From 754d40ad2c971f1d3b609518c919f2c1710837e6 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 3 May 2024 14:26:58 +0200
Subject: [PATCH] =?UTF-8?q?chore:=20=F0=9F=A7=B9=20Simple=20Update?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
Full_tests.csv | 12 +++++-
missing_tests.csv | 4 +-
sigma_rule.csv | 43 ++++++++++++--------
yml/00738d2a-4651-4d76-adf2-c43a41dfb243.yml | 8 +++-
yml/00c652e2-0750-4ca6-82ff-0204684a6fe4.yml | 2 +-
yml/00e3e3c7-6c3c-455e-bd4b-461c7f0e7797.yml | 2 +-
yml/0139dba1-f391-405e-a4f5-f3989f2c88ef.yml | 10 +++--
yml/015cd268-996e-4c32-8347-94c80c6286ee.yml | 4 +-
yml/02e8be5a-3065-4e54-8cc8-a14d138834d3.yml | 2 +-
yml/079ee2e9-6f16-47ca-a635-14efcd994118.yml | 6 +--
yml/096b6d2a-b63f-4100-8fa0-525da4cd25ca.yml | 2 +-
yml/0976990f-53b1-4d3f-a185-6df5be429d3b.yml | 2 +-
yml/0a2ce662-1efa-496f-a472-2fe7b080db16.yml | 2 +-
yml/0ad9ab92-c48c-4f08-9b20-9633277c4646.yml | 22 ++++++----
yml/0ae9e327-3251-465a-a53b-485d4e3f58fa.yml | 5 ++-
yml/0b207037-813c-4444-ac3f-b597cf280a67.yml | 17 ++++++++
yml/0b2f9520-a17a-4671-9dba-3bd034099fff.yml | 2 +-
yml/0b44d79b-570a-4b27-a31f-3bf2156e5eaa.yml | 2 +-
yml/0bb64470-582a-4155-bde2-d6003a95ed34.yml | 2 +
yml/0be2230c-9ab3-4ac2-8826-3199b9a0ebf8.yml | 3 +-
yml/0ca82ed1-0a94-4774-9a9a-a2c83a8022b7.yml | 2 +
yml/0e36303b-6762-4500-b003-127743b80ba6.yml | 2 +
yml/0e56bf29-ff49-4ea5-9af4-3b81283fd513.yml | 2 +-
yml/0e65ae27-5385-46b4-98ac-607a8ee82261.yml | 7 ++--
yml/0f0b6a29-08c3-44ad-a30b-47fd996b2110.yml | 2 +-
yml/0fc6e977-cb12-44f6-b263-2824ba917409.yml | 10 +++--
yml/0fd48ef7-d890-4e93-a533-f7dedd5191d3.yml | 8 +++-
yml/103d6533-fd2a-4d08-976a-4a598565280f.yml | 2 +
yml/10447c83-fc38-462a-a936-5102363b1c43.yml | 8 +++-
yml/10ba02d0-ab76-4f80-940d-451633f24c5b.yml | 2 +
yml/10c710c9-9104-4d5f-8829-5b65391e2a29.yml | 4 +-
yml/114ccff9-ae6d-4547-9ead-4cd69f687306.yml | 10 ++---
yml/114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0.yml | 2 +-
yml/11ba69ee-902e-4a0f-b3b6-418aed7d7ddb.yml | 13 +++---
yml/12631354-fdbc-4164-92be-402527e748da.yml | 8 +++-
yml/1329d5ab-e10e-4e5e-93d1-4d907eb656e5.yml | 24 ++++-------
yml/13c5e1ae-605b-46c4-a79f-db28c77ff24e.yml | 2 +
yml/14d55ca0-920e-4b44-8425-37eedd72b173.yml | 8 +++-
yml/14f3af20-61f1-45b8-ad31-4637815f3f44.yml | 3 +-
yml/1553252f-14ea-4d3b-8a08-d7a4211aa945.yml | 4 +-
yml/15e57006-79dd-46df-9bf9-31bc24fb5a80.yml | 2 +
yml/161d694c-b543-4434-85c3-c3a433e33792.yml | 2 +-
yml/161dcd85-d014-4f5e-900c-d3eaae82a0f7.yml | 2 +-
yml/16bdbe52-371c-4ccf-b708-79fba61f1db4.yml | 21 ++++++++++
yml/17d046be-fdd0-4cbb-b5c7-55c85d9d0714.yml | 9 ++--
yml/19acf63b-55c4-4b6a-8552-00a8865105c8.yml | 5 ++-
yml/1a02df58-09af-4064-a765-0babe1a0d1e2.yml | 10 +++--
yml/1a94b3fc-b080-450a-b3d8-6d9b57b472ea.yml | 7 ++--
yml/1b682d84-f075-4f93-9a89-8a8de19ffd6e.yml | 7 +++-
yml/1b72b3bd-72f8-4b63-a30b-84e91b9c3578.yml | 5 ++-
yml/1b83cddb-eaa7-45aa-98a5-85fb0a8807ea.yml | 29 ++++++-------
yml/1c68c68d-83a4-4981-974e-8993055fa034.yml | 1 +
yml/1d5711d6-655c-4a47-ae9c-6503c74fa877.yml | 6 ++-
yml/1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8.yml | 2 +-
yml/1f896ce4-8070-4959-8a25-2658856a70c9.yml | 6 ++-
yml/20aba24b-e61f-4b26-b4ce-4784f763ca20.yml | 6 ++-
yml/2158908e-b7ef-4c21-8a83-3ce4dd05a924.yml | 2 +
yml/2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a.yml | 18 ++++----
yml/21caf58e-87ad-440c-a6b8-3ac259964003.yml | 4 +-
yml/228c7498-be31-48e9-83b7-9cb906504ec8.yml | 2 +
yml/234f9b7c-b53d-4f32-897b-b880a6c9ea7b.yml | 6 +--
yml/23b91cd2-c99c-4002-9e41-317c63e024a2.yml | 4 +-
yml/2536dee2-12fb-459a-8c37-971844fa73be.yml | 3 +-
yml/263ba6cb-ea2b-41c9-9d4e-b652dadd002c.yml | 1 +
yml/26a6b840-4943-4965-8df5-ef1f9a282440.yml | 4 +-
yml/29786d7e-8916-4de6-9c55-be7b093b2706.yml | 4 +-
yml/29e0afca-8d1d-471a-8d34-25512fc48315.yml | 4 +-
yml/2b080b99-0deb-4d51-af0f-833d37c4ca6a.yml | 10 +++--
yml/2b162bfd-0928-4d4c-9ec3-4d9f88374b52.yml | 14 +++----
yml/2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17.yml | 2 +-
yml/2ca61766-b456-4fcf-a35a-1233685e1cad.yml | 10 +++--
yml/3180f7d5-52c0-4493-9ea0-e3431a84773f.yml | 10 +++--
yml/319e9f6c-7a9e-432e-8c62-9385c803b6f2.yml | 2 +-
yml/33a29ab1-cabb-407f-9448-269041bf2856.yml | 22 ++++++++++
yml/348f4d14-4bd3-4f6b-bd8a-61237f78b3ac.yml | 16 ++++----
yml/34f0a430-9d04-4d98-bcb5-1989f14719f0.yml | 2 +-
yml/36753ded-e5c4-4eb5-bc3c-e8fba236878d.yml | 6 +--
yml/367d4004-5fc0-446d-823f-960c74ae52c3.yml | 2 +-
yml/394012d9-2164-4d4f-b9e5-acf30ba933fe.yml | 2 +-
yml/39a295ca-7059-4a88-86f6-09556c1211e7.yml | 1 +
yml/3a159042-69e6-4398-9a69-3308a4841c85.yml | 16 ++++----
yml/3a95cdb2-c6ea-4761-b24e-02b71889b8bb.yml | 2 +-
yml/3b0df731-030c-4768-b492-2a3216d90e53.yml | 2 +-
yml/3b3809b6-a54b-4f5b-8aff-cb51f2e97b34.yml | 13 +++---
yml/3c64f177-28e2-49eb-a799-d767b24dd1e0.yml | 4 +-
yml/3d456e2b-a7db-4af8-b5b3-720e7c4d9da5.yml | 22 +++++-----
yml/3ecd790d-2617-4abf-9a8c-4e8d47da9ee1.yml | 22 +++++-----
yml/3fc9fea2-871d-414d-8ef6-02e85e322b80.yml | 2 +-
yml/41410c60-614d-4b9d-b66e-b0192dd9c597.yml | 2 +-
yml/419cca0c-fa52-4572-b0d7-bc7c6f388a27.yml | 2 +
yml/42510244-5019-48fa-a0e5-66c3b76e6049.yml | 2 +-
yml/42dc4460-9aa6-45d3-b1a6-3955d34e1fe8.yml | 10 +++--
yml/42e51815-a6cc-4c75-b970-3f0ff54b610e.yml | 5 ++-
yml/437b2003-a20d-4ed8-834c-4964f24eec63.yml | 2 +-
yml/43819286-91a9-4369-90ed-d31fb4da2c01.yml | 1 +
yml/4449c89b-ec82-43a4-89c1-91e2f1abeecc.yml | 2 +-
yml/453acf13-1dbd-47d7-b28a-172ce9228023.yml | 3 +-
yml/46f8dbe9-22a5-4770-8513-66119c5be63b.yml | 2 +-
yml/47a539d1-61b9-4364-bf49-a68bc2a95ef0.yml | 3 +-
yml/491a4af6-a521-4b74-b23b-f7b3f1ee9e77.yml | 6 ++-
yml/49845fc1-7961-4590-a0f0-3dbcf065ae7e.yml | 10 +++--
yml/4a18cc4e-416f-4966-9a9d-75731c4684c0.yml | 5 ++-
yml/4a233a40-caf7-4cf1-890a-c6331bbc72cf.yml | 2 +
yml/4a41089a-48e0-47aa-82cb-5b81a463bc78.yml | 11 ++---
yml/4b437357-f4e9-4c84-9fa6-9bcee6f826aa.yml | 4 +-
yml/4c83940d-8ca5-4bb2-8100-f46dc914bc3f.yml | 22 +++++-----
yml/4d77f913-56f5-4a14-b4b1-bf7bb24298ad.yml | 3 +-
yml/4e524c4e-0e02-49aa-8df5-93f3f7959b9f.yml | 2 +-
yml/4ff64f0b-aaf2-4866-b39d-38d9791407cc.yml | 13 +++---
yml/502a7dc4-9d6f-4d28-abf2-f0e84692562d.yml | 11 ++---
yml/51005ac7-52e2-45e0-bdab-d17c6d4916cd.yml | 2 +-
yml/515575ab-d213-42b1-aa64-ef6a2dd4641b.yml | 4 +-
yml/51a98f96-0269-4e09-a10f-e307779a8b05.yml | 2 +-
yml/52778a8f-a10b-41a4-9eae-52ddb74072bf.yml | 2 +-
yml/53ead5db-7098-4111-bb3f-563be390e72e.yml | 6 ++-
yml/54782d65-12f0-47a5-b4c1-b70ee23de6df.yml | 10 +++--
yml/54a4daf1-71df-4383-9ba7-f1a295d8b6d2.yml | 10 +++--
yml/5598f7cb-cf43-455e-883a-f6008c5d46af.yml | 7 ++--
yml/562aa072-524e-459a-ba2b-91f1afccf5ab.yml | 2 +-
yml/56506854-89d6-46a3-9804-b7fde90791f9.yml | 16 ++++----
yml/56b9589c-9170-4682-8c3d-33b86ecb5119.yml | 4 +-
yml/5750aa16-0e59-4410-8b9a-8a47ca2788e2.yml | 8 +++-
yml/584331dd-75bc-4c02-9e0b-17f5fd81c748.yml | 1 +
yml/58bd8c8d-3a1a-4467-a69c-439c75469b07.yml | 22 ++++++++++
yml/59aa6f26-7620-417e-9318-589e0fb7a372.yml | 4 +-
yml/5a3497a4-1568-4663-b12a-d4a5ed70c7d7.yml | 2 +-
yml/5b380e96-b0ef-4072-8a8e-f194cb9eb9ac.yml | 6 +--
yml/5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c.yml | 10 +++--
yml/5e2938fb-f919-47b6-8b29-2f6a1f718e99.yml | 2 +-
yml/5f507e45-8411-4f99-84e7-e38530c45d01.yml | 10 +++--
yml/5ff9d047-6e9c-4357-b39b-5cf89d9b59c7.yml | 8 +++-
yml/634bd9b9-dc83-4229-b19f-7f83ba9ad313.yml | 10 ++---
yml/635c9a38-6cbf-47dc-8615-3810bc1167cf.yml | 10 +++--
yml/640cbf6d-659b-498b-ba53-f6dd1a1cc02c.yml | 13 +++---
yml/6502c8f0-b775-4dbd-9193-1298f56b6781.yml | 3 +-
yml/66e647d1-8741-4e43-b7c1-334760c2047f.yml | 1 +
yml/66ee226e-64cb-4dae-80e3-5bf5763e4a51.yml | 10 +++--
yml/66fb0bc1-3c3f-47e9-a298-550ecfefacbc.yml | 3 +-
yml/68190529-069b-4ffc-a942-919704158065.yml | 7 ++--
yml/68981660-6670-47ee-a5fa-7e74806420a4.yml | 2 +
yml/6a3ff8dd-f49c-4272-a658-11c2fe58bd88.yml | 1 +
yml/6b1dbaf6-cc8a-4ea6-891f-6058569653bf.yml | 1 +
yml/6b8b7391-5c0a-4f8c-baee-78d8ce0ce330.yml | 5 ++-
yml/6c499943-b098-4bc6-8d38-0956fc182984.yml | 2 +-
yml/6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8.yml | 2 +-
yml/6c7a4fd3-5b0b-4b30-a93e-39411b25d889.yml | 2 +-
yml/6e85bdf9-7bc4-4259-ac0f-f0cb39964443.yml | 2 +-
yml/6f5822d2-d38d-4f48-9bfc-916607ff6b8c.yml | 2 +
yml/6fbc9e68-5ad7-444a-bd11-8bf3136c477e.yml | 2 +-
yml/6fdaae87-c05b-42f8-842e-991a74e8376b.yml | 10 +++--
yml/70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf.yml | 10 +++--
yml/718aebaa-d0e0-471a-8241-c5afa69c7414.yml | 8 +++-
yml/7230d01a-0a72-4bd5-9d7f-c6d472bc6a59.yml | 2 +-
yml/736b4f53-f400-4c22-855d-1a6b5a551600.yml | 2 +-
yml/75f66e03-37d3-4704-9520-3210efbe33ce.yml | 2 +-
yml/760fe8d2-79d9-494f-905e-a239a3df86f6.yml | 2 +-
yml/76628574-0bc1-4646-8fe2-8f4427b47d15.yml | 14 +++----
yml/7784c64e-ed0b-4b65-bf63-c86db229fd56.yml | 2 +
yml/784d1349-5a26-4d20-af5e-d6af53bae460.yml | 7 ++--
yml/7906f0a6-b527-46ee-9026-6e81a9184e08.yml | 23 +++++++++++
yml/7a0895f0-84c1-4adf-8491-a21510b1d4c1.yml | 4 +-
yml/7a21cce2-6ada-4f7c-afd9-e1e9c481e44a.yml | 2 +-
yml/7a714703-9f6b-461c-b06d-e6aeac650f27.yml | 22 +++++-----
yml/7ab0205a-34e4-4a44-9b04-e1541d1a57be.yml | 2 +-
yml/7ae7102c-a099-45c8-b985-4c7a2d05790d.yml | 3 +-
yml/7b697ece-8270-46b5-bbc7-6b9e27081831.yml | 2 +
yml/7b9d85e5-c4ce-4434-8060-d3de83595e69.yml | 8 +++-
yml/7be1bc0f-d8e5-4345-9333-f5f67d742cb9.yml | 2 +-
yml/7ccdfcfa-6707-46bc-b812-007ab6ff951c.yml | 20 +++++++++
yml/7cede33f-0acd-44ef-9774-15511300b24b.yml | 3 +-
yml/7d984ef2-2db2-4cec-b090-e637e1698f61.yml | 7 ++--
yml/7db7a7f9-9531-4840-9b30-46220135441c.yml | 8 +++-
yml/7e46c7a5-0142-45be-a858-1a3ecb4fd3cb.yml | 2 +-
yml/7e79a1b6-519e-433c-ad55-3ff293667101.yml | 2 +
yml/7e91138a-8e74-456d-a007-973d67a0bb80.yml | 2 +-
yml/7ece1dea-49f1-4d62-bdcc-5801e3292510.yml | 7 ++--
yml/7f566051-f033-49fb-89de-b6bacab730f0.yml | 4 +-
yml/7fe741f7-b265-4951-a7c7-320889083b3e.yml | 4 +-
yml/80887bec-5a9b-4efc-a81d-f83eb2eb32ab.yml | 2 +-
yml/80b453d1-eec5-4144-bf08-613a6c3ffe12.yml | 2 +
yml/815bef8b-bf91-4b67-be4c-abe4c2a94ccc.yml | 10 +++--
yml/81959d03-c51f-49a1-bb24-23f1ec885578.yml | 7 ++--
yml/81cfdd7f-1f41-4cc5-9845-bb5149438e37.yml | 28 +++++++++++++
yml/83a49600-222b-4866-80a0-37736ad29344.yml | 10 +++--
yml/84113186-ed3c-4d0d-8a3c-8980c86c1f4a.yml | 2 +-
yml/8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3.yml | 2 +
yml/855fb8b4-b8ab-4785-ae77-09f5df7bff55.yml | 4 +-
yml/86fc3f40-237f-4701-b155-81c01c48d697.yml | 3 +-
yml/8822c3b0-d9f9-4daf-a043-491160a31122.yml | 5 ++-
yml/8822c3b0-d9f9-4daf-a043-49f110a31122.yml | 7 ++--
yml/88d05800-a5e4-407e-9b53-ece4174f197f.yml | 2 +
yml/8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7.yml | 14 ++++---
yml/899a7fb5-d197-4951-8614-f19ac4a73ad4.yml | 2 +
yml/8a95b832-2c2a-494d-9cb0-dc9dd97c8bad.yml | 2 +
yml/8b23cae1-66c1-41c5-b79d-e095b6098b5b.yml | 2 +
yml/8b8a6449-be98-4f42-afd2-dedddc7453b2.yml | 2 +-
yml/8bec51da-7a6d-4346-b941-51eca448c4b0.yml | 20 +++++++++
yml/8c992cb3-a46e-4fd5-b005-b1bab185af31.yml | 2 +-
yml/8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0.yml | 5 ++-
yml/8d1c2368-b503-40c9-9057-8e42f21c58ad.yml | 2 +
yml/8fd5a296-6772-4766-9991-ff4e92af7240.yml | 6 +--
yml/90db9e27-8e7c-4c04-b602-a45927884966.yml | 2 +-
yml/91f348e6-3760-4997-a93b-2ceee7f254ee.yml | 2 +
yml/92c40b3f-c406-4d1f-8d2b-c039bf5009e4.yml | 7 ++--
yml/93662494-5ed7-4454-a04c-8c8372808ac2.yml | 2 +-
yml/945da11e-977e-4dab-85d2-f394d03c5887.yml | 7 ++--
yml/94be7646-25f6-467e-af23-585fb13000c8.yml | 2 +
yml/94ea9cc3-81f9-4111-8dde-3fb54f36af4b.yml | 7 ++--
yml/95018438-454a-468c-a0fa-59c800149b59.yml | 2 +-
yml/95f5c72f-6dfe-45f3-a8c1-d8faa07176fa.yml | 25 ++++--------
yml/96345bfc-8ae7-4b6a-80b7-223200f24ef9.yml | 2 +-
yml/9636dd6e-7599-40d2-8eee-ac16434f35ed.yml | 2 +
yml/97116a3f-efac-4b26-8336-b9cb18c45188.yml | 10 +++--
yml/981e2942-e433-44e9-afc1-8c957a1496b6.yml | 6 ++-
yml/9c15a7de-de14-46c3-bc2a-6d94130986ae.yml | 4 +-
yml/9c3ad250-b185-4444-b5a9-d69218a10c95.yml | 2 +-
yml/9c6d799b-c111-4749-a42f-ec2f8cb51448.yml | 2 +-
yml/9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0.yml | 6 +--
yml/9c8ef159-c666-472f-9874-90c8d60d136b.yml | 8 +++-
yml/9d0072c8-7cca-45c4-bd14-f852cfa35cf0.yml | 3 +-
yml/9d04efee-eff5-4240-b8d2-07792b873608.yml | 4 +-
yml/9dca5a1d-f78c-4a8d-accb-d6de67cfed6b.yml | 4 +-
yml/9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6.yml | 2 +-
yml/9e507bb8-1d30-4e3b-a49b-cb5727d7ea79.yml | 2 +-
yml/9fd99609-1854-4f3c-b47b-97d9a5972bd1.yml | 2 +
yml/9fdd83fd-bd53-46e5-a716-9dec89c8ae8e.yml | 16 ++++----
yml/a12b5531-acab-4618-a470-0dafb294a87a.yml | 5 ++-
yml/a138085e-bfe5-46ba-a242-74a6fb884af3.yml | 2 +-
yml/a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b.yml | 10 +++--
yml/a21118de-b11e-4ebd-b655-42f11142df0c.yml | 6 +--
yml/a27418de-bdce-4ebd-b655-38f04842bf0c.yml | 2 +-
yml/a3a0d4c9-c068-4563-a08d-583bd05b884c.yml | 4 +-
yml/a4420f93-5386-4290-b780-f4f66abc7070.yml | 1 +
yml/a4651931-ebbb-4cde-9363-ddf3d66214cb.yml | 2 +
yml/a54d497e-8dbe-4558-9895-44944baa395f.yml | 2 +-
yml/a55a22e9-a3d3-42ce-bd48-2653adb8f7a9.yml | 7 ++--
yml/a5b2f6a0-24b4-493e-9590-c699f75723ca.yml | 4 +-
yml/a960185f-aef6-4547-8350-d1ce16680d09.yml | 11 ++---
yml/aa1180e2-f329-4e1e-8625-2472ec0bfaf3.yml | 10 ++---
yml/aaa87b0e-5232-4649-ae5c-f1724a4b2798.yml | 2 +-
yml/abf00f6c-9983-4d9a-afbc-6b1c6c6448e1.yml | 2 +-
yml/ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b.yml | 2 +-
yml/afe369c2-b42e-447f-98a3-fb1f4e2b8552.yml | 6 +--
yml/afedc8c4-038c-4d82-b3e5-623a95f8a612.yml | 2 +
yml/b13e9306-3351-4b4b-a6e8-477358b0b498.yml | 7 +++-
yml/b1729c57-9384-4d1c-9b99-9b220afb384e.yml | 10 +++--
yml/b1b8128b-c5d4-4de9-bf70-e60419274562.yml | 5 ++-
yml/b1cbdf8b-6078-48f5-a890-11ea19d7f8e9.yml | 4 +-
yml/b2563a4e-c4b8-429c-8d47-d5bcb227ba7a.yml | 2 +
yml/b299c120-44a7-4d68-b8e2-8ba5a28511ec.yml | 7 ++--
yml/b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3.yml | 8 +++-
yml/b4988cad-6ed2-434d-ace5-ea2670782129.yml | 18 ++++----
yml/b51239b4-0129-474f-a2b4-70f855b9f2c2.yml | 13 +++---
yml/b5656f67-d67f-4de8-8e62-b5581630f528.yml | 4 +-
yml/b7037b89-947a-427a-ba29-e7e9f09bc045.yml | 14 +++----
yml/b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1.yml | 2 +-
yml/b8a563d4-a836-4993-a74e-0a19b8481bfe.yml | 2 +-
yml/b8e747c3-bdf7-4d71-bce2-f1df2a057406.yml | 5 ++-
yml/b95fd967-4e62-4109-b48d-265edfd28c3a.yml | 2 +-
yml/b9d22b9a-9778-4426-abf0-568ea64e9c33.yml | 10 +++--
yml/ba62ce11-e820-485f-9c17-6f3c857cd840.yml | 4 +-
yml/bac8a340-be64-4491-a0cc-0985cb227f5a.yml | 2 +
yml/bc071188-459f-44d5-901a-f8f2625b2d2e.yml | 6 +--
yml/bc25c04b-841e-4965-855f-d1f645d7ab73.yml | 2 +-
yml/bd4cf0d1-7646-474e-8610-78ccf5a097c4.yml | 2 +-
yml/bdc373c5-e9cf-4563-8a7b-a9ba720a90f3.yml | 10 +++--
yml/beaf815a-c883-4194-97e9-fdbbb2bbdd7c.yml | 2 +
yml/c01cad7f-7a4c-49df-985e-b190dcf6a279.yml | 10 +++--
yml/c107778c-dcf5-47c5-af2e-1d058a3df3ea.yml | 8 +++-
yml/c1d8c4eb-88da-4927-ae97-c7c25893803b.yml | 2 +
yml/c35ac4a8-19de-43af-b9f8-755da7e89c89.yml | 2 +-
yml/c37bc535-5c62-4195-9cc3-0517673171d8.yml | 3 +-
yml/c3e35b58-fe1c-480b-b540-7600fb612563.yml | 2 +-
yml/c3f6d794-50dd-482f-b640-0384fbb7db26.yml | 10 ++---
yml/c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b.yml | 2 +
yml/c4ae0701-88d3-4cd8-8bce-4801ed9f97e4.yml | 2 +
yml/c510d25b-1667-467d-8331-a56d3e9bc4ff.yml | 8 +++-
yml/c5806a4f-62b8-4900-980b-c7ec004e9908.yml | 13 +++---
yml/c5bec457-43c9-4a18-9a24-fe151d8971b7.yml | 2 +
yml/c67ba807-f48b-446e-b955-e4928cd1bf91.yml | 4 +-
yml/c6c34f61-1c3e-40fb-8a58-d017d88286d8.yml | 2 +
yml/c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef.yml | 2 +-
yml/c7a0bb71-70ce-4a53-b115-881f241b795b.yml | 2 +-
yml/c89becbe-1758-4e7d-a0f4-97d2188a23e3.yml | 6 +--
yml/c8f4bc29-a151-48da-b3be-4680af56f404.yml | 7 ++--
yml/c93f2492-9ebe-44b5-8b45-36574cccfe67.yml | 4 +-
yml/c955a599-3653-4fe5-b631-f11c00eb0397.yml | 2 +-
yml/c99a829f-0bb8-4187-b2c6-d47d1df74cab.yml | 10 +++--
yml/c9dc9de3-f961-4284-bd2d-f959c9f9fda5.yml | 2 +-
yml/cb379146-53f1-43e0-b884-7ce2c635ff5b.yml | 10 ++---
yml/cb790029-17e6-4c43-b96f-002ce5f10938.yml | 22 +++++-----
yml/cbb6799a-425c-4f83-9194-5447a909d67f.yml | 10 ++---
yml/ce483c35-c74b-45a7-a670-631d1e69db3d.yml | 2 +-
yml/cf21060a-80b3-4238-a595-22525de4ab81.yml | 1 +
yml/d03683ec-aae0-42f9-9b4c-534780e0f8e1.yml | 5 ++-
yml/d1fa2a69-b0a2-4e8a-9112-529b00c19a41.yml | 19 +++++++++
yml/d239772b-88e2-4a2e-8473-897503401bcc.yml | 12 +++---
yml/d3415a0e-66ef-429b-acf4-a768876954f6.yml | 4 +-
yml/d34ef297-f178-4462-871e-9ce618d44e50.yml | 8 ++--
yml/d400090a-d8ca-4be0-982e-c70598a23de9.yml | 2 +-
yml/d5b886d9-d1c7-4b6e-a7b0-460041bf2823.yml | 7 ++--
yml/d5d5a6b0-0f92-42d8-985d-47aafa2dd4db.yml | 6 ++-
yml/d9841bf8-f161-4c73-81e9-fd773a5ff8c1.yml | 2 +
yml/d9e4f24f-aa67-4c6e-bcbf-85622b697a7c.yml | 2 +-
yml/da4f751a-020b-40d7-b9ff-d433b7799803.yml | 2 +-
yml/da558b07-69ae-41b9-b9d4-4d98154a7049.yml | 1 +
yml/db965264-3117-4bad-b7b7-2523b7856b92.yml | 6 +--
yml/dc7726d2-8ccb-4cc6-af22-0d5afb53a548.yml | 2 +-
yml/dd3b61dd-7bbc-48cd-ab51-49ad1a776df0.yml | 10 +++--
yml/dddd4aca-bbed-46f0-984d-e4c5971c51ea.yml | 3 +-
yml/dea6c349-f1c6-44f3-87a1-1ed33a59a607.yml | 3 +-
yml/df1efab7-bc6d-4b88-8be9-91f55ae017aa.yml | 4 +-
yml/dfbd1a21-540d-4574-9731-e852bd6fe840.yml | 11 ++---
yml/e129d73b-3e03-4ae9-bf1e-67fc8921e0fd.yml | 11 ++---
yml/e1ec8d20-509a-4b9a-b820-06c9b2da8eb7.yml | 2 +-
yml/e2028771-1bfb-48f5-b5e6-e50ee0942a14.yml | 4 +-
yml/e2480aee-23f3-4f34-80ce-de221e27cd19.yml | 4 +-
yml/e43cfdaf-3fb8-4a45-8de0-7eee8741d072.yml | 4 +-
yml/e447b83b-a698-4feb-bed1-a7aaf45c3443.yml | 18 ++++----
yml/e62d23ef-3153-4837-8625-fa4a3829134d.yml | 2 +
yml/e6abb60e-26b8-41da-8aae-0c35174b0967.yml | 7 +++-
yml/e6f36545-dc1e-47f0-9f48-7f730f54a02e.yml | 2 +-
yml/e6fe5095-545d-4c8b-a0ae-e863914be3aa.yml | 4 +-
yml/eb5adf16-b601-4926-bca7-dad22adffb37.yml | 3 +-
yml/ecca999b-e0c8-40e8-8416-ad320b146a75.yml | 5 ++-
yml/ed0335ac-0354-400c-8148-f6151d20035a.yml | 10 +++--
yml/ed366cde-7d12-49df-a833-671904770b9f.yml | 6 ++-
yml/ed952f70-91d4-445a-b7ff-30966bfb1aff.yml | 1 +
yml/ef0581fd-528e-4662-87bc-4c2affb86940.yml | 6 ++-
yml/f095e373-b936-4eb4-8d22-f47ccbfbe64a.yml | 2 +-
yml/f151ee37-9e2b-47e6-80e4-550b9f999b7a.yml | 14 ++++---
yml/f1641ba9-919a-4323-b74f-33372333bf0e.yml | 5 ++-
yml/f449c933-0891-407f-821e-7916a21a1a6f.yml | 6 ++-
yml/f450461c-18d1-4452-9f0d-2c42c3f08624.yml | 2 +-
yml/f564c297-7978-4aa9-b37a-d90477feea4e.yml | 10 +++--
yml/f8aab3dd-5990-4bf8-b8ab-2226c951696f.yml | 2 +-
yml/f92a380f-ced9-491f-b338-95a991418ce2.yml | 4 +-
yml/fa37b633-e097-4415-b2b8-c5bf4c86e423.yml | 2 +-
yml/fa5a2759-41d7-4e13-a19c-e8f28a53566f.yml | 10 +++--
yml/fa96c21c-5fd6-4428-aa28-51a2fbecdbdc.yml | 4 +-
yml/fb4151a2-db33-4f8c-b7f8-78ea8790f961.yml | 6 ++-
yml/fbff3f1f-b0bf-448e-840f-7e1687affdce.yml | 5 ++-
yml/fc5f9414-bd67-4f5f-a08e-e5381e29cbd1.yml | 7 ++--
yml/fcec2963-9951-4173-9bfa-98d8b7834e62.yml | 2 +-
yml/fdd0c913-714b-4c13-b40f-1824d6c015f2.yml | 2 +-
yml/fe135572-edcd-49a2-afe6-1d39521c5a9a.yml | 2 +
yml/fe613cf3-8009-4446-9a0f-bc78a15b66c9.yml | 4 +-
yml/fecd0dfd-fb55-45fa-a10b-6250272d0832.yml | 4 +-
yml/fed9be70-0186-4bde-9f8a-20945f9370c2.yml | 2 +-
yml/ffbcfd62-15d6-4989-a21a-80bfc8e58bb5.yml | 2 +-
yml/ffc8b249-372a-4b74-adcd-e4c0430842de.yml | 2 +
yml/ffd492e3-0455-4518-9fb1-46527c9f241b.yml | 10 +++--
352 files changed, 1316 insertions(+), 788 deletions(-)
create mode 100644 yml/0b207037-813c-4444-ac3f-b597cf280a67.yml
create mode 100644 yml/16bdbe52-371c-4ccf-b708-79fba61f1db4.yml
create mode 100644 yml/33a29ab1-cabb-407f-9448-269041bf2856.yml
create mode 100644 yml/58bd8c8d-3a1a-4467-a69c-439c75469b07.yml
create mode 100644 yml/7906f0a6-b527-46ee-9026-6e81a9184e08.yml
create mode 100644 yml/7ccdfcfa-6707-46bc-b812-007ab6ff951c.yml
create mode 100644 yml/81cfdd7f-1f41-4cc5-9845-bb5149438e37.yml
create mode 100644 yml/8bec51da-7a6d-4346-b941-51eca448c4b0.yml
create mode 100644 yml/d1fa2a69-b0a2-4e8a-9112-529b00c19a41.yml
diff --git a/Full_tests.csv b/Full_tests.csv
index 6f7a530b..61a32912 100644
--- a/Full_tests.csv
+++ b/Full_tests.csv
@@ -245,6 +245,8 @@ defense-evasion;T1562.004;command_prompt;['windows'];Blackbit - Disable Windows
defense-evasion;T1562.004;command_prompt;['windows'];ESXi - Disable Firewall via Esxcli;bac8a340-be64-4491-a0cc-0985cb227f5a;False;23
defense-evasion;T1562.004;powershell;['windows'];Set a firewall rule using New-NetFirewallRule;94be7646-25f6-467e-af23-585fb13000c8;False;24
defense-evasion;T1553.003;command_prompt;['windows'];SIP (Subject Interface Package) Hijacking via Custom DLL;e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675;False;1
+defense-evasion;T1562.012;sh;['linux'];Delete all auditd rules using auditctl;33a29ab1-cabb-407f-9448-269041bf2856;False;1
+defense-evasion;T1562.012;sh;['linux'];Disable auditd using auditctl;7906f0a6-b527-46ee-9026-6e81a9184e08;False;2
defense-evasion;T1207;powershell;['windows'];DCShadow (Active Directory);0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6;True;1
defense-evasion;T1610;bash;['containers'];Deploy Docker container;59aa6f26-7620-417e-9318-589e0fb7a372;False;1
defense-evasion;T1112;command_prompt;['windows'];Modify Registry of Current User Profile - cmd;1324796b-d0f6-455a-b4ae-21ffee6aa6b9;True;1
@@ -316,6 +318,7 @@ defense-evasion;T1112;command_prompt;['windows'];Disabling ShowUI Settings of Wi
defense-evasion;T1112;command_prompt;['windows'];Enable Proxy Settings;eb0ba433-63e5-4a8c-a9f0-27c4192e1336;False;67
defense-evasion;T1112;command_prompt;['windows'];Set-Up Proxy Server;d88a3d3b-d016-4939-a745-03638aafd21b;False;68
defense-evasion;T1112;command_prompt;['windows'];RDP Authentication Level Override;7e7b62e9-5f83-477d-8935-48600f38a3c6;False;69
+defense-evasion;T1112;command_prompt;['windows'];Enable RDP via Registry (fDenyTSConnections);16bdbe52-371c-4ccf-b708-79fba61f1db4;False;70
defense-evasion;T1574.008;powershell;['windows'];powerShell Persistence via hijacking default modules - Get-Variable.exe;1561de08-0b4b-498e-8261-e922f3494aae;True;1
defense-evasion;T1027.001;sh;['linux', 'macos'];Pad Binary to Change Hash - Linux/macOS dd;ffe2346c-abd5-4b45-a713-bf5f1ebd573a;False;1
defense-evasion;T1027.001;sh;['linux', 'macos'];Pad Binary to Change Hash using truncate command - Linux/macOS;e22a9e89-69c7-410f-a473-e6c212cd2292;False;2
@@ -537,7 +540,7 @@ defense-evasion;T1562.008;sh;['iaas:aws'];AWS CloudWatch Log Stream Deletes;33ca
defense-evasion;T1562.008;powershell;['office-365'];Office 365 - Set Audit Bypass For a Mailbox;c9a2f6fe-7197-488c-af6d-10c782121ca6;False;9
defense-evasion;T1562.008;sh;['iaas:gcp'];GCP - Delete Activity Event Log;d56152ec-01d9-42a2-877c-aac1f6ebe8e6;False;10
defense-evasion;T1564.003;powershell;['windows'];Hidden Window;f151ee37-9e2b-47e6-80e4-550b9f999b7a;True;1
-defense-evasion;T1564.003;command_prompt;['windows'];Headless Browser Accessing Mockbin;0ad9ab92-c48c-4f08-9b20-9633277c4646;False;2
+defense-evasion;T1564.003;command_prompt;['windows'];Headless Browser Accessing Mockbin;0ad9ab92-c48c-4f08-9b20-9633277c4646;True;2
defense-evasion;T1027.006;powershell;['windows'];HTML Smuggling Remote Payload;30cbeda4-08d9-42f1-8685-197fad677734;False;1
defense-evasion;T1070.004;sh;['linux', 'macos'];Delete a single file - FreeBSD/Linux/macOS;562d737f-2fc6-4b09-8c2a-7f8ff0828480;False;1
defense-evasion;T1070.004;sh;['linux', 'macos'];Delete an entire folder - FreeBSD/Linux/macOS;a415f17e-ce8d-4ce2-a8b4-83b674e7017e;False;2
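Review bot: The boolean for 0ad9ab92-c48c-4f08-9b20-9633277c4646 (Headless Browser Accessing Mockbin) flips from False to True on the changed line, and it is the only existing row in this hunk whose state changes, yet neither the CSV (no header is visible here) nor the commit message says what that column records, so a reader cannot tell whether this reflects a change in the test's elevation requirement, its detection coverage, or something else. The matching yml/0ad9ab92-….yml is touched in the same commit (22 lines per the diffstat), so the flip is presumably regenerated from that file rather than hand-edited; worth confirming the yml is the source of truth before merging. Since the CSV has no comment syntax, one sentence in the commit description naming the column's meaning and the reason for the flip would be enough.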
@@ -554,6 +557,7 @@ defense-evasion;T1027.002;sh;['linux'];Binary simply packed by UPX (linux);11c46
defense-evasion;T1027.002;sh;['linux'];Binary packed by UPX, with modified headers (linux);f06197f8-ff46-48c2-a0c6-afc1b50665e1;False;2
defense-evasion;T1027.002;sh;['macos'];Binary simply packed by UPX;b16ef901-00bb-4dda-b4fc-a04db5067e20;False;3
defense-evasion;T1027.002;sh;['macos'];Binary packed by UPX, with modified headers;4d46e16b-5765-4046-9f25-a600d3e65e4d;False;4
+defense-evasion;T1622;powershell;['windows'];Detect a Debugger Presence in the Machine;58bd8c8d-3a1a-4467-a69c-439c75469b07;False;1
defense-evasion;T1036.006;manual;['macos'];Space After Filename (Manual);89a7dd26-e510-4c9f-9b15-f3bae333360f;False;1
defense-evasion;T1036.006;sh;['macos', 'linux'];Space After Filename;b95ce2eb-a093-4cd8-938d-5258cef656ea;False;2
defense-evasion;T1550.002;command_prompt;['windows'];Mimikatz Pass the Hash;ec23cef9-27d9-46e4-a68d-6f75f7b86908;True;1
@@ -1405,6 +1409,7 @@ credential-access;T1003;powershell;['windows'];Dump svchost.exe to gather RDP cr
credential-access;T1003;powershell;['windows'];Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list);6c7a4fd3-5b0b-4b30-a93e-39411b25d889;True;4
credential-access;T1003;powershell;['windows'];Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config);42510244-5019-48fa-a0e5-66c3b76e6049;True;5
credential-access;T1003;powershell;['windows'];Dump Credential Manager using keymgr.dll and rundll32.exe;84113186-ed3c-4d0d-8a3c-8980c86c1f4a;True;6
+credential-access;T1003;powershell;['windows'];Send NTLM Hash with RPC Test Connection;0b207037-813c-4444-ac3f-b597cf280a67;False;7
credential-access;T1539;powershell;['windows'];Steal Firefox Cookies (Windows);4b437357-f4e9-4c84-9fa6-9bcee6f826aa;True;1
credential-access;T1539;powershell;['windows'];Steal Chrome Cookies (Windows);26a6b840-4943-4965-8df5-ef1f9a282440;True;2
credential-access;T1539;bash;['macos'];Steal Chrome Cookies via Remote Debugging (Mac);e43cfdaf-3fb8-4a45-8de0-7eee8741d072;False;3
@@ -1543,6 +1548,7 @@ credential-access;T1110.004;sh;['linux'];SSH Credential Stuffing From FreeBSD;a7
credential-access;T1110.004;powershell;['windows'];Brute Force:Credential Stuffing using Kerbrute Tool;4852c630-87a9-409b-bb5e-5dc12c9ebcde;True;4
credential-access;T1187;powershell;['windows'];PetitPotam;485ce873-2e65-4706-9c7e-ae3ab9e14213;True;1
credential-access;T1187;powershell;['windows'];WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS;7f06b25c-799e-40f1-89db-999c9cc84317;True;2
+credential-access;T1187;powershell;['windows'];Trigger an authenticated RPC call to a target server with no Sign flag set;81cfdd7f-1f41-4cc5-9845-bb5149438e37;False;3
credential-access;T1003.008;bash;['linux'];Access /etc/shadow (Local);3723ab77-c546-403c-8fb4-bb577033b235;False;1
credential-access;T1003.008;sh;['linux'];Access /etc/master.passwd (Local);5076874f-a8e6-4077-8ace-9e5ab54114a5;False;2
credential-access;T1003.008;sh;['linux'];Access /etc/passwd (Local);60e860b6-8ae6-49db-ad07-5e73edd88f5d;False;3
@@ -1670,6 +1676,7 @@ discovery;T1135;powershell;['windows'];Share Discovery with PowerView;b1636f0a-b
discovery;T1135;powershell;['windows'];PowerView ShareFinder;d07e4cc1-98ae-447e-9d31-36cb430d28c4;True;8
discovery;T1135;powershell;['windows'];WinPwn - shareenumeration;987901d1-5b87-4558-a6d9-cffcabc638b8;True;9
discovery;T1135;command_prompt;['windows'];Network Share Discovery via dir command;13daa2cf-195a-43df-a8bd-7dd5ffb607b5;False;10
+discovery;T1135;powershell;['windows'];Enumerate All Network Shares with SharpShares;d1fa2a69-b0a2-4e8a-9112-529b00c19a41;False;11
discovery;T1120;powershell;['windows'];Win32_PnPEntity Hardware Inventory;2cb4dbf2-2dca-4597-8678-4d39d207a3a5;True;1
discovery;T1120;powershell;['windows'];WinPwn - printercheck;cb6e76ca-861e-4a7f-be08-564caa3e6f75;True;2
discovery;T1120;command_prompt;['windows'];Peripheral Device Discovery via fsutil;424e18fd-48b8-4201-8d3a-bf591523a686;False;3
@@ -1831,6 +1838,7 @@ discovery;T1518;sh;['macos'];Find and Display Safari Browser Version;103d6533-fd
discovery;T1518;powershell;['windows'];WinPwn - Dotnetsearch;7e79a1b6-519e-433c-ad55-3ff293667101;True;4
discovery;T1518;powershell;['windows'];WinPwn - DotNet;10ba02d0-ab76-4f80-940d-451633f24c5b;True;5
discovery;T1518;powershell;['windows'];WinPwn - powerSQL;0bb64470-582a-4155-bde2-d6003a95ed34;True;6
+discovery;T1622;powershell;['windows'];Detect a Debugger Presence in the Machine;58bd8c8d-3a1a-4467-a69c-439c75469b07;False;1
discovery;T1124;command_prompt;['windows'];System Time Discovery;20aba24b-e61f-4b26-b4ce-4784f763ca20;True;1
discovery;T1124;powershell;['windows'];System Time Discovery - PowerShell;1d5711d6-655c-4a47-ae9c-6503c74fa877;True;2
discovery;T1124;sh;['linux', 'macos'];System Time Discovery in FreeBSD/macOS;f449c933-0891-407f-821e-7916a21a1a6f;False;3
@@ -1917,6 +1925,8 @@ exfiltration;T1020;powershell;['windows'];IcedID Botnet HTTP PUT;9c780d3d-3a14-4
exfiltration;T1020;powershell;['windows'];Exfiltration via Encrypted FTP;5b380e96-b0ef-4072-8a8e-f194cb9eb9ac;False;2
exfiltration;T1048.002;command_prompt;['windows'];Exfiltrate data HTTPS using curl windows;1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0;True;1
exfiltration;T1048.002;bash;['macos', 'linux'];Exfiltrate data HTTPS using curl freebsd,linux or macos;4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01;False;2
+exfiltration;T1048.002;sh;['linux'];Exfiltrate data in a file over HTTPS using wget;7ccdfcfa-6707-46bc-b812-007ab6ff951c;False;3
+exfiltration;T1048.002;sh;['linux'];Exfiltrate data as text over HTTPS using wget;8bec51da-7a6d-4346-b941-51eca448c4b0;False;4
exfiltration;T1041;powershell;['windows'];C2 Data Exfiltration;d1253f6e-c29b-49dc-b466-2147a6191932;True;1
exfiltration;T1041;powershell;['windows'];Text Based Data Exfiltration using DNS subdomains;c9207f3e-213d-4cc7-ad2a-7697a7237df9;False;2
exfiltration;T1048;sh;['macos', 'linux'];Exfiltration Over Alternative Protocol - SSH;f6786cc8-beda-4915-a4d6-ac2f193bb988;False;1
diff --git a/missing_tests.csv b/missing_tests.csv
index 25881270..fe4e3758 100644
--- a/missing_tests.csv
+++ b/missing_tests.csv
@@ -25,7 +25,6 @@ defense-evasion;T1078.002;win_security_admin_rdp_login.yml
defense-evasion;T1055.009;proc_creation_lnx_dd_process_injection.yml
defense-evasion;T1027.010;proc_creation_win_powershell_crypto_namespace.yml,registry_set_powershell_crypto_namespace.yml
defense-evasion;T1134;win_security_hktl_nofilter.yml,proc_creation_win_susp_system_user_anomaly.yml
-defense-evasion;T1622;proc_creation_win_pua_process_hacker.yml
defense-evasion;T1484;azure_ad_device_registration_policy_changes.yml
defense-evasion;T1550.001;aws_console_getsignintoken.yml,aws_sts_assumerole_misuse.yml,aws_sts_getsessiontoken_misuse.yml,aws_susp_saml_activity.yml
defense-evasion;T1556;aws_sso_idp_change.yml,azure_mfa_disabled.yml,azure_aad_secops_ca_policy_removedby_bad_actor.yml,azure_aad_secops_ca_policy_updatedby_bad_actor.yml,azure_ad_certificate_based_authencation_enabled.yml,azure_ad_new_root_ca_added.yml,azure_change_to_authentication_method.yml,azure_group_user_addition_ca_modification.yml,azure_group_user_removal_ca_modification.yml,github_disable_high_risk_configuration.yml,microsoft365_disabling_mfa.yml,win_security_susp_possible_shadow_credentials_added.yml
@@ -103,7 +102,6 @@ discovery;T1069;posh_pm_malicious_commandlets.yml,posh_ps_malicious_commandlets.
discovery;T1069.003;kubernetes_audit_rbac_permisions_listing.yml
discovery;T1087;rpc_firewall_sharphound_recon_account.yml,win_security_alert_ruler.yml,posh_pm_malicious_commandlets.yml,posh_ps_malicious_commandlets.yml,proc_creation_win_hktl_winpeas.yml,proc_creation_win_nslookup_domain_discovery.yml,proc_creation_win_powershell_malicious_cmdlets.yml,proc_creation_win_pua_seatbelt.yml,proc_creation_win_sysinternals_psloglist.yml,proc_creation_win_webshell_chopper.yml,proc_creation_win_webshell_hacking.yml,proc_creation_win_webshell_recon_commands_and_processes.yml,proc_creation_win_malware_pikabot_discovery.yml
discovery;T1087.004;kubernetes_audit_rbac_permisions_listing.yml,azure_ad_azurehound_discovery.yml
-discovery;T1622;proc_creation_win_pua_process_hacker.yml
resource-development;T1587.001;win_exchange_proxylogon_oabvirtualdir.yml,file_event_win_office_uncommon_file_startup.yml,file_event_win_vhd_download_via_browsers.yml,proc_creation_win_pua_csexec.yml,proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml,proc_creation_win_sysinternals_psexec_remote_execution.yml,proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml,proc_creation_win_malware_formbook.yml,proc_creation_win_apt_mustangpanda.yml,proc_creation_win_malware_conti.yml,file_event_win_susp_binary_dropper.yml
resource-development;T1586.003;okta_suspicious_activity_enduser_report.yml
resource-development;T1588.001;lnx_clamav_relevant_message.yml
@@ -140,7 +138,7 @@ initial-access;T1078;opencanary_ssh_login_attempt.yml,opencanary_ssh_new_connect
initial-access;T1078.002;win_security_admin_rdp_login.yml
initial-access;T1200;win_usb_device_plugged.yml,win_security_device_installation_blocked.yml,win_security_external_device.yml
initial-access;T1189;proc_creation_macos_susp_browser_child_process.yml,proxy_susp_flash_download_loc.yml,web_xss_in_access_logs.yml
-exfiltration;T1567;net_connection_lnx_ngrok_tunnel.yml,proc_creation_lnx_susp_curl_fileupload.yml,net_dns_pua_cryptocoin_mining_xmr.yml,net_connection_win_domain_ngrok_tunnel.yml,proc_creation_win_lolbin_configsecuritypolicy.yml,proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml,proc_creation_win_curl_fileupload.yml
+exfiltration;T1567;net_connection_lnx_ngrok_tunnel.yml,proc_creation_lnx_susp_curl_fileupload.yml,net_dns_pua_cryptocoin_mining_xmr.yml,net_connection_win_domain_ngrok_tunnel.yml,proc_creation_win_configsecuritypolicy_download_file.yml,proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml,proc_creation_win_curl_fileupload.yml
exfiltration;T1048.001;proc_creation_win_dns_exfiltration_tools_execution.yml
exfiltration;T1567.001;net_connection_win_domain_mega_nz.yml,net_connection_win_domain_ngrok.yml,net_connection_win_susp_devtunnel_connection.yml,net_connection_win_vscode_tunnel_connection.yml
exfiltration;T1537;aws_ec2_vm_export_failure.yml,aws_s3_data_management_tampering.yml,aws_snapshot_backup_exfiltration.yml,microsoft365_data_exfiltration_to_unsanctioned_app.yml
diff --git a/sigma_rule.csv b/sigma_rule.csv
index 0f3147ba..010d11ee 100644
--- a/sigma_rule.csv
+++ b/sigma_rule.csv
@@ -1275,6 +1275,7 @@ image_load_wmi_persistence_commandline_event_consumer.yml;False
image_load_wsman_provider_image_load.yml;True
net_connection_win_addinutil.yml;False
net_connection_win_certutil_initiated_connection.yml;False
+net_connection_win_dialer_initiated_connection.yml;False
net_connection_win_dllhost_non_local_ip.yml;False
net_connection_win_domain_mega_nz.yml;False
net_connection_win_domain_ngrok.yml;False
@@ -1290,6 +1291,7 @@ net_connection_win_python.yml;True
net_connection_win_rdp_outbound_over_non_standard_tools.yml;True
net_connection_win_rdp_reverse_tunnel.yml;False
net_connection_win_rdp_to_http.yml;False
+net_connection_win_regasm_network_activity.yml;False
net_connection_win_regsvr32_network_activity.yml;True
net_connection_win_rundll32_net_connections.yml;True
net_connection_win_script.yml;True
@@ -1595,15 +1597,16 @@ proc_creation_win_bitsadmin_download_susp_targetfolder.yml;False
proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml;False
proc_creation_win_bitsadmin_potential_persistence.yml;True
proc_creation_win_browsers_chromium_headless_debugging.yml;False
-proc_creation_win_browsers_chromium_headless_exec.yml;False
+proc_creation_win_browsers_chromium_headless_exec.yml;True
proc_creation_win_browsers_chromium_headless_file_download.yml;False
proc_creation_win_browsers_chromium_load_extension.yml;False
-proc_creation_win_browsers_chromium_mockbin_abuse.yml;False
+proc_creation_win_browsers_chromium_mockbin_abuse.yml;True
proc_creation_win_browsers_chromium_susp_load_extension.yml;True
proc_creation_win_browsers_inline_file_download.yml;False
proc_creation_win_browsers_remote_debugging.yml;False
proc_creation_win_browsers_tor_execution.yml;True
proc_creation_win_calc_uncommon_exec.yml;True
+proc_creation_win_cdb_arbitrary_command_execution.yml;False
proc_creation_win_certmgr_certificate_installation.yml;False
proc_creation_win_certoc_download.yml;False
proc_creation_win_certoc_download_direct_ip.yml;False
@@ -1630,6 +1633,7 @@ proc_creation_win_cloudflared_tunnel_cleanup.yml;False
proc_creation_win_cloudflared_tunnel_run.yml;False
proc_creation_win_cmdkey_adding_generic_creds.yml;False
proc_creation_win_cmdkey_recon.yml;True
+proc_creation_win_cmdl32_arbitrary_file_download.yml;True
proc_creation_win_cmd_assoc_execution.yml;True
proc_creation_win_cmd_assoc_tamper_exe_file_association.yml;False
proc_creation_win_cmd_copy_dmp_from_share.yml;False
@@ -1653,8 +1657,10 @@ proc_creation_win_cmd_shadowcopy_access.yml;True
proc_creation_win_cmd_stdin_redirect.yml;True
proc_creation_win_cmd_sticky_keys_replace.yml;False
proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml;False
+proc_creation_win_cmd_type_arbitrary_file_download.yml;False
proc_creation_win_cmd_unusual_parent.yml;False
proc_creation_win_cmstp_execution_by_creation.yml;False
+proc_creation_win_configsecuritypolicy_download_file.yml;False
proc_creation_win_conhost_legacy_option.yml;False
proc_creation_win_conhost_path_traversal.yml;False
proc_creation_win_conhost_susp_child_process.yml;True
@@ -1675,6 +1681,8 @@ proc_creation_win_curl_insecure_connection.yml;False
proc_creation_win_curl_insecure_porxy_or_doh.yml;False
proc_creation_win_curl_local_file_read.yml;False
proc_creation_win_curl_susp_download.yml;True
+proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml;False
+proc_creation_win_defaultpack_uncommon_child_process.yml;False
proc_creation_win_desktopimgdownldr_remote_file_download.yml;False
proc_creation_win_desktopimgdownldr_susp_execution.yml;True
proc_creation_win_deviceenroller_dll_sideloading.yml;False
@@ -1690,6 +1698,9 @@ proc_creation_win_dnscmd_discovery.yml;False
proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml;False
proc_creation_win_dns_exfiltration_tools_execution.yml;False
proc_creation_win_dns_susp_child_process.yml;False
+proc_creation_win_dnx_execute_csharp_code.yml;False
+proc_creation_win_dotnetdump_memory_dump.yml;False
+proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml;False
proc_creation_win_dotnet_trace_lolbin_execution.yml;False
proc_creation_win_driverquery_recon.yml;False
proc_creation_win_driverquery_usage.yml;False
@@ -1722,9 +1733,11 @@ proc_creation_win_fltmc_unload_driver.yml;False
proc_creation_win_fltmc_unload_driver_sysmon.yml;True
proc_creation_win_forfiles_child_process_masquerading.yml;False
proc_creation_win_forfiles_proxy_execution_.yml;True
+proc_creation_win_fsi_fsharp_code_execution.yml;False
proc_creation_win_fsutil_drive_enumeration.yml;False
proc_creation_win_fsutil_symlinkevaluation.yml;True
proc_creation_win_fsutil_usage.yml;True
+proc_creation_win_ftp_arbitrary_command_execution.yml;False
proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml;False
proc_creation_win_git_susp_clone.yml;False
proc_creation_win_googleupdate_susp_child_process.yml;False
@@ -1834,6 +1847,7 @@ proc_creation_win_iis_appcmd_susp_module_install.yml;False
proc_creation_win_iis_appcmd_susp_rewrite_rule.yml;False
proc_creation_win_iis_connection_strings_decryption.yml;False
proc_creation_win_iis_susp_module_registration.yml;False
+proc_creation_win_ilasm_il_code_compilation.yml;False
proc_creation_win_imagingdevices_unusual_parents.yml;False
proc_creation_win_imewbdld_download.yml;False
proc_creation_win_infdefaultinstall_execute_sct_scripts.yml;True
@@ -1845,6 +1859,7 @@ proc_creation_win_java_remote_debugging.yml;False
proc_creation_win_java_susp_child_process.yml;False
proc_creation_win_java_susp_child_process_2.yml;False
proc_creation_win_java_sysaidserver_susp_child_process.yml;False
+proc_creation_win_jsc_execution.yml;True
proc_creation_win_kd_execution.yml;False
proc_creation_win_ksetup_password_change_computer.yml;False
proc_creation_win_ksetup_password_change_user.yml;False
@@ -1852,34 +1867,20 @@ proc_creation_win_ldifde_export.yml;True
proc_creation_win_ldifde_file_load.yml;False
proc_creation_win_lodctr_performance_counter_tampering.yml;False
proc_creation_win_logman_disable_eventlog.yml;False
-proc_creation_win_lolbin_cdb.yml;False
-proc_creation_win_lolbin_class_exec_xwizard.yml;False
-proc_creation_win_lolbin_cmdl32.yml;True
-proc_creation_win_lolbin_configsecuritypolicy.yml;False
proc_creation_win_lolbin_customshellhost.yml;False
proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml;False
-proc_creation_win_lolbin_dctask64_proc_inject.yml;False
-proc_creation_win_lolbin_defaultpack.yml;False
proc_creation_win_lolbin_device_credential_deployment.yml;False
proc_creation_win_lolbin_devtoolslauncher.yml;False
proc_creation_win_lolbin_diantz_ads.yml;False
proc_creation_win_lolbin_diantz_remote_cab.yml;False
-proc_creation_win_lolbin_dll_sideload_xwizard.yml;False
-proc_creation_win_lolbin_dnx.yml;False
-proc_creation_win_lolbin_dotnet.yml;False
-proc_creation_win_lolbin_dotnet_dump.yml;False
proc_creation_win_lolbin_dump64.yml;False
proc_creation_win_lolbin_extexport.yml;False
proc_creation_win_lolbin_extrac32.yml;False
proc_creation_win_lolbin_extrac32_ads.yml;False
proc_creation_win_lolbin_format.yml;False
-proc_creation_win_lolbin_fsharp_interpreters.yml;False
-proc_creation_win_lolbin_ftp.yml;False
proc_creation_win_lolbin_gather_network_info.yml;False
proc_creation_win_lolbin_gpscript.yml;True
proc_creation_win_lolbin_ie4uinit.yml;True
-proc_creation_win_lolbin_ilasm.yml;False
-proc_creation_win_lolbin_jsc.yml;True
proc_creation_win_lolbin_kavremover.yml;False
proc_creation_win_lolbin_launch_vsdevshell.yml;False
proc_creation_win_lolbin_manage_bde.yml;True
@@ -1921,7 +1922,6 @@ proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml;True
proc_creation_win_lolbin_tracker.yml;False
proc_creation_win_lolbin_ttdinject.yml;False
proc_creation_win_lolbin_tttracer_mod_load.yml;False
-proc_creation_win_lolbin_type.yml;False
proc_creation_win_lolbin_unregmp2.yml;False
proc_creation_win_lolbin_utilityfunctions.yml;False
proc_creation_win_lolbin_visualuiaverifynative.yml;False
@@ -2151,6 +2151,7 @@ proc_creation_win_pua_frp.yml;False
proc_creation_win_pua_iox.yml;False
proc_creation_win_pua_mouselock_execution.yml;False
proc_creation_win_pua_netcat.yml;True
+proc_creation_win_pua_netscan.yml;False
proc_creation_win_pua_ngrok.yml;True
proc_creation_win_pua_nimgrab.yml;True
proc_creation_win_pua_nircmd.yml;False
@@ -2634,6 +2635,8 @@ proc_creation_win_wuauclt_no_cli_flags_execution.yml;False
proc_creation_win_wusa_cab_files_extraction.yml;False
proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml;False
proc_creation_win_wusa_susp_parent_execution.yml;False
+proc_creation_win_xwizard_execution_non_default_location.yml;False
+proc_creation_win_xwizard_runwizard_com_object_exec.yml;False
proc_tampering_susp_process_hollowing.yml;False
raw_access_thread_susp_disk_access_using_uncommon_tools.yml;True
registry_add_malware_netwire.yml;False
@@ -3199,7 +3202,8 @@ file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.ym
web_exploit_cve_2024_1709_screenconnect.yml;False
win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml;False
proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml;False
-paloalto_globalprotect_os_command_injection.yml;False
+file_event_paloalto_globalprotect_exploit_cve_2024_3400_command_inject_file_creation.yml;False
+paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml;False
proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml;False
proc_creation_win_malware_kamikakabot_schtasks_persistence.yml;False
registry_set_malware_kamikakabot_winlogon_persistence.yml;False
@@ -3213,6 +3217,8 @@ registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml;False
file_event_win_apt_unknown_exploitation_indicators.yml;False
microsoft365_susp_email_forwarding_activity.yml;False
okta_password_health_report_query.yml;False
+file_event_lnx_python_path_configuration_files.yml;False
+file_event_macos_python_path_configuration_files.yml;False
proxy_susp_class_extension_request.yml;False
win_firewall_as_change_rule.yml;False
win_security_scheduled_task_deletion.yml;False
@@ -3221,6 +3227,7 @@ create_remote_thread_win_powershell_generic.yml;True
file_access_win_susp_gpo_access_uncommon_process.yml;False
file_delete_win_zone_identifier_ads.yml;False
file_event_win_dump_file_creation.yml;False
+file_event_win_python_path_configuration_files.yml;False
file_event_win_scheduled_task_creation.yml;False
file_event_win_susp_binary_dropper.yml;True
file_event_win_vscode_tunnel_indicators.yml;False
diff --git a/yml/00738d2a-4651-4d76-adf2-c43a41dfb243.yml b/yml/00738d2a-4651-4d76-adf2-c43a41dfb243.yml
index c96f85e6..fe0b8950 100644
--- a/yml/00738d2a-4651-4d76-adf2-c43a41dfb243.yml
+++ b/yml/00738d2a-4651-4d76-adf2-c43a41dfb243.yml
@@ -1,8 +1,12 @@
Attack_name: Windows Management Instrumentation
Attack_description: |-
- Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)
+ Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
- An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
+ The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)
+
+ An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)
+
+ **Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
guid: '00738d2a-4651-4d76-adf2-c43a41dfb243'
name: WMI Execute rundll32
tactic:
diff --git a/yml/00c652e2-0750-4ca6-82ff-0204684a6fe4.yml b/yml/00c652e2-0750-4ca6-82ff-0204684a6fe4.yml
index 2a039680..a2688e1d 100644
--- a/yml/00c652e2-0750-4ca6-82ff-0204684a6fe4.yml
+++ b/yml/00c652e2-0750-4ca6-82ff-0204684a6fe4.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: 00c652e2-0750-4ca6-82ff-0204684a6fe4
name: Enumerate Root Domain linked policies Discovery
tactic:
diff --git a/yml/00e3e3c7-6c3c-455e-bd4b-461c7f0e7797.yml b/yml/00e3e3c7-6c3c-455e-bd4b-461c7f0e7797.yml
index 6b4800d8..823e283c 100644
--- a/yml/00e3e3c7-6c3c-455e-bd4b-461c7f0e7797.yml
+++ b/yml/00e3e3c7-6c3c-455e-bd4b-461c7f0e7797.yml
@@ -2,7 +2,7 @@ Attack_name: 'Unsecured Credentials: Credentials In Files'
Attack_description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
- It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)
+ It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP)
In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)
guid: 00e3e3c7-6c3c-455e-bd4b-461c7f0e7797
diff --git a/yml/0139dba1-f391-405e-a4f5-f3989f2c88ef.yml b/yml/0139dba1-f391-405e-a4f5-f3989f2c88ef.yml
index adec22ca..794ef28b 100644
--- a/yml/0139dba1-f391-405e-a4f5-f3989f2c88ef.yml
+++ b/yml/0139dba1-f391-405e-a4f5-f3989f2c88ef.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: '0139dba1-f391-405e-a4f5-f3989f2c88ef'
name: sftp remote file copy (pull)
tactic:
diff --git a/yml/015cd268-996e-4c32-8347-94c80c6286ee.yml b/yml/015cd268-996e-4c32-8347-94c80c6286ee.yml
index 0aaf01eb..7cc75909 100644
--- a/yml/015cd268-996e-4c32-8347-94c80c6286ee.yml
+++ b/yml/015cd268-996e-4c32-8347-94c80c6286ee.yml
@@ -1,10 +1,10 @@
Attack_name: 'Software Discovery: Security Software Discovery'
Attack_description: |-
- Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query
with [Reg](https://attack.mitre.org/software/S0075), dir
with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
- Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the DescribeSecurityGroups
action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)
+ Adversaries may also utilize the [Cloud API](https://attack.mitre.org/techniques/T1059/009) to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.
guid: 015cd268-996e-4c32-8347-94c80c6286ee
name: Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets
tactic:
diff --git a/yml/02e8be5a-3065-4e54-8cc8-a14d138834d3.yml b/yml/02e8be5a-3065-4e54-8cc8-a14d138834d3.yml
index d43a36b3..89c65188 100644
--- a/yml/02e8be5a-3065-4e54-8cc8-a14d138834d3.yml
+++ b/yml/02e8be5a-3065-4e54-8cc8-a14d138834d3.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: 02e8be5a-3065-4e54-8cc8-a14d138834d3
name: Enumerate Active Directory Users with ADSISearcher
tactic:
diff --git a/yml/079ee2e9-6f16-47ca-a635-14efcd994118.yml b/yml/079ee2e9-6f16-47ca-a635-14efcd994118.yml
index 587b4bc3..2868274e 100644
--- a/yml/079ee2e9-6f16-47ca-a635-14efcd994118.yml
+++ b/yml/079ee2e9-6f16-47ca-a635-14efcd994118.yml
@@ -1,7 +1,7 @@
Attack_name: Credentials from Password Stores
-Attack_description: Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application
- holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults.
- Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
+Attack_description: 'Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending
+ on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password
+ managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.'
guid: '079ee2e9-6f16-47ca-a635-14efcd994118'
name: WinPwn - Loot local Credentials - lazagne
tactic:
diff --git a/yml/096b6d2a-b63f-4100-8fa0-525da4cd25ca.yml b/yml/096b6d2a-b63f-4100-8fa0-525da4cd25ca.yml
index 3dcc64df..12b06e95 100644
--- a/yml/096b6d2a-b63f-4100-8fa0-525da4cd25ca.yml
+++ b/yml/096b6d2a-b63f-4100-8fa0-525da4cd25ca.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: '096b6d2a-b63f-4100-8fa0-525da4cd25ca'
name: Active Directory Domain Search
tactic:
diff --git a/yml/0976990f-53b1-4d3f-a185-6df5be429d3b.yml b/yml/0976990f-53b1-4d3f-a185-6df5be429d3b.yml
index bcb722b4..27cb1a45 100644
--- a/yml/0976990f-53b1-4d3f-a185-6df5be429d3b.yml
+++ b/yml/0976990f-53b1-4d3f-a185-6df5be429d3b.yml
@@ -2,7 +2,7 @@ Attack_name: Group Policy Discovery
Attack_description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
- Adversaries may use commands such as gpresult
or various publicly available PowerShell functions, such as Get-DomainGPO
and Get-DomainGPOLocalGroup
, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.
+ Adversaries may use commands such as gpresult
or various publicly available PowerShell functions, such as Get-DomainGPO
and Get-DomainGPOLocalGroup
, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain or Tenant Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.
guid: '0976990f-53b1-4d3f-a185-6df5be429d3b'
name: Display group policy information via gpresult
tactic:
diff --git a/yml/0a2ce662-1efa-496f-a472-2fe7b080db16.yml b/yml/0a2ce662-1efa-496f-a472-2fe7b080db16.yml
index 10890405..91d4cc17 100644
--- a/yml/0a2ce662-1efa-496f-a472-2fe7b080db16.yml
+++ b/yml/0a2ce662-1efa-496f-a472-2fe7b080db16.yml
@@ -1,6 +1,6 @@
Attack_name: 'Server Software Component: Web Shell'
Attack_description: |-
- Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)
+ Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)
In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013)
guid: 0a2ce662-1efa-496f-a472-2fe7b080db16
diff --git a/yml/0ad9ab92-c48c-4f08-9b20-9633277c4646.yml b/yml/0ad9ab92-c48c-4f08-9b20-9633277c4646.yml
index cdebf06b..4edee07f 100644
--- a/yml/0ad9ab92-c48c-4f08-9b20-9633277c4646.yml
+++ b/yml/0ad9ab92-c48c-4f08-9b20-9633277c4646.yml
@@ -1,11 +1,13 @@
Attack_name: 'Hide Artifacts: Hidden Window'
Attack_description: "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries
- out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. \n\nOn Windows, there are a variety of
- features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows
- hidden. One example of this is powershell.exe -WindowStyle Hidden
. (Citation: PowerShell About 2019)\n\nSimilarly, on macOS the configurations for how applications run are listed in property
- list (plist) files. One of the tags in these files can be apple.awt.UIElement
, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use
- for this is when applications run in the system tray, but don't also want to show up in the Dock.\n\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not
- to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)"
+ out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. \n\nAdversaries may abuse these functionalities
+ to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)\n\nOn macOS, the configurations for how applications run
+ are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement
, which allows for Java applications to prevent the application's icon from appearing in
+ the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.\n\nSimilarly, on Windows there are a variety of features in scripting languages,
+ such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe
+ -WindowStyle Hidden
.(Citation: PowerShell About 2019)\n\nIn addition, Windows supports the `CreateDesktop()` API that can create a hidden desktop window with its own corresponding explorer.exe
+ process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible
+ to other desktops windows."
guid: 0ad9ab92-c48c-4f08-9b20-9633277c4646
name: Headless Browser Accessing Mockbin
tactic:
@@ -19,5 +21,9 @@ description: |
The default Mockbin ID forwards to google.com and you may view the details here https://mockbin.org/bin/f6b9a876-a826-4ac0-83b8-639d6ad516ec/view.
Reference: https://cert.gov.ua/article/5702579
executor: command_prompt
-sigma: false
-sigma_rule: []
+sigma: true
+sigma_rule:
+ - id: 1c526788-0abe-4713-862f-b520da5e5316
+ name: proc_creation_win_browsers_chromium_mockbin_abuse.yml
+ - id: ef9dcfed-690c-4c5d-a9d1-482cd422225c
+ name: proc_creation_win_browsers_chromium_headless_exec.yml
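Review bot: Each `sigma_rule` entry added here records both an `id` and a `name`, and nothing in the hunk ties the two together, so the pair can silently drift if either rule file is renamed or its id changed upstream. Before relying on `sigma: true` for this test it is worth confirming that each listed id is the `id` field of the named rule file, or that whatever generates these mappings validates the pair. The `description:` key and the rest of this YAML document begin above the hunk, so only the mapping tail is visible here.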
diff --git a/yml/0ae9e327-3251-465a-a53b-485d4e3f58fa.yml b/yml/0ae9e327-3251-465a-a53b-485d4e3f58fa.yml
index 2293fdc2..3b748884 100644
--- a/yml/0ae9e327-3251-465a-a53b-485d4e3f58fa.yml
+++ b/yml/0ae9e327-3251-465a-a53b-485d4e3f58fa.yml
@@ -3,8 +3,9 @@ Attack_description: "An adversary may use legitimate desktop support and remote
such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and
may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\n\nRemote access
software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They
- may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n \nAdversaries may similarly abuse response features included
- in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003))."
+ may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.\n \nAdversaries may similarly abuse response features included
+ in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).
+ Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)"
guid: 0ae9e327-3251-465a-a53b-485d4e3f58fa
name: Ammyy Admin Software Execution
tactic:
diff --git a/yml/0b207037-813c-4444-ac3f-b597cf280a67.yml b/yml/0b207037-813c-4444-ac3f-b597cf280a67.yml
new file mode 100644
index 00000000..1d1dd133
--- /dev/null
+++ b/yml/0b207037-813c-4444-ac3f-b597cf280a67.yml
@@ -0,0 +1,17 @@
+Attack_name: OS Credential Dumping
+Attack_description: |
+ Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
+
+ Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
+guid: 0b207037-813c-4444-ac3f-b597cf280a67
+name: Send NTLM Hash with RPC Test Connection
+tactic:
+ - credential-access
+technique:
+ - T1003
+os:
+ - windows
+description: "RpcPing command can be used to send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process. \nRef: https://twitter.com/vysecurity/status/974806438316072960"
+executor: powershell
+sigma: false
+sigma_rule: []
diff --git a/yml/0b2f9520-a17a-4671-9dba-3bd034099fff.yml b/yml/0b2f9520-a17a-4671-9dba-3bd034099fff.yml
index f258e04b..1f85c07c 100644
--- a/yml/0b2f9520-a17a-4671-9dba-3bd034099fff.yml
+++ b/yml/0b2f9520-a17a-4671-9dba-3bd034099fff.yml
@@ -6,7 +6,7 @@ Attack_description: |-
Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open)
- Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.
+ Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other containers running on the host, or setting up a command and control channel on the host.
guid: 0b2f9520-a17a-4671-9dba-3bd034099fff
name: Deploy container using nsenter container escape
tactic:
diff --git a/yml/0b44d79b-570a-4b27-a31f-3bf2156e5eaa.yml b/yml/0b44d79b-570a-4b27-a31f-3bf2156e5eaa.yml
index 806eb48a..13b9dc89 100644
--- a/yml/0b44d79b-570a-4b27-a31f-3bf2156e5eaa.yml
+++ b/yml/0b44d79b-570a-4b27-a31f-3bf2156e5eaa.yml
@@ -1,6 +1,6 @@
Attack_name: 'Command and Scripting Interpreter: Python'
Attack_description: |-
- Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe
interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.
+ Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe
interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)
Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.
guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
diff --git a/yml/0bb64470-582a-4155-bde2-d6003a95ed34.yml b/yml/0bb64470-582a-4155-bde2-d6003a95ed34.yml
index 74a928e4..c0f58afc 100644
--- a/yml/0bb64470-582a-4155-bde2-d6003a95ed34.yml
+++ b/yml/0bb64470-582a-4155-bde2-d6003a95ed34.yml
@@ -2,6 +2,8 @@ Attack_name: Software Discovery
Attack_description: |-
Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Such software may be deployed widely across the environment for configuration management or security reasons, such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072), and may allow adversaries broad access to infect devices or move laterally.
+
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
guid: 0bb64470-582a-4155-bde2-d6003a95ed34
name: WinPwn - powerSQL
diff --git a/yml/0be2230c-9ab3-4ac2-8826-3199b9a0ebf8.yml b/yml/0be2230c-9ab3-4ac2-8826-3199b9a0ebf8.yml
index 65938423..f2131d3b 100644
--- a/yml/0be2230c-9ab3-4ac2-8826-3199b9a0ebf8.yml
+++ b/yml/0be2230c-9ab3-4ac2-8826-3199b9a0ebf8.yml
@@ -13,10 +13,11 @@ Attack_description: |
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
- Built-in Windows tools such as comsvcs.dll can also be used:
+ Built-in Windows tools such as `comsvcs.dll` can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full
(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
+ Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
diff --git a/yml/0ca82ed1-0a94-4774-9a9a-a2c83a8022b7.yml b/yml/0ca82ed1-0a94-4774-9a9a-a2c83a8022b7.yml
index 0ce29ed5..1af303b1 100644
--- a/yml/0ca82ed1-0a94-4774-9a9a-a2c83a8022b7.yml
+++ b/yml/0ca82ed1-0a94-4774-9a9a-a2c83a8022b7.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: 0ca82ed1-0a94-4774-9a9a-a2c83a8022b7
name: Stop/Start Packet Filter
tactic:
diff --git a/yml/0e36303b-6762-4500-b003-127743b80ba6.yml b/yml/0e36303b-6762-4500-b003-127743b80ba6.yml
index 5cce681f..869a464d 100644
--- a/yml/0e36303b-6762-4500-b003-127743b80ba6.yml
+++ b/yml/0e36303b-6762-4500-b003-127743b80ba6.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include dir
, tree
, ls
, find
, and locate
.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. dir
, show flash
, and/or nvram
).(Citation: US-CERT-TA18-106A)
+
+ Some files and directories may require elevated or specific user permissions to access.
guid: 0e36303b-6762-4500-b003-127743b80ba6
name: File and Directory Discovery (cmd.exe)
tactic:
diff --git a/yml/0e56bf29-ff49-4ea5-9af4-3b81283fd513.yml b/yml/0e56bf29-ff49-4ea5-9af4-3b81283fd513.yml
index 499cbc79..be0479bd 100644
--- a/yml/0e56bf29-ff49-4ea5-9af4-3b81283fd513.yml
+++ b/yml/0e56bf29-ff49-4ea5-9af4-3b81283fd513.yml
@@ -2,7 +2,7 @@ Attack_name: 'Unsecured Credentials: Credentials In Files'
Attack_description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
- It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)
+ It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP)
In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)
guid: 0e56bf29-ff49-4ea5-9af4-3b81283fd513
diff --git a/yml/0e65ae27-5385-46b4-98ac-607a8ee82261.yml b/yml/0e65ae27-5385-46b4-98ac-607a8ee82261.yml
index 63f9e061..017560ca 100644
--- a/yml/0e65ae27-5385-46b4-98ac-607a8ee82261.yml
+++ b/yml/0e65ae27-5385-46b4-98ac-607a8ee82261.yml
@@ -1,8 +1,9 @@
Attack_name: Account Manipulation
Attack_description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to
- a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password
- updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on
- systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
+ a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies,
+ such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already
+ have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
guid: 0e65ae27-5385-46b4-98ac-607a8ee82261
name: Azure AD - adding user to Azure AD role
tactic:
diff --git a/yml/0f0b6a29-08c3-44ad-a30b-47fd996b2110.yml b/yml/0f0b6a29-08c3-44ad-a30b-47fd996b2110.yml
index 286ed135..7e805494 100644
--- a/yml/0f0b6a29-08c3-44ad-a30b-47fd996b2110.yml
+++ b/yml/0f0b6a29-08c3-44ad-a30b-47fd996b2110.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Local Account'
Attack_description: |-
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
- Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
+ Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110
name: Show if a user account has ever logged in remotely
tactic:
diff --git a/yml/0fc6e977-cb12-44f6-b263-2824ba917409.yml b/yml/0fc6e977-cb12-44f6-b263-2824ba917409.yml
index 689f6295..935d7b6e 100644
--- a/yml/0fc6e977-cb12-44f6-b263-2824ba917409.yml
+++ b/yml/0fc6e977-cb12-44f6-b263-2824ba917409.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 0fc6e977-cb12-44f6-b263-2824ba917409
name: rsync remote file copy (push)
tactic:
diff --git a/yml/0fd48ef7-d890-4e93-a533-f7dedd5191d3.yml b/yml/0fd48ef7-d890-4e93-a533-f7dedd5191d3.yml
index 2c4bf7c9..3fe48fa5 100644
--- a/yml/0fd48ef7-d890-4e93-a533-f7dedd5191d3.yml
+++ b/yml/0fd48ef7-d890-4e93-a533-f7dedd5191d3.yml
@@ -1,8 +1,12 @@
Attack_name: Windows Management Instrumentation
Attack_description: |-
- Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)
+ Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
- An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
+ The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)
+
+ An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)
+
+ **Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
guid: 0fd48ef7-d890-4e93-a533-f7dedd5191d3
name: WMI Reconnaissance List Remote Services
tactic:
diff --git a/yml/103d6533-fd2a-4d08-976a-4a598565280f.yml b/yml/103d6533-fd2a-4d08-976a-4a598565280f.yml
index 666f51d6..a535dff4 100644
--- a/yml/103d6533-fd2a-4d08-976a-4a598565280f.yml
+++ b/yml/103d6533-fd2a-4d08-976a-4a598565280f.yml
@@ -2,6 +2,8 @@ Attack_name: Software Discovery
Attack_description: |-
Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Such software may be deployed widely across the environment for configuration management or security reasons, such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072), and may allow adversaries broad access to infect devices or move laterally.
+
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
guid: 103d6533-fd2a-4d08-976a-4a598565280f
name: Find and Display Safari Browser Version
diff --git a/yml/10447c83-fc38-462a-a936-5102363b1c43.yml b/yml/10447c83-fc38-462a-a936-5102363b1c43.yml
index 96580cea..59925889 100644
--- a/yml/10447c83-fc38-462a-a936-5102363b1c43.yml
+++ b/yml/10447c83-fc38-462a-a936-5102363b1c43.yml
@@ -1,8 +1,12 @@
Attack_name: Windows Management Instrumentation
Attack_description: |-
- Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)
+ Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
- An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
+ The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)
+
+ An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)
+
+ **Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
guid: 10447c83-fc38-462a-a936-5102363b1c43
name: Create a Process using obfuscated Win32_Process
tactic:
diff --git a/yml/10ba02d0-ab76-4f80-940d-451633f24c5b.yml b/yml/10ba02d0-ab76-4f80-940d-451633f24c5b.yml
index 6a2a44c2..64ea8a4c 100644
--- a/yml/10ba02d0-ab76-4f80-940d-451633f24c5b.yml
+++ b/yml/10ba02d0-ab76-4f80-940d-451633f24c5b.yml
@@ -2,6 +2,8 @@ Attack_name: Software Discovery
Attack_description: |-
Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Such software may be deployed widely across the environment for configuration management or security reasons, such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072), and may allow adversaries broad access to infect devices or move laterally.
+
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
guid: 10ba02d0-ab76-4f80-940d-451633f24c5b
name: WinPwn - DotNet
diff --git a/yml/10c710c9-9104-4d5f-8829-5b65391e2a29.yml b/yml/10c710c9-9104-4d5f-8829-5b65391e2a29.yml
index 120867bd..1b8c4acb 100644
--- a/yml/10c710c9-9104-4d5f-8829-5b65391e2a29.yml
+++ b/yml/10c710c9-9104-4d5f-8829-5b65391e2a29.yml
@@ -1,10 +1,10 @@
Attack_name: Network Sniffing
Attack_description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+ Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
diff --git a/yml/114ccff9-ae6d-4547-9ead-4cd69f687306.yml b/yml/114ccff9-ae6d-4547-9ead-4cd69f687306.yml
index 8bee10d8..3a054097 100644
--- a/yml/114ccff9-ae6d-4547-9ead-4cd69f687306.yml
+++ b/yml/114ccff9-ae6d-4547-9ead-4cd69f687306.yml
@@ -2,11 +2,11 @@ Attack_name: 'Phishing: Spearphishing Attachment'
Attack_description: "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing.
Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering
targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204)
- to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nThere are many options for the attachment such as Microsoft Office documents, executables,
- PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of
- the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions
- on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables
- appear to be document files, or files exploiting one application appear to be a file for a different one. "
+ to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nThere are many options for the attachment
+ such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly
+ executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to
+ do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions
+ and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. "
guid: 114ccff9-ae6d-4547-9ead-4cd69f687306
name: Download Macro-Enabled Phishing Attachment
tactic:
diff --git a/yml/114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0.yml b/yml/114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0.yml
index f9e2ff1f..db247946 100644
--- a/yml/114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0.yml
+++ b/yml/114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0.yml
@@ -2,7 +2,7 @@ Attack_name: 'Unsecured Credentials: Credentials In Files'
Attack_description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
- It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)
+ It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP)
In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)
guid: 114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0
diff --git a/yml/11ba69ee-902e-4a0f-b3b6-418aed7d7ddb.yml b/yml/11ba69ee-902e-4a0f-b3b6-418aed7d7ddb.yml
index e7bbd5d8..15ee6dfa 100644
--- a/yml/11ba69ee-902e-4a0f-b3b6-418aed7d7ddb.yml
+++ b/yml/11ba69ee-902e-4a0f-b3b6-418aed7d7ddb.yml
@@ -1,10 +1,11 @@
Attack_name: Process Discovery
-Attack_description: |-
- Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process
via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot
. In Mac and Linux, this is accomplished with the ps
command. Adversaries may also opt to enumerate processes via /proc.
-
- On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)
+Attack_description: "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on
+ systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057)
+ during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could
+ obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process
via [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot
. In Mac and Linux, this
+ is accomplished with the ps
command. Adversaries may also opt to enumerate processes via `/proc`. \n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+ commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)"
guid: 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb
name: Discover Specific Process - tasklist
tactic:
diff --git a/yml/12631354-fdbc-4164-92be-402527e748da.yml b/yml/12631354-fdbc-4164-92be-402527e748da.yml
index 478d82ca..8fdffed7 100644
--- a/yml/12631354-fdbc-4164-92be-402527e748da.yml
+++ b/yml/12631354-fdbc-4164-92be-402527e748da.yml
@@ -1,8 +1,12 @@
Attack_name: 'Proxy: Multi-hop Proxy'
Attack_description: |-
- To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)
+ Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
- In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.
+ For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
+
+ In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
+
+ Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
guid: 12631354-fdbc-4164-92be-402527e748da
name: Tor Proxy Usage - MacOS
tactic:
diff --git a/yml/1329d5ab-e10e-4e5e-93d1-4d907eb656e5.yml b/yml/1329d5ab-e10e-4e5e-93d1-4d907eb656e5.yml
index e2e5bf12..a2f6b2e2 100644
--- a/yml/1329d5ab-e10e-4e5e-93d1-4d907eb656e5.yml
+++ b/yml/1329d5ab-e10e-4e5e-93d1-4d907eb656e5.yml
@@ -20,23 +20,13 @@ technique:
- T1562.003
os:
- windows
-description: |
- In Windows operating systems, command line auditing is controlled through the following registry value:
-
- Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
- Registry Value: ProcessCreationIncludeCmdLine_Enabled
-
- When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
- This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
- By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
- Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
-
- Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:
- Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1)
- Registry events (Windows Event ID 4657, Sysmon Event ID 13)
-
- Read more here:
- https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+description: "In Windows operating systems, command line auditing is controlled through the following registry value:\n\n Registry Path: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\
+ Audit\n \n Registry Value: ProcessCreationIncludeCmdLine_Enabled\n\nWhen command line auditing is enabled, the system records detailed information about command execution, including the command executed,
+ the user account responsible for executing the command, and the timestamp of the execution.\nThis information is crucial for security monitoring and forensic analysis, as it helps organizations detect
+ and investigate unauthorized or malicious activities within their systems.\nBy default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate
+ registry settings to activate it.\nConversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks
+ while perpetrating malicious activities.\n\nBecause this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:\n Process Creation events for reg.exe (Windows
+ Event ID 4688, Sysmon Event ID 1)\n Registry events (Windows Event ID 4657, Sysmon Event ID 13)\n\nRead more here:\nhttps://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html\n"
executor: command_prompt
sigma: false
sigma_rule: []
diff --git a/yml/13c5e1ae-605b-46c4-a79f-db28c77ff24e.yml b/yml/13c5e1ae-605b-46c4-a79f-db28c77ff24e.yml
index 52db3139..a0a929c8 100644
--- a/yml/13c5e1ae-605b-46c4-a79f-db28c77ff24e.yml
+++ b/yml/13c5e1ae-605b-46c4-a79f-db28c77ff24e.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include dir
, tree
, ls
, find
, and locate
.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. dir
, show flash
, and/or nvram
).(Citation: US-CERT-TA18-106A)
+
+ Some files and directories may require elevated or specific user permissions to access.
guid: 13c5e1ae-605b-46c4-a79f-db28c77ff24e
name: Nix File and Directory Discovery 2
tactic:
diff --git a/yml/14d55ca0-920e-4b44-8425-37eedd72b173.yml b/yml/14d55ca0-920e-4b44-8425-37eedd72b173.yml
index 76b1385a..cf4ba926 100644
--- a/yml/14d55ca0-920e-4b44-8425-37eedd72b173.yml
+++ b/yml/14d55ca0-920e-4b44-8425-37eedd72b173.yml
@@ -1,8 +1,12 @@
Attack_name: 'Proxy: Multi-hop Proxy'
Attack_description: |-
- To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)
+ Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
- In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.
+ For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
+
+ In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
+
+ Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
guid: 14d55ca0-920e-4b44-8425-37eedd72b173
name: Psiphon
tactic:
diff --git a/yml/14f3af20-61f1-45b8-ad31-4637815f3f44.yml b/yml/14f3af20-61f1-45b8-ad31-4637815f3f44.yml
index ae9d96dd..312b2eb8 100644
--- a/yml/14f3af20-61f1-45b8-ad31-4637815f3f44.yml
+++ b/yml/14f3af20-61f1-45b8-ad31-4637815f3f44.yml
@@ -6,7 +6,8 @@ Attack_description: "An adversary may add additional roles or permissions to an
or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation,
particularly if the roles added allow for lateral movement to additional accounts.\n\nFor example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion
API to define a new version of an IAM policy or the AttachUserPolicy
API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security
- Labs AWS Privilege Escalation)"
+ Labs AWS Privilege Escalation)\n\nIn some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside
+ the victim tenant without requiring the adversary to [Create Account](https://attack.mitre.org/techniques/T1136) or modify a victim-owned account.(Citation: Invictus IR DangerDev 2024)"
guid: 14f3af20-61f1-45b8-ad31-4637815f3f44
name: Simulate - Post BEC persistence via user password reset followed by user added to company administrator role
tactic:
diff --git a/yml/1553252f-14ea-4d3b-8a08-d7a4211aa945.yml b/yml/1553252f-14ea-4d3b-8a08-d7a4211aa945.yml
index d5491c2a..977571cc 100644
--- a/yml/1553252f-14ea-4d3b-8a08-d7a4211aa945.yml
+++ b/yml/1553252f-14ea-4d3b-8a08-d7a4211aa945.yml
@@ -1,10 +1,10 @@
Attack_name: 'Software Discovery: Security Software Discovery'
Attack_description: |-
- Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query
with [Reg](https://attack.mitre.org/software/S0075), dir
with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
- Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the DescribeSecurityGroups
action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)
+ Adversaries may also utilize the [Cloud API](https://attack.mitre.org/techniques/T1059/009) to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.
guid: 1553252f-14ea-4d3b-8a08-d7a4211aa945
name: Security Software Discovery - AV Discovery via WMI
tactic:
diff --git a/yml/15e57006-79dd-46df-9bf9-31bc24fb5a80.yml b/yml/15e57006-79dd-46df-9bf9-31bc24fb5a80.yml
index 0a7e53f3..ed88095b 100644
--- a/yml/15e57006-79dd-46df-9bf9-31bc24fb5a80.yml
+++ b/yml/15e57006-79dd-46df-9bf9-31bc24fb5a80.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: 15e57006-79dd-46df-9bf9-31bc24fb5a80
name: Opening ports for proxy - HARDRAIN
tactic:
diff --git a/yml/161d694c-b543-4434-85c3-c3a433e33792.yml b/yml/161d694c-b543-4434-85c3-c3a433e33792.yml
index 6d7d2792..b81a3937 100644
--- a/yml/161d694c-b543-4434-85c3-c3a433e33792.yml
+++ b/yml/161d694c-b543-4434-85c3-c3a433e33792.yml
@@ -1,6 +1,6 @@
Attack_name: 'Command and Scripting Interpreter: Python'
Attack_description: |-
- Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe
interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.
+ Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe
interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)
Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.
guid: 161d694c-b543-4434-85c3-c3a433e33792
diff --git a/yml/161dcd85-d014-4f5e-900c-d3eaae82a0f7.yml b/yml/161dcd85-d014-4f5e-900c-d3eaae82a0f7.yml
index c8a069fe..907f3146 100644
--- a/yml/161dcd85-d014-4f5e-900c-d3eaae82a0f7.yml
+++ b/yml/161dcd85-d014-4f5e-900c-d3eaae82a0f7.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: 161dcd85-d014-4f5e-900c-d3eaae82a0f7
name: Enumerate logged on users via CMD (Domain)
tactic:
diff --git a/yml/16bdbe52-371c-4ccf-b708-79fba61f1db4.yml b/yml/16bdbe52-371c-4ccf-b708-79fba61f1db4.yml
new file mode 100644
index 00000000..53a9ee8d
--- /dev/null
+++ b/yml/16bdbe52-371c-4ccf-b708-79fba61f1db4.yml
@@ -0,0 +1,21 @@
+Attack_name: Modify Registry
+Attack_description: |-
+ Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
+
+ Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.
+
+ Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)
+
+ The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.
+guid: 16bdbe52-371c-4ccf-b708-79fba61f1db4
+name: Enable RDP via Registry (fDenyTSConnections)
+tactic:
+ - defense-evasion
+technique:
+ - T1112
+os:
+ - windows
+description: "Modify the registry value of fDenyTSConnections to allow incoming RDP connections. \nThis activity has been observed by multiple ransomware groups, including Hive ransomware. \n[Reference](https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/)\n"
+executor: command_prompt
+sigma: false
+sigma_rule: []
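Review bot: The new record is committed with `sigma: false` and `sigma_rule: []` on its last two lines, so a test that targets a single, well-known registry value (fDenyTSConnections, tagged T1112 and defense-evasion) enters the corpus as having no detection coverage. Before accepting that state it is worth checking the rule set for a registry_set rule that already matches this value and, if one exists, linking its `id`/`name` pair here in the same list form the other records use. If no rule covers it, a short comment such as `# no matching Sigma rule as of this commit; coverage gap for RDP enablement via registry` above `sigma: false` would make the gap deliberate rather than an omission. The `description` string also ends with an embedded `\n`, which other records in this hunk's neighbours do not appear to carry; trimming it keeps the field consistent.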
diff --git a/yml/17d046be-fdd0-4cbb-b5c7-55c85d9d0714.yml b/yml/17d046be-fdd0-4cbb-b5c7-55c85d9d0714.yml
index 1a555703..2c75c3a4 100644
--- a/yml/17d046be-fdd0-4cbb-b5c7-55c85d9d0714.yml
+++ b/yml/17d046be-fdd0-4cbb-b5c7-55c85d9d0714.yml
@@ -4,11 +4,10 @@ Attack_description: "Adversaries may grant additional permission levels to maint
Crowdstrike Hiding in Plain Sight 2018) In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation:
Google Ensuring Your Information is Safe) \n\nAdversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign
the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize
- any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)\n\nThis may be used
- in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to the accounts they
- wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in
- the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation:
- Bienstock, D. - Defending O365 - 2019)"
+ any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Mandiant Defend UNC2452 White Paper)\n\nThis may be used in persistent threat incidents as well as
+ BEC (Business Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to the accounts they wish to compromise. This may further enable
+ use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating
+ inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)"
guid: 17d046be-fdd0-4cbb-b5c7-55c85d9d0714
name: EXO - Full access mailbox permission granted to a user
tactic:
diff --git a/yml/19acf63b-55c4-4b6a-8552-00a8865105c8.yml b/yml/19acf63b-55c4-4b6a-8552-00a8865105c8.yml
index 7018d492..489adb64 100644
--- a/yml/19acf63b-55c4-4b6a-8552-00a8865105c8.yml
+++ b/yml/19acf63b-55c4-4b6a-8552-00a8865105c8.yml
@@ -3,8 +3,9 @@ Attack_description: "An adversary may use legitimate desktop support and remote
such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and
may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\n\nRemote access
software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They
- may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n \nAdversaries may similarly abuse response features included
- in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003))."
+ may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.\n \nAdversaries may similarly abuse response features included
+ in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).
+ Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)"
guid: 19acf63b-55c4-4b6a-8552-00a8865105c8
name: UltraViewer - RAT Execution
tactic:
diff --git a/yml/1a02df58-09af-4064-a765-0babe1a0d1e2.yml b/yml/1a02df58-09af-4064-a765-0babe1a0d1e2.yml
index 672e6446..36f76721 100644
--- a/yml/1a02df58-09af-4064-a765-0babe1a0d1e2.yml
+++ b/yml/1a02df58-09af-4064-a765-0babe1a0d1e2.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 1a02df58-09af-4064-a765-0babe1a0d1e2
name: Download a file with IMEWDBLD.exe
tactic:
diff --git a/yml/1a94b3fc-b080-450a-b3d8-6d9b57b472ea.yml b/yml/1a94b3fc-b080-450a-b3d8-6d9b57b472ea.yml
index 35a56274..a305e594 100644
--- a/yml/1a94b3fc-b080-450a-b3d8-6d9b57b472ea.yml
+++ b/yml/1a94b3fc-b080-450a-b3d8-6d9b57b472ea.yml
@@ -1,8 +1,9 @@
Attack_name: Account Manipulation
Attack_description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to
- a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password
- updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on
- systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
+ a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies,
+ such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already
+ have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
guid: 1a94b3fc-b080-450a-b3d8-6d9b57b472ea
name: Azure - adding user to Azure role in subscription
tactic:
diff --git a/yml/1b682d84-f075-4f93-9a89-8a8de19ffd6e.yml b/yml/1b682d84-f075-4f93-9a89-8a8de19ffd6e.yml
index 6d57d4fb..89cb27db 100644
--- a/yml/1b682d84-f075-4f93-9a89-8a8de19ffd6e.yml
+++ b/yml/1b682d84-f075-4f93-9a89-8a8de19ffd6e.yml
@@ -2,13 +2,16 @@ Attack_name: 'Indicator Removal on Host: Clear Windows Event Logs'
Attack_description: |-
Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
- The event logs can be cleared with the following utility commands:
+
+ With administrator privileges, the event logs can be cleared with the following utility commands:
* wevtutil cl system
* wevtutil cl application
* wevtutil cl security
- These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security
to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)
+ These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security
to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)
+
+ Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\Windows\System32\winevt\logs\`.
guid: 1b682d84-f075-4f93-9a89-8a8de19ffd6e
name: Clear Event Logs via VBA
tactic:
diff --git a/yml/1b72b3bd-72f8-4b63-a30b-84e91b9c3578.yml b/yml/1b72b3bd-72f8-4b63-a30b-84e91b9c3578.yml
index eae7c955..687009ce 100644
--- a/yml/1b72b3bd-72f8-4b63-a30b-84e91b9c3578.yml
+++ b/yml/1b72b3bd-72f8-4b63-a30b-84e91b9c3578.yml
@@ -3,8 +3,9 @@ Attack_description: "An adversary may use legitimate desktop support and remote
such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and
may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\n\nRemote access
software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They
- may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n \nAdversaries may similarly abuse response features included
- in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003))."
+ may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.\n \nAdversaries may similarly abuse response features included
+ in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).
+ Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)"
guid: 1b72b3bd-72f8-4b63-a30b-84e91b9c3578
name: GoToAssist Files Detected Test on Windows
tactic:
diff --git a/yml/1b83cddb-eaa7-45aa-98a5-85fb0a8807ea.yml b/yml/1b83cddb-eaa7-45aa-98a5-85fb0a8807ea.yml
index 5deb215b..2521bf77 100644
--- a/yml/1b83cddb-eaa7-45aa-98a5-85fb0a8807ea.yml
+++ b/yml/1b83cddb-eaa7-45aa-98a5-85fb0a8807ea.yml
@@ -1,20 +1,21 @@
Attack_name: Steal Application Access Token
Attack_description: "Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.\n\nApplication access tokens are used to make authorized
API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should
- Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. Adversaries who steal account API tokens in cloud and
- containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.\n\n
- In Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal
- the container’s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts)\n\nToken theft can also occur through social engineering, in which case user action may
- be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used
- sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token
- enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. \n \nAdversaries can leverage OAuth authorization
- by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn
- Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE,
- the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)
- to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through
- [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)\n\nApplication access tokens may function within a limited lifetime,
- limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them
- to obtain new access tokens without prompting the user. \n\n"
+ Always Use Access Tokens to Secure APIs Sept 2019) Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions
+ of these accounts, which can lead to privilege escalation and further compromise of the environment.\n\nFor example, in Kubernetes environments, processes running inside a container may communicate with
+ the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the container’s token and thereby gain access to Kubernetes API commands.(Citation:
+ Kubernetes Service Accounts) Similarly, instances within continuous-development / continuous-integration (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and
+ deployment.(Citation: Cider Security Top 10 CICD Security Risks) If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges.\n\nToken theft can also
+ occur through social engineering, in which case user action may be required to grant access. OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application
+ desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code
+ Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact
+ with resources containing user data in the ways requested by the application without obtaining user credentials. \n \nAdversaries can leverage OAuth authorization by constructing a malicious application
+ designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need
+ to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell,
+ or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them
+ to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation:
+ Microsoft - Azure AD Identity Tokens - Aug 2019)\n\nApplication access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases,
+ adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user. \n\n"
guid: 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea
name: Azure - Dump All Azure Key Vaults with Microburst
tactic:
diff --git a/yml/1c68c68d-83a4-4981-974e-8993055fa034.yml b/yml/1c68c68d-83a4-4981-974e-8993055fa034.yml
index 8206aed6..f3c8d0ba 100644
--- a/yml/1c68c68d-83a4-4981-974e-8993055fa034.yml
+++ b/yml/1c68c68d-83a4-4981-974e-8993055fa034.yml
@@ -11,6 +11,7 @@ Attack_description: |-
* wbadmin.exe
can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe
can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
* REAgentC.exe
can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
+ * diskshadow.exe
can be used to delete all volume shadow copies on a system - diskshadow delete shadows all
(Citation: Diskshadow) (Citation: Crytox Ransomware)
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
diff --git a/yml/1d5711d6-655c-4a47-ae9c-6503c74fa877.yml b/yml/1d5711d6-655c-4a47-ae9c-6503c74fa877.yml
index 79cc885c..b5af868b 100644
--- a/yml/1d5711d6-655c-4a47-ae9c-6503c74fa877.yml
+++ b/yml/1d5711d6-655c-4a47-ae9c-6503c74fa877.yml
@@ -1,11 +1,13 @@
Attack_name: System Time Discovery
Attack_description: |-
- An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet Windows Time Service)
+ An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or systemsetup
on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)
- System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname
to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz
.(Citation: Technet Windows Time Service)
+ System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname
to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz
.(Citation: Technet Windows Time Service) In addition, adversaries can discover device uptime through functions such as GetTickCount()
to determine how long it has been since the system booted up.(Citation: Virtualization/Sandbox Evasion)
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)
+ In addition, system calls – such as time()
– have been used to collect the current time on Linux devices.(Citation: MAGNET GOBLIN) On macOS systems, adversaries may use commands such as systemsetup -gettimezone
or timeIntervalSinceNow
to gather current time zone information or current date and time.(Citation: System Information Discovery Technique)(Citation: ESET DazzleSpy Jan 2022)
+
This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)
guid: 1d5711d6-655c-4a47-ae9c-6503c74fa877
name: System Time Discovery - PowerShell
diff --git a/yml/1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8.yml b/yml/1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8.yml
index c506c924..24121013 100644
--- a/yml/1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8.yml
+++ b/yml/1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8.yml
@@ -19,6 +19,6 @@ executor: command_prompt
sigma: true
sigma_rule:
- id: 52788a70-f1da-40dd-8fbd-73b5865d6568
- name: proc_creation_win_lolbin_jsc.yml
+ name: proc_creation_win_jsc_execution.yml
- id: 297afac9-5d02-4138-8c58-b977bac60556
name: file_event_win_susp_binary_dropper.yml
diff --git a/yml/1f896ce4-8070-4959-8a25-2658856a70c9.yml b/yml/1f896ce4-8070-4959-8a25-2658856a70c9.yml
index 4fa7c2db..68eb63e2 100644
--- a/yml/1f896ce4-8070-4959-8a25-2658856a70c9.yml
+++ b/yml/1f896ce4-8070-4959-8a25-2658856a70c9.yml
@@ -9,8 +9,10 @@ Attack_description: "Adversaries may create or modify Windows services to repeat
these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised
machine (known as \"Bring Your Own Vulnerable Driver\" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation:
Unit42 AcidBox June 2020)\n\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries
- may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade
- Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component)."
+ may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002).\n\nTo make detection analysis more challenging, malicious services may also incorporate [Masquerade
+ Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create ‘hidden’
+ services (i.e., [Hide Artifacts](https://attack.mitre.org/techniques/T1564)), for example by using the `sc sdset` command to set service permissions via the Service Descriptor Definition Language (SDDL).
+ This may hide a Windows service from the view of standard service enumeration methods such as `Get-Service`, `sc query`, and `services.exe`.(Citation: SANS 1)(Citation: SANS 2)"
guid: 1f896ce4-8070-4959-8a25-2658856a70c9
name: Modify Service to Run Arbitrary Binary (Powershell)
tactic:
diff --git a/yml/20aba24b-e61f-4b26-b4ce-4784f763ca20.yml b/yml/20aba24b-e61f-4b26-b4ce-4784f763ca20.yml
index 66fb8ad0..0b41e677 100644
--- a/yml/20aba24b-e61f-4b26-b4ce-4784f763ca20.yml
+++ b/yml/20aba24b-e61f-4b26-b4ce-4784f763ca20.yml
@@ -1,11 +1,13 @@
Attack_name: System Time Discovery
Attack_description: |-
- An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet Windows Time Service)
+ An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or systemsetup
on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)
- System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname
to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz
.(Citation: Technet Windows Time Service)
+ System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname
to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz
.(Citation: Technet Windows Time Service) In addition, adversaries can discover device uptime through functions such as GetTickCount()
to determine how long it has been since the system booted up.(Citation: Virtualization/Sandbox Evasion)
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)
+ In addition, system calls – such as time()
– have been used to collect the current time on Linux devices.(Citation: MAGNET GOBLIN) On macOS systems, adversaries may use commands such as systemsetup -gettimezone
or timeIntervalSinceNow
to gather current time zone information or current date and time.(Citation: System Information Discovery Technique)(Citation: ESET DazzleSpy Jan 2022)
+
This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)
guid: 20aba24b-e61f-4b26-b4ce-4784f763ca20
name: System Time Discovery
diff --git a/yml/2158908e-b7ef-4c21-8a83-3ce4dd05a924.yml b/yml/2158908e-b7ef-4c21-8a83-3ce4dd05a924.yml
index d7d36d7c..32e486ee 100644
--- a/yml/2158908e-b7ef-4c21-8a83-3ce4dd05a924.yml
+++ b/yml/2158908e-b7ef-4c21-8a83-3ce4dd05a924.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include dir
, tree
, ls
, find
, and locate
.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. dir
, show flash
, and/or nvram
).(Citation: US-CERT-TA18-106A)
+
+ Some files and directories may require elevated or specific user permissions to access.
guid: 2158908e-b7ef-4c21-8a83-3ce4dd05a924
name: File and Directory Discovery (PowerShell)
tactic:
diff --git a/yml/2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a.yml b/yml/2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a.yml
index 0ab8f01d..f79ea702 100644
--- a/yml/2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a.yml
+++ b/yml/2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a.yml
@@ -1,11 +1,15 @@
Attack_name: Software Deployment Tools
-Attack_description: "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally
- through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). \n\nAccess to a third-party
- network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other
- systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries.
- (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\n\nThe permissions required for this action vary by system configuration; local credentials may
- be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended
- purpose."
+Attack_description: "Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management
+ and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples
+ of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager. \n\nAccess to network-wide or enterprise-wide endpoint management software
+ may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping
+ the hard drives on all endpoints.\n\nSaaS-based configuration management services may allow for broad [Cloud Administration Command](https://attack.mitre.org/techniques/T1651) on cloud-hosted instances,
+ as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
+ joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001) to communicate back
+ to adversary owned infrastructure.(Citation: Mitiga Security Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices may also have configuration management tools that can be similarly
+ abused by adversaries.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\n\nThe permissions required for this action vary by system configuration;
+ local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or
+ to access specific functionality."
guid: 2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a
name: Deploy 7-Zip Using Chocolatey
tactic:
diff --git a/yml/21caf58e-87ad-440c-a6b8-3ac259964003.yml b/yml/21caf58e-87ad-440c-a6b8-3ac259964003.yml
index ddca8715..50adeb94 100644
--- a/yml/21caf58e-87ad-440c-a6b8-3ac259964003.yml
+++ b/yml/21caf58e-87ad-440c-a6b8-3ac259964003.yml
@@ -1,6 +1,6 @@
Attack_name: Encrypted Channel
-Attack_description: Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite
- the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
+Attack_description: Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the
+ use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
guid: 21caf58e-87ad-440c-a6b8-3ac259964003
name: OpenSSL C2
tactic:
diff --git a/yml/228c7498-be31-48e9-83b7-9cb906504ec8.yml b/yml/228c7498-be31-48e9-83b7-9cb906504ec8.yml
index 4fc37f97..8f6fbcfe 100644
--- a/yml/228c7498-be31-48e9-83b7-9cb906504ec8.yml
+++ b/yml/228c7498-be31-48e9-83b7-9cb906504ec8.yml
@@ -2,6 +2,8 @@ Attack_name: 'Create Account: Cloud Account'
Attack_description: |-
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
+ In addition to user accounts, cloud accounts may be associated with services. Cloud providers handle the concept of service accounts in different ways. In Azure, service accounts include service principals and managed identities, which can be linked to various resources such as OAuth applications, serverless functions, and virtual machines in order to grant those resources permissions to perform various activities in the environment.(Citation: Microsoft Entra ID Service Principals) In GCP, service accounts can also be linked to specific resources, as well as be impersonated by other accounts for [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005).(Citation: GCP Service Accounts) While AWS has no specific concept of service accounts, resources can be directly granted permission to assume roles.(Citation: AWS Instance Profiles)(Citation: AWS Lambda Execution Role)
+
Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.
Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) or assigning [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).
diff --git a/yml/234f9b7c-b53d-4f32-897b-b880a6c9ea7b.yml b/yml/234f9b7c-b53d-4f32-897b-b880a6c9ea7b.yml
index 783d9ba4..ae5cfee9 100644
--- a/yml/234f9b7c-b53d-4f32-897b-b880a6c9ea7b.yml
+++ b/yml/234f9b7c-b53d-4f32-897b-b880a6c9ea7b.yml
@@ -1,7 +1,7 @@
Attack_name: Credentials from Password Stores
-Attack_description: Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application
- holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults.
- Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
+Attack_description: 'Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending
+ on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password
+ managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.'
guid: 234f9b7c-b53d-4f32-897b-b880a6c9ea7b
name: Extract Windows Credential Manager via VBA
tactic:
diff --git a/yml/23b91cd2-c99c-4002-9e41-317c63e024a2.yml b/yml/23b91cd2-c99c-4002-9e41-317c63e024a2.yml
index 16e81d7c..2e9fc309 100644
--- a/yml/23b91cd2-c99c-4002-9e41-317c63e024a2.yml
+++ b/yml/23b91cd2-c99c-4002-9e41-317c63e024a2.yml
@@ -1,10 +1,10 @@
Attack_name: 'Software Discovery: Security Software Discovery'
Attack_description: |-
- Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query
with [Reg](https://attack.mitre.org/software/S0075), dir
with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
- Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the DescribeSecurityGroups
action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)
+ Adversaries may also utilize the [Cloud API](https://attack.mitre.org/techniques/T1059/009) to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.
guid: 23b91cd2-c99c-4002-9e41-317c63e024a2
name: Security Software Discovery - ps (Linux)
tactic:
diff --git a/yml/2536dee2-12fb-459a-8c37-971844fa73be.yml b/yml/2536dee2-12fb-459a-8c37-971844fa73be.yml
index 4779a13c..100bd51c 100644
--- a/yml/2536dee2-12fb-459a-8c37-971844fa73be.yml
+++ b/yml/2536dee2-12fb-459a-8c37-971844fa73be.yml
@@ -13,10 +13,11 @@ Attack_description: |
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
- Built-in Windows tools such as comsvcs.dll can also be used:
+ Built-in Windows tools such as `comsvcs.dll` can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full
(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
+ Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
diff --git a/yml/263ba6cb-ea2b-41c9-9d4e-b652dadd002c.yml b/yml/263ba6cb-ea2b-41c9-9d4e-b652dadd002c.yml
index 7323c830..19d07a72 100644
--- a/yml/263ba6cb-ea2b-41c9-9d4e-b652dadd002c.yml
+++ b/yml/263ba6cb-ea2b-41c9-9d4e-b652dadd002c.yml
@@ -11,6 +11,7 @@ Attack_description: |-
* wbadmin.exe
can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe
can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
* REAgentC.exe
can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
+ * diskshadow.exe
can be used to delete all volume shadow copies on a system - diskshadow delete shadows all
(Citation: Diskshadow) (Citation: Crytox Ransomware)
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
diff --git a/yml/26a6b840-4943-4965-8df5-ef1f9a282440.yml b/yml/26a6b840-4943-4965-8df5-ef1f9a282440.yml
index 3fdd2d0c..b30f0215 100644
--- a/yml/26a6b840-4943-4965-8df5-ef1f9a282440.yml
+++ b/yml/26a6b840-4943-4965-8df5-ef1f9a282440.yml
@@ -4,7 +4,9 @@ Attack_description: |-
Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)
- There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)
+ There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on [User Execution](https://attack.mitre.org/techniques/T1204) by tricking victims into running malicious JavaScript in their browser.(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+
+ There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (e.g., [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)
After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.
guid: 26a6b840-4943-4965-8df5-ef1f9a282440
diff --git a/yml/29786d7e-8916-4de6-9c55-be7b093b2706.yml b/yml/29786d7e-8916-4de6-9c55-be7b093b2706.yml
index 7f582cc3..b29a44ec 100644
--- a/yml/29786d7e-8916-4de6-9c55-be7b093b2706.yml
+++ b/yml/29786d7e-8916-4de6-9c55-be7b093b2706.yml
@@ -1,8 +1,8 @@
Attack_name: 'Event Triggered Execution: Windows Management Instrumentation Event Subscription'
Attack_description: |-
- Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime.(Citation: Mandiant M-Trends 2015)
+ Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015)
- Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)
+ Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts – using `mofcomp.exe` –into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)
WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.
guid: 29786d7e-8916-4de6-9c55-be7b093b2706
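Review bot: The new sentence about MOF compilation has a spacing defect: `compile WMI scripts – using `mofcomp.exe` –into Windows Management Object (MOF) files` is missing the space after the closing dash, which reads as a typo in the rendered description. If this text is a verbatim sync of the upstream ATT&CK description the fix belongs upstream and should not be hand-edited here, otherwise change it to `– using `mofcomp.exe` – into`. The rest of the hunk (the `user loging` → `user login` correction) looks right.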
diff --git a/yml/29e0afca-8d1d-471a-8d34-25512fc48315.yml b/yml/29e0afca-8d1d-471a-8d34-25512fc48315.yml
index 8a6b354c..d0a8062f 100644
--- a/yml/29e0afca-8d1d-471a-8d34-25512fc48315.yml
+++ b/yml/29e0afca-8d1d-471a-8d34-25512fc48315.yml
@@ -2,9 +2,9 @@ Attack_name: Time Providers
Attack_description: |-
Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider)
- Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\
.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider)
+ Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\`.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider)
- Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017)
+ Adversaries may abuse this architecture to establish persistence, specifically by creating a new arbitrarily named subkey pointing to a malicious DLL in the `DllName` value. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017)
guid: 29e0afca-8d1d-471a-8d34-25512fc48315
name: Edit an existing time provider
tactic:
diff --git a/yml/2b080b99-0deb-4d51-af0f-833d37c4ca6a.yml b/yml/2b080b99-0deb-4d51-af0f-833d37c4ca6a.yml
index 27d29ac5..d02aa33f 100644
--- a/yml/2b080b99-0deb-4d51-af0f-833d37c4ca6a.yml
+++ b/yml/2b080b99-0deb-4d51-af0f-833d37c4ca6a.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 2b080b99-0deb-4d51-af0f-833d37c4ca6a
name: Curl Download File
tactic:
diff --git a/yml/2b162bfd-0928-4d4c-9ec3-4d9f88374b52.yml b/yml/2b162bfd-0928-4d4c-9ec3-4d9f88374b52.yml
index e66241fe..a08d8d9f 100644
--- a/yml/2b162bfd-0928-4d4c-9ec3-4d9f88374b52.yml
+++ b/yml/2b162bfd-0928-4d4c-9ec3-4d9f88374b52.yml
@@ -1,12 +1,10 @@
Attack_name: 'Input Capture: GUI Input Capture'
-Attack_description: "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges
- than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account
- Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic
- normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via
- various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs)
- and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On
- Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation:
- Spoofing credential dialogs) "
+Attack_description: |-
+ Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).
+
+ Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs)
+
+ Adversaries may also mimic common software authentication requests, such as those from browsers or email clients. This may also be paired with user activity monitoring (i.e., [Browser Information Discovery](https://attack.mitre.org/techniques/T1217) and/or [Application Window Discovery](https://attack.mitre.org/techniques/T1010)) to spoof prompts when users are naturally accessing sensitive sites/data.
guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52
name: PowerShell - Prompt User for Password
tactic:
diff --git a/yml/2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17.yml b/yml/2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17.yml
index a206cbd3..171a3002 100644
--- a/yml/2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17.yml
+++ b/yml/2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17.yml
@@ -2,7 +2,7 @@ Attack_name: 'Unsecured Credentials: Credentials In Files'
Attack_description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
- It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)
+ It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP)
In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)
guid: 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
diff --git a/yml/2ca61766-b456-4fcf-a35a-1233685e1cad.yml b/yml/2ca61766-b456-4fcf-a35a-1233685e1cad.yml
index e60b4c8a..bf0ec753 100644
--- a/yml/2ca61766-b456-4fcf-a35a-1233685e1cad.yml
+++ b/yml/2ca61766-b456-4fcf-a35a-1233685e1cad.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 2ca61766-b456-4fcf-a35a-1233685e1cad
name: OSTAP Worming Activity
tactic:
diff --git a/yml/3180f7d5-52c0-4493-9ea0-e3431a84773f.yml b/yml/3180f7d5-52c0-4493-9ea0-e3431a84773f.yml
index c965310b..85b1376d 100644
--- a/yml/3180f7d5-52c0-4493-9ea0-e3431a84773f.yml
+++ b/yml/3180f7d5-52c0-4493-9ea0-e3431a84773f.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 3180f7d5-52c0-4493-9ea0-e3431a84773f
name: rsync remote file copy (pull)
tactic:
diff --git a/yml/319e9f6c-7a9e-432e-8c62-9385c803b6f2.yml b/yml/319e9f6c-7a9e-432e-8c62-9385c803b6f2.yml
index 80cb5630..123d45bc 100644
--- a/yml/319e9f6c-7a9e-432e-8c62-9385c803b6f2.yml
+++ b/yml/319e9f6c-7a9e-432e-8c62-9385c803b6f2.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Local Account'
Attack_description: |-
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
- Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
+ Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
guid: 319e9f6c-7a9e-432e-8c62-9385c803b6f2
name: Enumerate users and groups
tactic:
diff --git a/yml/33a29ab1-cabb-407f-9448-269041bf2856.yml b/yml/33a29ab1-cabb-407f-9448-269041bf2856.yml
new file mode 100644
index 00000000..cd6a3b27
--- /dev/null
+++ b/yml/33a29ab1-cabb-407f-9448-269041bf2856.yml
@@ -0,0 +1,22 @@
+Attack_name: 'Impair Defenses: Disable or Modify Linux Audit System'
+Attack_description: |-
+ Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.
+
+ Often referred to as `auditd`, this is the name of the daemon used to write events to disk and is governed by the parameters set in the `audit.conf` configuration file. Two primary ways to configure the log generation rules are through the command line `auditctl` utility and the file `/etc/audit/audit.rules`, containing a sequence of `auditctl` commands loaded at boot time.(Citation: Red Hat System Auditing)(Citation: IzyKnows auditd threat detection 2022)
+
+ With root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with `auditd` daemon or use `systemctl` to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the `/etc/audit/audit.rules` or `audit.conf` files to ignore malicious activity.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014)
+guid: 33a29ab1-cabb-407f-9448-269041bf2856
+name: Delete all auditd rules using auditctl
+tactic:
+ - defense-evasion
+technique:
+ - T1562.012
+os:
+ - linux
+description: 'Using ''auditctl -D'' deletes all existing audit rules, resulting in the loss of previously configured monitoring settings and the audit trail. This action reduces visibility into system activities,
+ potentially leading to compliance concerns and hampering security monitoring efforts. Additionally, it poses a risk of covering unauthorized activities by erasing evidence from audit logs.
+
+ '
+executor: sh
+sigma: false
+sigma_rule: []
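Review bot: The new mapping ends with `sigma: false` and `sigma_rule: []`, so this auditd rule-deletion test is added with no detection rule attached, and nothing in the file records whether that gap is known or deliberate. Deleting all audit rules is exactly the kind of defense-evasion step a process-creation rule would be expected to cover, so if a matching rule exists upstream its id belongs in `sigma_rule` with `sigma: true`; if none exists yet, a short note in `description` such as `No Sigma rule currently covers this test; see coverage tracking.` makes the gap visible to whoever triages the mapping later. Also worth confirming that the description text copied from the upstream test is meant to keep its trailing blank line inside the quoted scalar, since the other entries in this patch close their descriptions directly after the last sentence.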
diff --git a/yml/348f4d14-4bd3-4f6b-bd8a-61237f78b3ac.yml b/yml/348f4d14-4bd3-4f6b-bd8a-61237f78b3ac.yml
index d1805c1c..3ba45be2 100644
--- a/yml/348f4d14-4bd3-4f6b-bd8a-61237f78b3ac.yml
+++ b/yml/348f4d14-4bd3-4f6b-bd8a-61237f78b3ac.yml
@@ -1,13 +1,15 @@
Attack_name: 'Valid Accounts: Cloud Accounts'
Attack_description: "Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those
created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely
- in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation:
- Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nService or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566),
- or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments.\n\nAn adversary may create long
- lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass
- security controls such as multi-factor authentication. \n\nCloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges
- through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended
- scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009)
+ in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. (Citation:
+ AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nService or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110),
+ [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated or synced accounts may be a pathway for the adversary to affect both on-premises
+ systems and cloud environments - for example, by leveraging shared credentials to log onto [Remote Services](https://attack.mitre.org/techniques/T1021). High privileged cloud accounts, whether federated,
+ synced, or cloud-only, may also allow pivoting to on-premises environments by leveraging SaaS-based [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) to run commands on hybrid-joined
+ devices.\n\nAn adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment.
+ Such credentials may also be used to bypass security controls such as multi-factor authentication. \n\nCloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)
+ or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions
+ outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009)
or other methods. \n"
guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
name: Azure Persistence Automation Runbook Created or Modified
diff --git a/yml/34f0a430-9d04-4d98-bcb5-1989f14719f0.yml b/yml/34f0a430-9d04-4d98-bcb5-1989f14719f0.yml
index ef87f68c..646f337f 100644
--- a/yml/34f0a430-9d04-4d98-bcb5-1989f14719f0.yml
+++ b/yml/34f0a430-9d04-4d98-bcb5-1989f14719f0.yml
@@ -1,6 +1,6 @@
Attack_name: 'Access Token Manipulation: Token Impersonation/Theft'
Attack_description: |-
- Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.
+ Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.
An adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.
diff --git a/yml/36753ded-e5c4-4eb5-bc3c-e8fba236878d.yml b/yml/36753ded-e5c4-4eb5-bc3c-e8fba236878d.yml
index eabde25e..f434979e 100644
--- a/yml/36753ded-e5c4-4eb5-bc3c-e8fba236878d.yml
+++ b/yml/36753ded-e5c4-4eb5-bc3c-e8fba236878d.yml
@@ -1,7 +1,7 @@
Attack_name: Credentials from Password Stores
-Attack_description: Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application
- holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults.
- Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
+Attack_description: 'Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending
+ on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password
+ managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.'
guid: 36753ded-e5c4-4eb5-bc3c-e8fba236878d
name: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]
tactic:
diff --git a/yml/367d4004-5fc0-446d-823f-960c74ae52c3.yml b/yml/367d4004-5fc0-446d-823f-960c74ae52c3.yml
index 5cc04bb7..187a9310 100644
--- a/yml/367d4004-5fc0-446d-823f-960c74ae52c3.yml
+++ b/yml/367d4004-5fc0-446d-823f-960c74ae52c3.yml
@@ -2,7 +2,7 @@ Attack_name: 'Unsecured Credentials: Credentials In Files'
Attack_description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
- It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)
+ It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP)
In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)
guid: 367d4004-5fc0-446d-823f-960c74ae52c3
diff --git a/yml/394012d9-2164-4d4f-b9e5-acf30ba933fe.yml b/yml/394012d9-2164-4d4f-b9e5-acf30ba933fe.yml
index a5d989b5..2ba21930 100644
--- a/yml/394012d9-2164-4d4f-b9e5-acf30ba933fe.yml
+++ b/yml/394012d9-2164-4d4f-b9e5-acf30ba933fe.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: 394012d9-2164-4d4f-b9e5-acf30ba933fe
name: Suspicious LAPS Attributes Query with Get-ADComputer all properties
tactic:
diff --git a/yml/39a295ca-7059-4a88-86f6-09556c1211e7.yml b/yml/39a295ca-7059-4a88-86f6-09556c1211e7.yml
index 40e2f73b..e8a16785 100644
--- a/yml/39a295ca-7059-4a88-86f6-09556c1211e7.yml
+++ b/yml/39a295ca-7059-4a88-86f6-09556c1211e7.yml
@@ -11,6 +11,7 @@ Attack_description: |-
* wbadmin.exe
can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe
can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
* REAgentC.exe
can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
+ * diskshadow.exe
can be used to delete all volume shadow copies on a system - diskshadow delete shadows all
(Citation: Diskshadow) (Citation: Crytox Ransomware)
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
diff --git a/yml/3a159042-69e6-4398-9a69-3308a4841c85.yml b/yml/3a159042-69e6-4398-9a69-3308a4841c85.yml
index be557ce3..6a790369 100644
--- a/yml/3a159042-69e6-4398-9a69-3308a4841c85.yml
+++ b/yml/3a159042-69e6-4398-9a69-3308a4841c85.yml
@@ -1,13 +1,15 @@
Attack_name: 'Valid Accounts: Cloud Accounts'
Attack_description: "Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those
created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely
- in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation:
- Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nService or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566),
- or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments.\n\nAn adversary may create long
- lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass
- security controls such as multi-factor authentication. \n\nCloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges
- through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended
- scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009)
+ in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. (Citation:
+ AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nService or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110),
+ [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated or synced accounts may be a pathway for the adversary to affect both on-premises
+ systems and cloud environments - for example, by leveraging shared credentials to log onto [Remote Services](https://attack.mitre.org/techniques/T1021). High privileged cloud accounts, whether federated,
+ synced, or cloud-only, may also allow pivoting to on-premises environments by leveraging SaaS-based [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) to run commands on hybrid-joined
+ devices.\n\nAn adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment.
+ Such credentials may also be used to bypass security controls such as multi-factor authentication. \n\nCloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)
+ or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions
+ outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009)
or other methods. \n"
guid: 3a159042-69e6-4398-9a69-3308a4841c85
name: GCP - Create Custom IAM Role
diff --git a/yml/3a95cdb2-c6ea-4761-b24e-02b71889b8bb.yml b/yml/3a95cdb2-c6ea-4761-b24e-02b71889b8bb.yml
index 17f20619..8bd54580 100644
--- a/yml/3a95cdb2-c6ea-4761-b24e-02b71889b8bb.yml
+++ b/yml/3a95cdb2-c6ea-4761-b24e-02b71889b8bb.yml
@@ -1,6 +1,6 @@
Attack_name: 'Command and Scripting Interpreter: Python'
Attack_description: |-
- Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe
interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.
+ Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe
interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)
Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.
guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
diff --git a/yml/3b0df731-030c-4768-b492-2a3216d90e53.yml b/yml/3b0df731-030c-4768-b492-2a3216d90e53.yml
index 27d0bb6c..42d2b571 100644
--- a/yml/3b0df731-030c-4768-b492-2a3216d90e53.yml
+++ b/yml/3b0df731-030c-4768-b492-2a3216d90e53.yml
@@ -2,7 +2,7 @@ Attack_name: Application Layer Protocol
Attack_description: "Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often
the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing,
transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH,
- or RDP. "
+ or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22) "
guid: 3b0df731-030c-4768-b492-2a3216d90e53
name: Telnet C2
tactic:
diff --git a/yml/3b3809b6-a54b-4f5b-8aff-cb51f2e97b34.yml b/yml/3b3809b6-a54b-4f5b-8aff-cb51f2e97b34.yml
index ad611698..398872f5 100644
--- a/yml/3b3809b6-a54b-4f5b-8aff-cb51f2e97b34.yml
+++ b/yml/3b3809b6-a54b-4f5b-8aff-cb51f2e97b34.yml
@@ -1,10 +1,11 @@
Attack_name: Process Discovery
-Attack_description: |-
- Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process
via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot
. In Mac and Linux, this is accomplished with the ps
command. Adversaries may also opt to enumerate processes via /proc.
-
- On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)
+Attack_description: "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on
+ systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057)
+ during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could
+ obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process
via [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot
. In Mac and Linux, this
+ is accomplished with the ps
command. Adversaries may also opt to enumerate processes via `/proc`. \n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+ commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)"
guid: 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34
name: Process Discovery - Get-Process
tactic:
diff --git a/yml/3c64f177-28e2-49eb-a799-d767b24dd1e0.yml b/yml/3c64f177-28e2-49eb-a799-d767b24dd1e0.yml
index 9ebe3aa4..813ab833 100644
--- a/yml/3c64f177-28e2-49eb-a799-d767b24dd1e0.yml
+++ b/yml/3c64f177-28e2-49eb-a799-d767b24dd1e0.yml
@@ -1,8 +1,8 @@
Attack_name: 'Event Triggered Execution: Windows Management Instrumentation Event Subscription'
Attack_description: |-
- Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime.(Citation: Mandiant M-Trends 2015)
+ Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015)
- Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)
+ Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts – using `mofcomp.exe` –into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)
WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.
guid: 3c64f177-28e2-49eb-a799-d767b24dd1e0
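Review bot: The second added line of this hunk reads `WMI scripts – using \`mofcomp.exe\` –into Windows Management Object (MOF) files`, with no space between the closing dash and `into`; the fix is `– into`. This description presumably mirrors the upstream ATT&CK technique text, so if the file is regenerated from that source the correction belongs upstream rather than in this YAML, otherwise it will be reintroduced on the next sync. The `loging` → `login` correction on the first changed line is fine.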
diff --git a/yml/3d456e2b-a7db-4af8-b5b3-720e7c4d9da5.yml b/yml/3d456e2b-a7db-4af8-b5b3-720e7c4d9da5.yml
index 56478a5e..86cc8f3c 100644
--- a/yml/3d456e2b-a7db-4af8-b5b3-720e7c4d9da5.yml
+++ b/yml/3d456e2b-a7db-4af8-b5b3-720e7c4d9da5.yml
@@ -1,14 +1,16 @@
Attack_name: Browser Extensions
-Attack_description: |-
- Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
-
- Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.
-
- Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles
tool to install malicious .mobileconfig
files. In macOS 11+, the use of the profiles
tool can no longer install configuration profiles, however .mobileconfig
files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)
-
- Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)
-
- There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)
+Attack_description: "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize
+ aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser
+ Extension)(Citation: Chrome Extensions Definition)\n\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering,
+ or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious
+ Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration
+ file to silently install additional extensions.\n\nPrevious to macOS 11, adversaries could silently install browser extensions via the command line using the profiles
tool to install malicious
+ .mobileconfig
files. In macOS 11+, the use of the profiles
tool can no longer install configuration profiles, however .mobileconfig
files can be planted and installed
+ with user interaction.(Citation: xorrior chrome extensions macOS)\n\nOnce the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser
+ (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals
+ Creds)(Citation: Catch All Chrome Extension)\n\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for [Command and Control](https://attack.mitre.org/tactics/TA0011).(Citation:
+ Stantinko Botnet)(Citation: Chrome Extension C2 Malware) Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for [Defense
+ Evasion](https://attack.mitre.org/tactics/TA0005).(Citation: Browers FriarFox)(Citation: Browser Adrozek) "
guid: 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5
name: Edge Chromium Addon - VPN
tactic:
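Review bot: The `Attack_description` scalar here changes from a `|-` block literal to a double-quoted, line-folded string with embedded `\n\n`, and the new value ends with a trailing space before the closing quote (`(Citation: Browser Adrozek) "`) that the old `|-` form did not carry. Other files touched by this same commit keep the `|-` form (yml/3c64f177-28e2-49eb-a799-d767b24dd1e0.yml, yml/41410c60-614d-4b9d-b66e-b0192dd9c597.yml), so the serialization style looks inconsistent across files; the same switch and trailing space appear in yml/3ecd790d-2617-4abf-9a8c-4e8d47da9ee1.yml. If the dump tool is picking the style per value, pinning a single block-literal style would keep these description diffs readable and avoid stray whitespace in the rendered text.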
diff --git a/yml/3ecd790d-2617-4abf-9a8c-4e8d47da9ee1.yml b/yml/3ecd790d-2617-4abf-9a8c-4e8d47da9ee1.yml
index 115c2024..2cd6a775 100644
--- a/yml/3ecd790d-2617-4abf-9a8c-4e8d47da9ee1.yml
+++ b/yml/3ecd790d-2617-4abf-9a8c-4e8d47da9ee1.yml
@@ -1,14 +1,16 @@
Attack_name: Browser Extensions
-Attack_description: |-
- Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
-
- Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.
-
- Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles
tool to install malicious .mobileconfig
files. In macOS 11+, the use of the profiles
tool can no longer install configuration profiles, however .mobileconfig
files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)
-
- Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)
-
- There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)
+Attack_description: "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize
+ aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser
+ Extension)(Citation: Chrome Extensions Definition)\n\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering,
+ or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious
+ Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration
+ file to silently install additional extensions.\n\nPrevious to macOS 11, adversaries could silently install browser extensions via the command line using the profiles
tool to install malicious
+ .mobileconfig
files. In macOS 11+, the use of the profiles
tool can no longer install configuration profiles, however .mobileconfig
files can be planted and installed
+ with user interaction.(Citation: xorrior chrome extensions macOS)\n\nOnce the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser
+ (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals
+ Creds)(Citation: Catch All Chrome Extension)\n\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for [Command and Control](https://attack.mitre.org/tactics/TA0011).(Citation:
+ Stantinko Botnet)(Citation: Chrome Extension C2 Malware) Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for [Defense
+ Evasion](https://attack.mitre.org/tactics/TA0005).(Citation: Browers FriarFox)(Citation: Browser Adrozek) "
guid: 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1
name: Chrome/Chromium (Developer Mode)
tactic:
diff --git a/yml/3fc9fea2-871d-414d-8ef6-02e85e322b80.yml b/yml/3fc9fea2-871d-414d-8ef6-02e85e322b80.yml
index 2138d967..b37a2e60 100644
--- a/yml/3fc9fea2-871d-414d-8ef6-02e85e322b80.yml
+++ b/yml/3fc9fea2-871d-414d-8ef6-02e85e322b80.yml
@@ -19,4 +19,4 @@ executor: command_prompt
sigma: true
sigma_rule:
- id: 52788a70-f1da-40dd-8fbd-73b5865d6568
- name: proc_creation_win_lolbin_jsc.yml
+ name: proc_creation_win_jsc_execution.yml
diff --git a/yml/41410c60-614d-4b9d-b66e-b0192dd9c597.yml b/yml/41410c60-614d-4b9d-b66e-b0192dd9c597.yml
index 3e703cea..6f373846 100644
--- a/yml/41410c60-614d-4b9d-b66e-b0192dd9c597.yml
+++ b/yml/41410c60-614d-4b9d-b66e-b0192dd9c597.yml
@@ -1,6 +1,6 @@
Attack_name: Archive Collected Data
Attack_description: |-
- An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
+ An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.
guid: 41410c60-614d-4b9d-b66e-b0192dd9c597
diff --git a/yml/419cca0c-fa52-4572-b0d7-bc7c6f388a27.yml b/yml/419cca0c-fa52-4572-b0d7-bc7c6f388a27.yml
index ee8a24b5..bafeb0e3 100644
--- a/yml/419cca0c-fa52-4572-b0d7-bc7c6f388a27.yml
+++ b/yml/419cca0c-fa52-4572-b0d7-bc7c6f388a27.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: 419cca0c-fa52-4572-b0d7-bc7c6f388a27
name: Tail the UFW firewall log file
tactic:
diff --git a/yml/42510244-5019-48fa-a0e5-66c3b76e6049.yml b/yml/42510244-5019-48fa-a0e5-66c3b76e6049.yml
index f5242e1e..847d977d 100644
--- a/yml/42510244-5019-48fa-a0e5-66c3b76e6049.yml
+++ b/yml/42510244-5019-48fa-a0e5-66c3b76e6049.yml
@@ -1,6 +1,6 @@
Attack_name: OS Credential Dumping
Attack_description: |
- Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
+ Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
guid: 42510244-5019-48fa-a0e5-66c3b76e6049
diff --git a/yml/42dc4460-9aa6-45d3-b1a6-3955d34e1fe8.yml b/yml/42dc4460-9aa6-45d3-b1a6-3955d34e1fe8.yml
index 8680ec1d..d472e4de 100644
--- a/yml/42dc4460-9aa6-45d3-b1a6-3955d34e1fe8.yml
+++ b/yml/42dc4460-9aa6-45d3-b1a6-3955d34e1fe8.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8
name: Windows - PowerShell Download
tactic:
diff --git a/yml/42e51815-a6cc-4c75-b970-3f0ff54b610e.yml b/yml/42e51815-a6cc-4c75-b970-3f0ff54b610e.yml
index 373fd2ed..d46f7133 100644
--- a/yml/42e51815-a6cc-4c75-b970-3f0ff54b610e.yml
+++ b/yml/42e51815-a6cc-4c75-b970-3f0ff54b610e.yml
@@ -3,8 +3,9 @@ Attack_description: "An adversary may use legitimate desktop support and remote
such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and
may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\n\nRemote access
software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They
- may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n \nAdversaries may similarly abuse response features included
- in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003))."
+ may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.\n \nAdversaries may similarly abuse response features included
+ in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).
+ Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)"
guid: 42e51815-a6cc-4c75-b970-3f0ff54b610e
name: UltraVNC Execution
tactic:
diff --git a/yml/437b2003-a20d-4ed8-834c-4964f24eec63.yml b/yml/437b2003-a20d-4ed8-834c-4964f24eec63.yml
index 872e27a0..bcda9eb7 100644
--- a/yml/437b2003-a20d-4ed8-834c-4964f24eec63.yml
+++ b/yml/437b2003-a20d-4ed8-834c-4964f24eec63.yml
@@ -2,7 +2,7 @@ Attack_name: 'OS Credential Dumping: Proc Filesystem'
Attack_description: |-
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
- When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns that are indicative of credentials, such as looking for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)
+ When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | cut -d' ' -f 1
, to look for fixed strings in memory structures or cached hashes.(Citation: atomic-red proc file system) When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)
If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.
guid: 437b2003-a20d-4ed8-834c-4964f24eec63
diff --git a/yml/43819286-91a9-4369-90ed-d31fb4da2c01.yml b/yml/43819286-91a9-4369-90ed-d31fb4da2c01.yml
index ffa8adf3..67482de6 100644
--- a/yml/43819286-91a9-4369-90ed-d31fb4da2c01.yml
+++ b/yml/43819286-91a9-4369-90ed-d31fb4da2c01.yml
@@ -11,6 +11,7 @@ Attack_description: |-
* wbadmin.exe
can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe
can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
* REAgentC.exe
can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
+ * diskshadow.exe
can be used to delete all volume shadow copies on a system - diskshadow delete shadows all
(Citation: Diskshadow) (Citation: Crytox Ransomware)
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
diff --git a/yml/4449c89b-ec82-43a4-89c1-91e2f1abeecc.yml b/yml/4449c89b-ec82-43a4-89c1-91e2f1abeecc.yml
index a480fba6..951359fa 100644
--- a/yml/4449c89b-ec82-43a4-89c1-91e2f1abeecc.yml
+++ b/yml/4449c89b-ec82-43a4-89c1-91e2f1abeecc.yml
@@ -2,7 +2,7 @@ Attack_name: Masquerading
Attack_description: |-
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
- Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.
+ Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)
guid: 4449c89b-ec82-43a4-89c1-91e2f1abeecc
name: Malware Masquerading and Execution from Zip File
tactic:
diff --git a/yml/453acf13-1dbd-47d7-b28a-172ce9228023.yml b/yml/453acf13-1dbd-47d7-b28a-172ce9228023.yml
index 348ca1ca..3263dee8 100644
--- a/yml/453acf13-1dbd-47d7-b28a-172ce9228023.yml
+++ b/yml/453acf13-1dbd-47d7-b28a-172ce9228023.yml
@@ -13,10 +13,11 @@ Attack_description: |
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
- Built-in Windows tools such as comsvcs.dll can also be used:
+ Built-in Windows tools such as `comsvcs.dll` can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full
(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
+ Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
diff --git a/yml/46f8dbe9-22a5-4770-8513-66119c5be63b.yml b/yml/46f8dbe9-22a5-4770-8513-66119c5be63b.yml
index 1e406bd0..988b4f53 100644
--- a/yml/46f8dbe9-22a5-4770-8513-66119c5be63b.yml
+++ b/yml/46f8dbe9-22a5-4770-8513-66119c5be63b.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: 46f8dbe9-22a5-4770-8513-66119c5be63b
name: Enumerate Active Directory for Unconstrained Delegation
tactic:
diff --git a/yml/47a539d1-61b9-4364-bf49-a68bc2a95ef0.yml b/yml/47a539d1-61b9-4364-bf49-a68bc2a95ef0.yml
index d193ff8b..59c869f5 100644
--- a/yml/47a539d1-61b9-4364-bf49-a68bc2a95ef0.yml
+++ b/yml/47a539d1-61b9-4364-bf49-a68bc2a95ef0.yml
@@ -13,10 +13,11 @@ Attack_description: |
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
- Built-in Windows tools such as comsvcs.dll can also be used:
+ Built-in Windows tools such as `comsvcs.dll` can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full
(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
+ Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
diff --git a/yml/491a4af6-a521-4b74-b23b-f7b3f1ee9e77.yml b/yml/491a4af6-a521-4b74-b23b-f7b3f1ee9e77.yml
index 0f0d5416..c69d3343 100644
--- a/yml/491a4af6-a521-4b74-b23b-f7b3f1ee9e77.yml
+++ b/yml/491a4af6-a521-4b74-b23b-f7b3f1ee9e77.yml
@@ -9,8 +9,10 @@ Attack_description: "Adversaries may create or modify Windows services to repeat
these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised
machine (known as \"Bring Your Own Vulnerable Driver\" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation:
Unit42 AcidBox June 2020)\n\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries
- may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade
- Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component)."
+ may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002).\n\nTo make detection analysis more challenging, malicious services may also incorporate [Masquerade
+ Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create ‘hidden’
+ services (i.e., [Hide Artifacts](https://attack.mitre.org/techniques/T1564)), for example by using the `sc sdset` command to set service permissions via the Service Descriptor Definition Language (SDDL).
+ This may hide a Windows service from the view of standard service enumeration methods such as `Get-Service`, `sc query`, and `services.exe`.(Citation: SANS 1)(Citation: SANS 2)"
guid: 491a4af6-a521-4b74-b23b-f7b3f1ee9e77
name: Service Installation PowerShell
tactic:
diff --git a/yml/49845fc1-7961-4590-a0f0-3dbcf065ae7e.yml b/yml/49845fc1-7961-4590-a0f0-3dbcf065ae7e.yml
index 63da6c46..0ab8da8a 100644
--- a/yml/49845fc1-7961-4590-a0f0-3dbcf065ae7e.yml
+++ b/yml/49845fc1-7961-4590-a0f0-3dbcf065ae7e.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 49845fc1-7961-4590-a0f0-3dbcf065ae7e
name: Printer Migration Command-Line Tool UNC share folder into a zip file
tactic:
diff --git a/yml/4a18cc4e-416f-4966-9a9d-75731c4684c0.yml b/yml/4a18cc4e-416f-4966-9a9d-75731c4684c0.yml
index a8325bf9..0870e75a 100644
--- a/yml/4a18cc4e-416f-4966-9a9d-75731c4684c0.yml
+++ b/yml/4a18cc4e-416f-4966-9a9d-75731c4684c0.yml
@@ -3,8 +3,9 @@ Attack_description: "An adversary may use legitimate desktop support and remote
such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and
may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\n\nRemote access
software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They
- may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n \nAdversaries may similarly abuse response features included
- in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003))."
+ may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.\n \nAdversaries may similarly abuse response features included
+ in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).
+ Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)"
guid: 4a18cc4e-416f-4966-9a9d-75731c4684c0
name: ScreenConnect Application Download and Install on Windows
tactic:
diff --git a/yml/4a233a40-caf7-4cf1-890a-c6331bbc72cf.yml b/yml/4a233a40-caf7-4cf1-890a-c6331bbc72cf.yml
index abfecdf2..c8f5b124 100644
--- a/yml/4a233a40-caf7-4cf1-890a-c6331bbc72cf.yml
+++ b/yml/4a233a40-caf7-4cf1-890a-c6331bbc72cf.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include dir
, tree
, ls
, find
, and locate
.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. dir
, show flash
, and/or nvram
).(Citation: US-CERT-TA18-106A)
+
+ Some files and directories may require elevated or specific user permissions to access.
guid: 4a233a40-caf7-4cf1-890a-c6331bbc72cf
name: ESXi - Enumerate VMDKs available on an ESXi Host
tactic:
diff --git a/yml/4a41089a-48e0-47aa-82cb-5b81a463bc78.yml b/yml/4a41089a-48e0-47aa-82cb-5b81a463bc78.yml
index 64a8c6b4..7e5ed61f 100644
--- a/yml/4a41089a-48e0-47aa-82cb-5b81a463bc78.yml
+++ b/yml/4a41089a-48e0-47aa-82cb-5b81a463bc78.yml
@@ -6,11 +6,12 @@ Attack_description: "Adversaries may employ various system checks to detect and
[Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082),
and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware,
and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include
- generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nOther
- common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications,
- and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \n \n
- Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific
- readings from these devices.(Citation: Unit 42 OilRig Sept 2018)"
+ generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Once executed,
+ malware may also use [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) to check if it was saved in a folder or file with unexpected or even analysis-related naming artifacts such
+ as `malware`, `sample`, or `hash`.\n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings
+ relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port
+ to send commands and receive output. \n \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment.
+ Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)"
guid: 4a41089a-48e0-47aa-82cb-5b81a463bc78
name: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)
tactic:
diff --git a/yml/4b437357-f4e9-4c84-9fa6-9bcee6f826aa.yml b/yml/4b437357-f4e9-4c84-9fa6-9bcee6f826aa.yml
index c6b157fa..05a1070b 100644
--- a/yml/4b437357-f4e9-4c84-9fa6-9bcee6f826aa.yml
+++ b/yml/4b437357-f4e9-4c84-9fa6-9bcee6f826aa.yml
@@ -4,7 +4,9 @@ Attack_description: |-
Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)
- There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)
+ There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on [User Execution](https://attack.mitre.org/techniques/T1204) by tricking victims into running malicious JavaScript in their browser.(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+
+ There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (e.g., [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)
After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.
guid: 4b437357-f4e9-4c84-9fa6-9bcee6f826aa
diff --git a/yml/4c83940d-8ca5-4bb2-8100-f46dc914bc3f.yml b/yml/4c83940d-8ca5-4bb2-8100-f46dc914bc3f.yml
index 4aa35e83..9bdcf4ba 100644
--- a/yml/4c83940d-8ca5-4bb2-8100-f46dc914bc3f.yml
+++ b/yml/4c83940d-8ca5-4bb2-8100-f46dc914bc3f.yml
@@ -1,14 +1,16 @@
Attack_name: Browser Extensions
-Attack_description: |-
- Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
-
- Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.
-
- Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles
tool to install malicious .mobileconfig
files. In macOS 11+, the use of the profiles
tool can no longer install configuration profiles, however .mobileconfig
files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)
-
- Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)
-
- There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)
+Attack_description: "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize
+ aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser
+ Extension)(Citation: Chrome Extensions Definition)\n\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering,
+ or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious
+ Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration
+ file to silently install additional extensions.\n\nPrevious to macOS 11, adversaries could silently install browser extensions via the command line using the profiles
tool to install malicious
+ .mobileconfig
files. In macOS 11+, the use of the profiles
tool can no longer install configuration profiles, however .mobileconfig
files can be planted and installed
+ with user interaction.(Citation: xorrior chrome extensions macOS)\n\nOnce the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser
+ (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals
+ Creds)(Citation: Catch All Chrome Extension)\n\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for [Command and Control](https://attack.mitre.org/tactics/TA0011).(Citation:
+ Stantinko Botnet)(Citation: Chrome Extension C2 Malware) Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for [Defense
+ Evasion](https://attack.mitre.org/tactics/TA0005).(Citation: Browers FriarFox)(Citation: Browser Adrozek) "
guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
name: Chrome/Chromium (Chrome Web Store)
tactic:
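Review bot: The Attack_description here is switched from a `|-` literal block scalar to a line-wrapped double-quoted string with `\n\n` escapes, while sibling files touched by the same commit keep the block form (4a233a40, 4b437357, 4e524c4e, 51005ac7, 515575ab); the same switch happens in 4ff64f0b. The quoted form splits markdown links and `(Citation: …)` markers across physical lines, so later diffs of this prose get noisier and the two scalar styles now coexist in the corpus. If these files come out of a YAML dumper, this is presumably its default for long strings, and pinning the block style (or a wider line width) for this key in the generator would keep the files uniform; otherwise keeping `Attack_description: |-` with the paragraphs as literal lines would match the rest of the set.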
diff --git a/yml/4d77f913-56f5-4a14-b4b1-bf7bb24298ad.yml b/yml/4d77f913-56f5-4a14-b4b1-bf7bb24298ad.yml
index 0d8ddc58..96a078ba 100644
--- a/yml/4d77f913-56f5-4a14-b4b1-bf7bb24298ad.yml
+++ b/yml/4d77f913-56f5-4a14-b4b1-bf7bb24298ad.yml
@@ -6,7 +6,8 @@ Attack_description: "An adversary may add additional roles or permissions to an
or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation,
particularly if the roles added allow for lateral movement to additional accounts.\n\nFor example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion
API to define a new version of an IAM policy or the AttachUserPolicy
API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security
- Labs AWS Privilege Escalation)"
+ Labs AWS Privilege Escalation)\n\nIn some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside
+ the victim tenant without requiring the adversary to [Create Account](https://attack.mitre.org/techniques/T1136) or modify a victim-owned account.(Citation: Invictus IR DangerDev 2024)"
guid: 4d77f913-56f5-4a14-b4b1-bf7bb24298ad
name: Azure AD - Add Company Administrator Role to a user
tactic:
diff --git a/yml/4e524c4e-0e02-49aa-8df5-93f3f7959b9f.yml b/yml/4e524c4e-0e02-49aa-8df5-93f3f7959b9f.yml
index 192c25d0..d8fa172d 100644
--- a/yml/4e524c4e-0e02-49aa-8df5-93f3f7959b9f.yml
+++ b/yml/4e524c4e-0e02-49aa-8df5-93f3f7959b9f.yml
@@ -2,7 +2,7 @@ Attack_name: Group Policy Discovery
Attack_description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
- Adversaries may use commands such as gpresult
or various publicly available PowerShell functions, such as Get-DomainGPO
and Get-DomainGPOLocalGroup
, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.
+ Adversaries may use commands such as gpresult
or various publicly available PowerShell functions, such as Get-DomainGPO
and Get-DomainGPOLocalGroup
, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain or Tenant Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.
guid: 4e524c4e-0e02-49aa-8df5-93f3f7959b9f
name: Get-DomainGPO to display group policy information via PowerView
tactic:
diff --git a/yml/4ff64f0b-aaf2-4866-b39d-38d9791407cc.yml b/yml/4ff64f0b-aaf2-4866-b39d-38d9791407cc.yml
index 403dab7d..75e8c2f4 100644
--- a/yml/4ff64f0b-aaf2-4866-b39d-38d9791407cc.yml
+++ b/yml/4ff64f0b-aaf2-4866-b39d-38d9791407cc.yml
@@ -1,10 +1,11 @@
Attack_name: Process Discovery
-Attack_description: |-
- Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process
via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot
. In Mac and Linux, this is accomplished with the ps
command. Adversaries may also opt to enumerate processes via /proc.
-
- On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)
+Attack_description: "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on
+ systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057)
+ during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could
+ obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process
via [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot
. In Mac and Linux, this
+ is accomplished with the ps
command. Adversaries may also opt to enumerate processes via `/proc`. \n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+ commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)"
guid: 4ff64f0b-aaf2-4866-b39d-38d9791407cc
name: Process Discovery - ps
tactic:
diff --git a/yml/502a7dc4-9d6f-4d28-abf2-f0e84692562d.yml b/yml/502a7dc4-9d6f-4d28-abf2-f0e84692562d.yml
index 80681685..8440df36 100644
--- a/yml/502a7dc4-9d6f-4d28-abf2-f0e84692562d.yml
+++ b/yml/502a7dc4-9d6f-4d28-abf2-f0e84692562d.yml
@@ -6,11 +6,12 @@ Attack_description: "Adversaries may employ various system checks to detect and
[Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082),
and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware,
and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include
- generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nOther
- common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications,
- and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \n \n
- Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific
- readings from these devices.(Citation: Unit 42 OilRig Sept 2018)"
+ generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Once executed,
+ malware may also use [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) to check if it was saved in a folder or file with unexpected or even analysis-related naming artifacts such
+ as `malware`, `sample`, or `hash`.\n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings
+ relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port
+ to send commands and receive output. \n \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment.
+ Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)"
guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d
name: Detect Virtualization Environment (Windows)
tactic:
diff --git a/yml/51005ac7-52e2-45e0-bdab-d17c6d4916cd.yml b/yml/51005ac7-52e2-45e0-bdab-d17c6d4916cd.yml
index 2e1f777d..48b9446f 100644
--- a/yml/51005ac7-52e2-45e0-bdab-d17c6d4916cd.yml
+++ b/yml/51005ac7-52e2-45e0-bdab-d17c6d4916cd.yml
@@ -2,7 +2,7 @@ Attack_name: Masquerading
Attack_description: |-
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
- Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.
+ Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)
guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd
name: System File Copied to Unusual Location
tactic:
diff --git a/yml/515575ab-d213-42b1-aa64-ef6a2dd4641b.yml b/yml/515575ab-d213-42b1-aa64-ef6a2dd4641b.yml
index f74236e7..69cc84d6 100644
--- a/yml/515575ab-d213-42b1-aa64-ef6a2dd4641b.yml
+++ b/yml/515575ab-d213-42b1-aa64-ef6a2dd4641b.yml
@@ -1,10 +1,10 @@
Attack_name: Network Sniffing
Attack_description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+ Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
diff --git a/yml/51a98f96-0269-4e09-a10f-e307779a8b05.yml b/yml/51a98f96-0269-4e09-a10f-e307779a8b05.yml
index e603bcab..13bff2a9 100644
--- a/yml/51a98f96-0269-4e09-a10f-e307779a8b05.yml
+++ b/yml/51a98f96-0269-4e09-a10f-e307779a8b05.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: 51a98f96-0269-4e09-a10f-e307779a8b05
name: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd
tactic:
diff --git a/yml/52778a8f-a10b-41a4-9eae-52ddb74072bf.yml b/yml/52778a8f-a10b-41a4-9eae-52ddb74072bf.yml
index 2adf2828..37c43c9e 100644
--- a/yml/52778a8f-a10b-41a4-9eae-52ddb74072bf.yml
+++ b/yml/52778a8f-a10b-41a4-9eae-52ddb74072bf.yml
@@ -2,7 +2,7 @@ Attack_name: Group Policy Discovery
Attack_description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
- Adversaries may use commands such as gpresult
or various publicly available PowerShell functions, such as Get-DomainGPO
and Get-DomainGPOLocalGroup
, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.
+ Adversaries may use commands such as gpresult
or various publicly available PowerShell functions, such as Get-DomainGPO
and Get-DomainGPOLocalGroup
, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain or Tenant Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.
guid: 52778a8f-a10b-41a4-9eae-52ddb74072bf
name: MSFT Get-GPO Cmdlet
tactic:
diff --git a/yml/53ead5db-7098-4111-bb3f-563be390e72e.yml b/yml/53ead5db-7098-4111-bb3f-563be390e72e.yml
index 4d920e3b..d3232d24 100644
--- a/yml/53ead5db-7098-4111-bb3f-563be390e72e.yml
+++ b/yml/53ead5db-7098-4111-bb3f-563be390e72e.yml
@@ -1,11 +1,13 @@
Attack_name: System Time Discovery
Attack_description: |-
- An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet Windows Time Service)
+ An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or systemsetup
on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)
- System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname
to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz
.(Citation: Technet Windows Time Service)
+ System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname
to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz
.(Citation: Technet Windows Time Service) In addition, adversaries can discover device uptime through functions such as GetTickCount()
to determine how long it has been since the system booted up.(Citation: Virtualization/Sandbox Evasion)
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)
+ In addition, system calls – such as time()
– have been used to collect the current time on Linux devices.(Citation: MAGNET GOBLIN) On macOS systems, adversaries may use commands such as systemsetup -gettimezone
or timeIntervalSinceNow
to gather current time zone information or current date and time.(Citation: System Information Discovery Technique)(Citation: ESET DazzleSpy Jan 2022)
+
This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)
guid: 53ead5db-7098-4111-bb3f-563be390e72e
name: System Time with Windows time Command
diff --git a/yml/54782d65-12f0-47a5-b4c1-b70ee23de6df.yml b/yml/54782d65-12f0-47a5-b4c1-b70ee23de6df.yml
index 88849e3b..0b29b272 100644
--- a/yml/54782d65-12f0-47a5-b4c1-b70ee23de6df.yml
+++ b/yml/54782d65-12f0-47a5-b4c1-b70ee23de6df.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 54782d65-12f0-47a5-b4c1-b70ee23de6df
name: Lolbas replace.exe use to copy file
tactic:
diff --git a/yml/54a4daf1-71df-4383-9ba7-f1a295d8b6d2.yml b/yml/54a4daf1-71df-4383-9ba7-f1a295d8b6d2.yml
index e316a4b2..6c560f4a 100644
--- a/yml/54a4daf1-71df-4383-9ba7-f1a295d8b6d2.yml
+++ b/yml/54a4daf1-71df-4383-9ba7-f1a295d8b6d2.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2
name: File Download via PowerShell
tactic:
diff --git a/yml/5598f7cb-cf43-455e-883a-f6008c5d46af.yml b/yml/5598f7cb-cf43-455e-883a-f6008c5d46af.yml
index ef454862..1dcb61c9 100644
--- a/yml/5598f7cb-cf43-455e-883a-f6008c5d46af.yml
+++ b/yml/5598f7cb-cf43-455e-883a-f6008c5d46af.yml
@@ -1,8 +1,9 @@
Attack_name: Account Manipulation
Attack_description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to
- a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password
- updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on
- systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
+ a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies,
+ such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already
+ have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
guid: 5598f7cb-cf43-455e-883a-f6008c5d46af
name: Admin Account Manipulate
tactic:
diff --git a/yml/562aa072-524e-459a-ba2b-91f1afccf5ab.yml b/yml/562aa072-524e-459a-ba2b-91f1afccf5ab.yml
index c5436134..beb740b3 100644
--- a/yml/562aa072-524e-459a-ba2b-91f1afccf5ab.yml
+++ b/yml/562aa072-524e-459a-ba2b-91f1afccf5ab.yml
@@ -1,6 +1,6 @@
Attack_name: 'Create Account: Domain Account'
Attack_description: |-
- Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain
command can be used to create a domain account.
+ Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain
command can be used to create a domain account.(Citation: Savill 1999)
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
guid: 562aa072-524e-459a-ba2b-91f1afccf5ab
diff --git a/yml/56506854-89d6-46a3-9804-b7fde90791f9.yml b/yml/56506854-89d6-46a3-9804-b7fde90791f9.yml
index a06dd861..69b20ae5 100644
--- a/yml/56506854-89d6-46a3-9804-b7fde90791f9.yml
+++ b/yml/56506854-89d6-46a3-9804-b7fde90791f9.yml
@@ -1,12 +1,12 @@
Attack_name: 'OS Credential Dumping: Cached Domain Credentials'
-Attack_description: |-
- Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)
-
- On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache)
-
- With SYSTEM access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py can be used to extract the cached credentials.
-
- Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)
+Attack_description: "Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)\n
+ \nOn Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies
+ and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation:
+ ired mscache)\n\nOn Linux systems, Active Directory credentials can be accessed through caches maintained by software like System Security Services Daemon (SSSD) or Quest Authentication Services (formerly
+ VAS). Cached credential hashes are typically located at `/var/lib/sss/db/cache.[domain].ldb` for SSSD or `/var/opt/quest/vas/authcache/vas_auth.vdb` for Quest. Adversaries can use utilities, such as `tdbdump`,
+ on these database files to dump the cached hashes and use [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to obtain the plaintext password.(Citation: Brining MimiKatz to Unix) \n\n
+ With SYSTEM or sudo access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py for Windows or Linikatz
+ for Linux can be used to extract the cached credentials.(Citation: Brining MimiKatz to Unix)\n\nNote: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)"
guid: 56506854-89d6-46a3-9804-b7fde90791f9
name: Cached Credential Dump via Cmdkey
tactic:
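Review bot: The `Attack_description` on the new side switches from the `|-` literal block to a double-quoted scalar, and two of its wraps land immediately after an escaped line break: the first line ends `Cached Creds)\n` and the next begins ` \nOn Windows`, and the `tdbdump` line ends `Unix) \n\n` before ` With SYSTEM or sudo access`. Under double-quoted folding each wrap contributes one space, so the parsed value gains a space-only line between the first two paragraphs and a leading space on the `With SYSTEM` paragraph — cosmetic for Markdown rendering, but noisy in diffs of generated files. The trigger appears to be the trailing space before `\n\n` in the upstream text, which stops the emitter from using block style; stripping trailing whitespace from each line before dumping would keep the readable `|-` form the neighbouring files use and remove the artifacts.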
diff --git a/yml/56b9589c-9170-4682-8c3d-33b86ecb5119.yml b/yml/56b9589c-9170-4682-8c3d-33b86ecb5119.yml
index 70757e5a..9d70416e 100644
--- a/yml/56b9589c-9170-4682-8c3d-33b86ecb5119.yml
+++ b/yml/56b9589c-9170-4682-8c3d-33b86ecb5119.yml
@@ -1,6 +1,8 @@
Attack_name: Reflective Code Loading
Attack_description: |-
- Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL)
+ Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., [Shared Modules](https://attack.mitre.org/techniques/T1129)).
+
+ Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL) For example, the `Assembly.Load()` method executed by [PowerShell](https://attack.mitre.org/techniques/T1059/001) may be abused to load raw code into the running process.(Citation: Microsoft AssemblyLoad)
Reflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)
guid: 56b9589c-9170-4682-8c3d-33b86ecb5119
diff --git a/yml/5750aa16-0e59-4410-8b9a-8a47ca2788e2.yml b/yml/5750aa16-0e59-4410-8b9a-8a47ca2788e2.yml
index 27a89b37..0169367a 100644
--- a/yml/5750aa16-0e59-4410-8b9a-8a47ca2788e2.yml
+++ b/yml/5750aa16-0e59-4410-8b9a-8a47ca2788e2.yml
@@ -1,8 +1,12 @@
Attack_name: Windows Management Instrumentation
Attack_description: |-
- Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)
+ Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
- An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
+ The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)
+
+ An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)
+
+ **Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
guid: 5750aa16-0e59-4410-8b9a-8a47ca2788e2
name: WMI Reconnaissance Processes
tactic:
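Review bot: The refreshed description now states that `wmic.exe` is disabled by default on Windows 11+ and will be removed, which directly affects the usefulness of this mapping if the `WMI Reconnaissance Processes` test and its Sigma rules key on `wmic.exe` command lines (the `sigma_rule` list is outside the hunk, so I cannot confirm that). When the rules are next touched, check that the same reconnaissance is also detected through the PowerShell WMI path the description names as the replacement interface, otherwise coverage for this technique will quietly degrade on current Windows builds.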
diff --git a/yml/584331dd-75bc-4c02-9e0b-17f5fd81c748.yml b/yml/584331dd-75bc-4c02-9e0b-17f5fd81c748.yml
index c9947aeb..76a64531 100644
--- a/yml/584331dd-75bc-4c02-9e0b-17f5fd81c748.yml
+++ b/yml/584331dd-75bc-4c02-9e0b-17f5fd81c748.yml
@@ -11,6 +11,7 @@ Attack_description: |-
* wbadmin.exe
can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe
can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
* REAgentC.exe
can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
+ * diskshadow.exe
can be used to delete all volume shadow copies on a system - diskshadow delete shadows all
(Citation: Diskshadow) (Citation: Crytox Ransomware)
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
diff --git a/yml/58bd8c8d-3a1a-4467-a69c-439c75469b07.yml b/yml/58bd8c8d-3a1a-4467-a69c-439c75469b07.yml
new file mode 100644
index 00000000..e85929ac
--- /dev/null
+++ b/yml/58bd8c8d-3a1a-4467-a69c-439c75469b07.yml
@@ -0,0 +1,22 @@
+Attack_name: Debugger Evasion
+Attack_description: |-
+ Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)
+
+ Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.
+
+ Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent()
and NtQueryInformationProcess()
, or manually checking the BeingDebugged
flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
+
+ Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW()
.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
+guid: 58bd8c8d-3a1a-4467-a69c-439c75469b07
+name: Detect a Debugger Presence in the Machine
+tactic:
+ - defense-evasion
+ - discovery
+technique:
+ - T1622
+os:
+ - windows
+description: Detecting a running debugger process or if the debugger is attached to a process via PowerShell
+executor: powershell
+sigma: false
+sigma_rule: []
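Review bot: The new T1622 mapping records no detection coverage (`sigma: false`, `sigma_rule: []`), and the `description` — `Detecting a running debugger process or if the debugger is attached to a process via PowerShell` — does not say which check the atomic performs, so a rule author cannot tell what to match on. Given `executor: powershell`, the likely log source for a future rule is PowerShell script-block logging, so stating the actual call the test makes (the `Attack_description` above already names `IsDebuggerPresent()` and `NtQueryInformationProcess()` as examples) would make the gap actionable; I cannot see the atomic's commands from here, so treat this as a verification request rather than a known defect.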
diff --git a/yml/59aa6f26-7620-417e-9318-589e0fb7a372.yml b/yml/59aa6f26-7620-417e-9318-589e0fb7a372.yml
index 24c60b99..a24b3b8f 100644
--- a/yml/59aa6f26-7620-417e-9318-589e0fb7a372.yml
+++ b/yml/59aa6f26-7620-417e-9318-589e0fb7a372.yml
@@ -1,8 +1,8 @@
Attack_name: Deploy a container
Attack_description: |-
- Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.
+ Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)
- Containers can be deployed by various means, such as via Docker's create
and start
APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)
+ Containers can be deployed by various means, such as via Docker's create
and start
APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)
guid: 59aa6f26-7620-417e-9318-589e0fb7a372
name: Deploy Docker container
tactic:
diff --git a/yml/5a3497a4-1568-4663-b12a-d4a5ed70c7d7.yml b/yml/5a3497a4-1568-4663-b12a-d4a5ed70c7d7.yml
index 5b9e189f..74bc2ce5 100644
--- a/yml/5a3497a4-1568-4663-b12a-d4a5ed70c7d7.yml
+++ b/yml/5a3497a4-1568-4663-b12a-d4a5ed70c7d7.yml
@@ -1,6 +1,6 @@
Attack_name: 'Create Account: Domain Account'
Attack_description: |-
- Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain
command can be used to create a domain account.
+ Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain
command can be used to create a domain account.(Citation: Savill 1999)
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
guid: 5a3497a4-1568-4663-b12a-d4a5ed70c7d7
diff --git a/yml/5b380e96-b0ef-4072-8a8e-f194cb9eb9ac.yml b/yml/5b380e96-b0ef-4072-8a8e-f194cb9eb9ac.yml
index 9b82ded7..5cd04aa3 100644
--- a/yml/5b380e96-b0ef-4072-8a8e-f194cb9eb9ac.yml
+++ b/yml/5b380e96-b0ef-4072-8a8e-f194cb9eb9ac.yml
@@ -1,7 +1,7 @@
Attack_name: Automated Exfiltration
-Attack_description: "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. \n\nWhen automated exfiltration is used,
- other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over
- Alternative Protocol](https://attack.mitre.org/techniques/T1048)."
+Attack_description: "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) \n\n
+ When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041)
+ and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)."
guid: 5b380e96-b0ef-4072-8a8e-f194cb9eb9ac
name: Exfiltration via Encrypted FTP
tactic:
diff --git a/yml/5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c.yml b/yml/5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c.yml
index da10e557..0acc4a3f 100644
--- a/yml/5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c.yml
+++ b/yml/5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c
name: File download via nscurl
tactic:
diff --git a/yml/5e2938fb-f919-47b6-8b29-2f6a1f718e99.yml b/yml/5e2938fb-f919-47b6-8b29-2f6a1f718e99.yml
index 60a6eaa7..c1a47c95 100644
--- a/yml/5e2938fb-f919-47b6-8b29-2f6a1f718e99.yml
+++ b/yml/5e2938fb-f919-47b6-8b29-2f6a1f718e99.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99
name: Adfind - Enumerate Active Directory Exchange AD Objects
tactic:
diff --git a/yml/5f507e45-8411-4f99-84e7-e38530c45d01.yml b/yml/5f507e45-8411-4f99-84e7-e38530c45d01.yml
index 79bbff59..b5f9f6c6 100644
--- a/yml/5f507e45-8411-4f99-84e7-e38530c45d01.yml
+++ b/yml/5f507e45-8411-4f99-84e7-e38530c45d01.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 5f507e45-8411-4f99-84e7-e38530c45d01
name: File download with finger.exe on Windows
tactic:
diff --git a/yml/5ff9d047-6e9c-4357-b39b-5cf89d9b59c7.yml b/yml/5ff9d047-6e9c-4357-b39b-5cf89d9b59c7.yml
index 9491214c..26b7bfed 100644
--- a/yml/5ff9d047-6e9c-4357-b39b-5cf89d9b59c7.yml
+++ b/yml/5ff9d047-6e9c-4357-b39b-5cf89d9b59c7.yml
@@ -1,8 +1,12 @@
Attack_name: 'Proxy: Multi-hop Proxy'
Attack_description: |-
- To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)
+ Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
- In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.
+ For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
+
+ In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
+
+ Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
guid: 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7
name: Tor Proxy Usage - Debian/Ubuntu/FreeBSD
tactic:
diff --git a/yml/634bd9b9-dc83-4229-b19f-7f83ba9ad313.yml b/yml/634bd9b9-dc83-4229-b19f-7f83ba9ad313.yml
index c6fb026c..f3300ba0 100644
--- a/yml/634bd9b9-dc83-4229-b19f-7f83ba9ad313.yml
+++ b/yml/634bd9b9-dc83-4229-b19f-7f83ba9ad313.yml
@@ -1,10 +1,10 @@
Attack_name: Automated Collection
Attack_description: "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command
- and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based
- environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote
- access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)
- to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify
- resources in cloud environments."
+ and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. \n\nIn cloud-based
+ environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.(Citation: Mandiant UNC3944 SMS
+ Phishing 2023) \n\nThis functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)
+ and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object
+ Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments."
guid: 634bd9b9-dc83-4229-b19f-7f83ba9ad313
name: Automated Collection PowerShell
tactic:
diff --git a/yml/635c9a38-6cbf-47dc-8615-3810bc1167cf.yml b/yml/635c9a38-6cbf-47dc-8615-3810bc1167cf.yml
index fe642378..3deff963 100644
--- a/yml/635c9a38-6cbf-47dc-8615-3810bc1167cf.yml
+++ b/yml/635c9a38-6cbf-47dc-8615-3810bc1167cf.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 635c9a38-6cbf-47dc-8615-3810bc1167cf
name: Curl Upload File
tactic:
diff --git a/yml/640cbf6d-659b-498b-ba53-f6dd1a1cc02c.yml b/yml/640cbf6d-659b-498b-ba53-f6dd1a1cc02c.yml
index 3583b455..a86746aa 100644
--- a/yml/640cbf6d-659b-498b-ba53-f6dd1a1cc02c.yml
+++ b/yml/640cbf6d-659b-498b-ba53-f6dd1a1cc02c.yml
@@ -1,10 +1,11 @@
Attack_name: Process Discovery
-Attack_description: |-
- Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process
via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot
. In Mac and Linux, this is accomplished with the ps
command. Adversaries may also opt to enumerate processes via /proc.
-
- On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)
+Attack_description: "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on
+ systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057)
+ during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could
+ obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process
via [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot
. In Mac and Linux, this
+ is accomplished with the ps
command. Adversaries may also opt to enumerate processes via `/proc`. \n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+ commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)"
guid: 640cbf6d-659b-498b-ba53-f6dd1a1cc02c
name: Process Discovery - wmic process
tactic:
diff --git a/yml/6502c8f0-b775-4dbd-9193-1298f56b6781.yml b/yml/6502c8f0-b775-4dbd-9193-1298f56b6781.yml
index f308651c..0df2416b 100644
--- a/yml/6502c8f0-b775-4dbd-9193-1298f56b6781.yml
+++ b/yml/6502c8f0-b775-4dbd-9193-1298f56b6781.yml
@@ -13,10 +13,11 @@ Attack_description: |
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
- Built-in Windows tools such as comsvcs.dll can also be used:
+ Built-in Windows tools such as `comsvcs.dll` can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full
(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
+ Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
diff --git a/yml/66e647d1-8741-4e43-b7c1-334760c2047f.yml b/yml/66e647d1-8741-4e43-b7c1-334760c2047f.yml
index 46a76682..93ed47b5 100644
--- a/yml/66e647d1-8741-4e43-b7c1-334760c2047f.yml
+++ b/yml/66e647d1-8741-4e43-b7c1-334760c2047f.yml
@@ -11,6 +11,7 @@ Attack_description: |-
* wbadmin.exe
can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe
can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
* REAgentC.exe
can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
+ * diskshadow.exe
can be used to delete all volume shadow copies on a system - diskshadow delete shadows all
(Citation: Diskshadow) (Citation: Crytox Ransomware)
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
diff --git a/yml/66ee226e-64cb-4dae-80e3-5bf5763e4a51.yml b/yml/66ee226e-64cb-4dae-80e3-5bf5763e4a51.yml
index 4fb7bf1f..c2076574 100644
--- a/yml/66ee226e-64cb-4dae-80e3-5bf5763e4a51.yml
+++ b/yml/66ee226e-64cb-4dae-80e3-5bf5763e4a51.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 66ee226e-64cb-4dae-80e3-5bf5763e4a51
name: Arbitrary file download using the Notepad++ GUP.exe binary
tactic:
diff --git a/yml/66fb0bc1-3c3f-47e9-a298-550ecfefacbc.yml b/yml/66fb0bc1-3c3f-47e9-a298-550ecfefacbc.yml
index 35944469..5cee76a4 100644
--- a/yml/66fb0bc1-3c3f-47e9-a298-550ecfefacbc.yml
+++ b/yml/66fb0bc1-3c3f-47e9-a298-550ecfefacbc.yml
@@ -13,10 +13,11 @@ Attack_description: |
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
- Built-in Windows tools such as comsvcs.dll can also be used:
+ Built-in Windows tools such as `comsvcs.dll` can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full
(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
+ Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
diff --git a/yml/68190529-069b-4ffc-a942-919704158065.yml b/yml/68190529-069b-4ffc-a942-919704158065.yml
index e8395a1c..8d54b5fa 100644
--- a/yml/68190529-069b-4ffc-a942-919704158065.yml
+++ b/yml/68190529-069b-4ffc-a942-919704158065.yml
@@ -1,8 +1,9 @@
Attack_name: Account Manipulation
Attack_description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to
- a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password
- updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on
- systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
+ a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies,
+ such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already
+ have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
guid: 68190529-069b-4ffc-a942-919704158065
name: 'Domain Password Policy Check: No Number in Password'
tactic:
diff --git a/yml/68981660-6670-47ee-a5fa-7e74806420a4.yml b/yml/68981660-6670-47ee-a5fa-7e74806420a4.yml
index 6ea2d968..10d6ffe0 100644
--- a/yml/68981660-6670-47ee-a5fa-7e74806420a4.yml
+++ b/yml/68981660-6670-47ee-a5fa-7e74806420a4.yml
@@ -2,6 +2,8 @@ Attack_name: Software Discovery
Attack_description: |-
Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Such software may be deployed widely across the environment for configuration management or security reasons, such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072), and may allow adversaries broad access to infect devices or move laterally.
+
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
guid: 68981660-6670-47ee-a5fa-7e74806420a4
name: Find and Display Internet Explorer Browser Version
diff --git a/yml/6a3ff8dd-f49c-4272-a658-11c2fe58bd88.yml b/yml/6a3ff8dd-f49c-4272-a658-11c2fe58bd88.yml
index 561d754f..5ea27463 100644
--- a/yml/6a3ff8dd-f49c-4272-a658-11c2fe58bd88.yml
+++ b/yml/6a3ff8dd-f49c-4272-a658-11c2fe58bd88.yml
@@ -11,6 +11,7 @@ Attack_description: |-
* wbadmin.exe
can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe
can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
* REAgentC.exe
can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
+ * diskshadow.exe
can be used to delete all volume shadow copies on a system - diskshadow delete shadows all
(Citation: Diskshadow) (Citation: Crytox Ransomware)
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
diff --git a/yml/6b1dbaf6-cc8a-4ea6-891f-6058569653bf.yml b/yml/6b1dbaf6-cc8a-4ea6-891f-6058569653bf.yml
index 38b048ea..a72b9be2 100644
--- a/yml/6b1dbaf6-cc8a-4ea6-891f-6058569653bf.yml
+++ b/yml/6b1dbaf6-cc8a-4ea6-891f-6058569653bf.yml
@@ -11,6 +11,7 @@ Attack_description: |-
* wbadmin.exe
can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe
can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
* REAgentC.exe
can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
+ * diskshadow.exe
can be used to delete all volume shadow copies on a system - diskshadow delete shadows all
(Citation: Diskshadow) (Citation: Crytox Ransomware)
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
diff --git a/yml/6b8b7391-5c0a-4f8c-baee-78d8ce0ce330.yml b/yml/6b8b7391-5c0a-4f8c-baee-78d8ce0ce330.yml
index 242365df..011a30e7 100644
--- a/yml/6b8b7391-5c0a-4f8c-baee-78d8ce0ce330.yml
+++ b/yml/6b8b7391-5c0a-4f8c-baee-78d8ce0ce330.yml
@@ -3,8 +3,9 @@ Attack_description: "An adversary may use legitimate desktop support and remote
such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and
may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\n\nRemote access
software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They
- may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n \nAdversaries may similarly abuse response features included
- in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003))."
+ may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.\n \nAdversaries may similarly abuse response features included
+ in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).
+ Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)"
guid: 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330
name: AnyDesk Files Detected Test on Windows
tactic:
diff --git a/yml/6c499943-b098-4bc6-8d38-0956fc182984.yml b/yml/6c499943-b098-4bc6-8d38-0956fc182984.yml
index 40f38594..65e9ef3d 100644
--- a/yml/6c499943-b098-4bc6-8d38-0956fc182984.yml
+++ b/yml/6c499943-b098-4bc6-8d38-0956fc182984.yml
@@ -6,7 +6,7 @@ Attack_description: |-
Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open)
- Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.
+ Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other containers running on the host, or setting up a command and control channel on the host.
guid: 6c499943-b098-4bc6-8d38-0956fc182984
name: Mount host filesystem to escape privileged Docker container
tactic:
diff --git a/yml/6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8.yml b/yml/6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8.yml
index 0c53f455..32d4066c 100644
--- a/yml/6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8.yml
+++ b/yml/6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8.yml
@@ -1,6 +1,6 @@
Attack_name: 'Command and Scripting Interpreter: Python'
Attack_description: |-
- Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe
interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.
+ Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe
interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)
Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.
guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
diff --git a/yml/6c7a4fd3-5b0b-4b30-a93e-39411b25d889.yml b/yml/6c7a4fd3-5b0b-4b30-a93e-39411b25d889.yml
index 6f864202..5d16db01 100644
--- a/yml/6c7a4fd3-5b0b-4b30-a93e-39411b25d889.yml
+++ b/yml/6c7a4fd3-5b0b-4b30-a93e-39411b25d889.yml
@@ -1,6 +1,6 @@
Attack_name: OS Credential Dumping
Attack_description: |
- Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
+ Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
guid: 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
diff --git a/yml/6e85bdf9-7bc4-4259-ac0f-f0cb39964443.yml b/yml/6e85bdf9-7bc4-4259-ac0f-f0cb39964443.yml
index 35ec1c44..57677a30 100644
--- a/yml/6e85bdf9-7bc4-4259-ac0f-f0cb39964443.yml
+++ b/yml/6e85bdf9-7bc4-4259-ac0f-f0cb39964443.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: 6e85bdf9-7bc4-4259-ac0f-f0cb39964443
name: Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property
tactic:
diff --git a/yml/6f5822d2-d38d-4f48-9bfc-916607ff6b8c.yml b/yml/6f5822d2-d38d-4f48-9bfc-916607ff6b8c.yml
index 0b1e400b..35e0e973 100644
--- a/yml/6f5822d2-d38d-4f48-9bfc-916607ff6b8c.yml
+++ b/yml/6f5822d2-d38d-4f48-9bfc-916607ff6b8c.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: 6f5822d2-d38d-4f48-9bfc-916607ff6b8c
name: Allow Executable Through Firewall Located in Non-Standard Location
tactic:
diff --git a/yml/6fbc9e68-5ad7-444a-bd11-8bf3136c477e.yml b/yml/6fbc9e68-5ad7-444a-bd11-8bf3136c477e.yml
index cafff7ae..2d5a06a3 100644
--- a/yml/6fbc9e68-5ad7-444a-bd11-8bf3136c477e.yml
+++ b/yml/6fbc9e68-5ad7-444a-bd11-8bf3136c477e.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: 6fbc9e68-5ad7-444a-bd11-8bf3136c477e
name: Enumerate all accounts (Domain)
tactic:
diff --git a/yml/6fdaae87-c05b-42f8-842e-991a74e8376b.yml b/yml/6fdaae87-c05b-42f8-842e-991a74e8376b.yml
index ddc280fd..1006a9d6 100644
--- a/yml/6fdaae87-c05b-42f8-842e-991a74e8376b.yml
+++ b/yml/6fdaae87-c05b-42f8-842e-991a74e8376b.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 6fdaae87-c05b-42f8-842e-991a74e8376b
name: certreq download
tactic:
diff --git a/yml/70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf.yml b/yml/70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf.yml
index d5bfa3f4..3b2a7c23 100644
--- a/yml/70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf.yml
+++ b/yml/70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf
name: MAZE Propagation Script
tactic:
diff --git a/yml/718aebaa-d0e0-471a-8241-c5afa69c7414.yml b/yml/718aebaa-d0e0-471a-8241-c5afa69c7414.yml
index e510c0be..25cd9636 100644
--- a/yml/718aebaa-d0e0-471a-8241-c5afa69c7414.yml
+++ b/yml/718aebaa-d0e0-471a-8241-c5afa69c7414.yml
@@ -1,8 +1,12 @@
Attack_name: Windows Management Instrumentation
Attack_description: |-
- Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)
+ Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
- An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
+ The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)
+
+ An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)
+
+ **Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
guid: 718aebaa-d0e0-471a-8241-c5afa69c7414
name: WMI Reconnaissance Software
tactic:
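Review bot: The new description's own note that `wmic.exe` is deprecated and disabled by default on Windows 11+ is a caveat this test entry (`name: WMI Reconnaissance Software`) should carry explicitly, because a test or a mapped detection that keys on the `wmic.exe` image will silently stop exercising anything on hosts where WMIC has been removed. The test command itself is outside this hunk, so whether it invokes wmic rather than `Get-CimInstance`/`Get-WmiObject` is inferred from the name; if it does, add a note next to the test such as `# NOTE: wmic.exe is disabled by default on Windows 11+; the PowerShell CIM cmdlets are the supported equivalent`. The description also drops the explicit "(DCOM)" and "(WinRM)" expansions that the removed line carried, which makes the port sentence that follows slightly harder to read on its own.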
diff --git a/yml/7230d01a-0a72-4bd5-9d7f-c6d472bc6a59.yml b/yml/7230d01a-0a72-4bd5-9d7f-c6d472bc6a59.yml
index f61c2581..540e9b11 100644
--- a/yml/7230d01a-0a72-4bd5-9d7f-c6d472bc6a59.yml
+++ b/yml/7230d01a-0a72-4bd5-9d7f-c6d472bc6a59.yml
@@ -2,7 +2,7 @@ Attack_name: Group Policy Discovery
Attack_description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
- Adversaries may use commands such as gpresult
or various publicly available PowerShell functions, such as Get-DomainGPO
and Get-DomainGPOLocalGroup
, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.
+ Adversaries may use commands such as gpresult
or various publicly available PowerShell functions, such as Get-DomainGPO
and Get-DomainGPOLocalGroup
, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain or Tenant Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.
guid: 7230d01a-0a72-4bd5-9d7f-c6d472bc6a59
name: WinPwn - GPORemoteAccessPolicy
tactic:
diff --git a/yml/736b4f53-f400-4c22-855d-1a6b5a551600.yml b/yml/736b4f53-f400-4c22-855d-1a6b5a551600.yml
index 8610d1e6..aa5fe91c 100644
--- a/yml/736b4f53-f400-4c22-855d-1a6b5a551600.yml
+++ b/yml/736b4f53-f400-4c22-855d-1a6b5a551600.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: 736b4f53-f400-4c22-855d-1a6b5a551600
name: Adfind -Listing password policy
tactic:
diff --git a/yml/75f66e03-37d3-4704-9520-3210efbe33ce.yml b/yml/75f66e03-37d3-4704-9520-3210efbe33ce.yml
index c0c01ba1..57bf4a8b 100644
--- a/yml/75f66e03-37d3-4704-9520-3210efbe33ce.yml
+++ b/yml/75f66e03-37d3-4704-9520-3210efbe33ce.yml
@@ -2,7 +2,7 @@ Attack_name: 'Unsecured Credentials: Credentials In Files'
Attack_description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
- It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)
+ It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP)
In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)
guid: 75f66e03-37d3-4704-9520-3210efbe33ce
diff --git a/yml/760fe8d2-79d9-494f-905e-a239a3df86f6.yml b/yml/760fe8d2-79d9-494f-905e-a239a3df86f6.yml
index 175d7674..584be557 100644
--- a/yml/760fe8d2-79d9-494f-905e-a239a3df86f6.yml
+++ b/yml/760fe8d2-79d9-494f-905e-a239a3df86f6.yml
@@ -8,7 +8,7 @@ Attack_description: "Adversaries may create or modify systemd services to repeat
start.\n* `ExecReload` directive executes when a service restarts. \n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. \n\nAdversaries have created new service
files, altered the commands a `.service` file’s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place
symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation:
- Rapid7 Service Persistence 22JUNE2016) "
+ Rapid7 Service Persistence 22JUNE2016) \n\nThe .service file’s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions. "
guid: 760fe8d2-79d9-494f-905e-a239a3df86f6
name: Create SysV Service
tactic:
diff --git a/yml/76628574-0bc1-4646-8fe2-8f4427b47d15.yml b/yml/76628574-0bc1-4646-8fe2-8f4427b47d15.yml
index d4c9bfbc..b5c7d3ca 100644
--- a/yml/76628574-0bc1-4646-8fe2-8f4427b47d15.yml
+++ b/yml/76628574-0bc1-4646-8fe2-8f4427b47d15.yml
@@ -1,12 +1,10 @@
Attack_name: 'Input Capture: GUI Input Capture'
-Attack_description: "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges
- than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account
- Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic
- normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via
- various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs)
- and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On
- Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation:
- Spoofing credential dialogs) "
+Attack_description: |-
+ Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).
+
+ Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs)
+
+ Adversaries may also mimic common software authentication requests, such as those from browsers or email clients. This may also be paired with user activity monitoring (i.e., [Browser Information Discovery](https://attack.mitre.org/techniques/T1217) and/or [Application Window Discovery](https://attack.mitre.org/techniques/T1010)) to spoof prompts when users are naturally accessing sensitive sites/data.
guid: 76628574-0bc1-4646-8fe2-8f4427b47d15
name: AppleScript - Prompt User for Password
tactic:
diff --git a/yml/7784c64e-ed0b-4b65-bf63-c86db229fd56.yml b/yml/7784c64e-ed0b-4b65-bf63-c86db229fd56.yml
index ab866e9f..2a975390 100644
--- a/yml/7784c64e-ed0b-4b65-bf63-c86db229fd56.yml
+++ b/yml/7784c64e-ed0b-4b65-bf63-c86db229fd56.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: 7784c64e-ed0b-4b65-bf63-c86db229fd56
name: Disable iptables
tactic:
diff --git a/yml/784d1349-5a26-4d20-af5e-d6af53bae460.yml b/yml/784d1349-5a26-4d20-af5e-d6af53bae460.yml
index aba79bb5..36af9471 100644
--- a/yml/784d1349-5a26-4d20-af5e-d6af53bae460.yml
+++ b/yml/784d1349-5a26-4d20-af5e-d6af53bae460.yml
@@ -1,8 +1,9 @@
Attack_name: Account Manipulation
Attack_description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to
- a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password
- updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on
- systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
+ a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies,
+ such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already
+ have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
guid: 784d1349-5a26-4d20-af5e-d6af53bae460
name: 'Domain Password Policy Check: Only Two Character Classes'
tactic:
diff --git a/yml/7906f0a6-b527-46ee-9026-6e81a9184e08.yml b/yml/7906f0a6-b527-46ee-9026-6e81a9184e08.yml
new file mode 100644
index 00000000..08564339
--- /dev/null
+++ b/yml/7906f0a6-b527-46ee-9026-6e81a9184e08.yml
@@ -0,0 +1,23 @@
+Attack_name: 'Impair Defenses: Disable or Modify Linux Audit System'
+Attack_description: |-
+ Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.
+
+ Often referred to as `auditd`, this is the name of the daemon used to write events to disk and is governed by the parameters set in the `audit.conf` configuration file. Two primary ways to configure the log generation rules are through the command line `auditctl` utility and the file `/etc/audit/audit.rules`, containing a sequence of `auditctl` commands loaded at boot time.(Citation: Red Hat System Auditing)(Citation: IzyKnows auditd threat detection 2022)
+
+ With root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with `auditd` daemon or use `systemctl` to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the `/etc/audit/audit.rules` or `audit.conf` files to ignore malicious activity.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014)
+guid: 7906f0a6-b527-46ee-9026-6e81a9184e08
+name: Disable auditd using auditctl
+tactic:
+ - defense-evasion
+technique:
+ - T1562.012
+os:
+ - linux
+description: 'The command `auditctl -e 0` disables the audit system. By setting the parameter to `0`, auditing is deactivated, halting the monitoring and recording of security-related events. This action
+ stops the generation of audit logs, ceasing the collection of data regarding system activities. Disabling auditing may be done for various reasons, such as troubleshooting, performance optimization, or
+ temporarily suspending auditing requirements, but it reduces visibility into system events and can impact security monitoring and compliance efforts.
+
+ '
+executor: sh
+sigma: false
+sigma_rule: []
diff --git a/yml/7a0895f0-84c1-4adf-8491-a21510b1d4c1.yml b/yml/7a0895f0-84c1-4adf-8491-a21510b1d4c1.yml
index 3525e741..748fbbb4 100644
--- a/yml/7a0895f0-84c1-4adf-8491-a21510b1d4c1.yml
+++ b/yml/7a0895f0-84c1-4adf-8491-a21510b1d4c1.yml
@@ -1,10 +1,10 @@
Attack_name: Network Sniffing
Attack_description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+ Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
diff --git a/yml/7a21cce2-6ada-4f7c-afd9-e1e9c481e44a.yml b/yml/7a21cce2-6ada-4f7c-afd9-e1e9c481e44a.yml
index 8d436ca2..2ee1dd19 100644
--- a/yml/7a21cce2-6ada-4f7c-afd9-e1e9c481e44a.yml
+++ b/yml/7a21cce2-6ada-4f7c-afd9-e1e9c481e44a.yml
@@ -1,6 +1,6 @@
Attack_name: Audio Capture
Attack_description: |-
- An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.
+ An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.
guid: 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a
diff --git a/yml/7a714703-9f6b-461c-b06d-e6aeac650f27.yml b/yml/7a714703-9f6b-461c-b06d-e6aeac650f27.yml
index 0e5b033b..c46652f4 100644
--- a/yml/7a714703-9f6b-461c-b06d-e6aeac650f27.yml
+++ b/yml/7a714703-9f6b-461c-b06d-e6aeac650f27.yml
@@ -1,14 +1,16 @@
Attack_name: Browser Extensions
-Attack_description: |-
- Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
-
- Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.
-
- Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles
tool to install malicious .mobileconfig
files. In macOS 11+, the use of the profiles
tool can no longer install configuration profiles, however .mobileconfig
files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)
-
- Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)
-
- There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)
+Attack_description: "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize
+ aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser
+ Extension)(Citation: Chrome Extensions Definition)\n\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering,
+ or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious
+ Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration
+ file to silently install additional extensions.\n\nPrevious to macOS 11, adversaries could silently install browser extensions via the command line using the profiles
tool to install malicious
+ .mobileconfig
files. In macOS 11+, the use of the profiles
tool can no longer install configuration profiles, however .mobileconfig
files can be planted and installed
+ with user interaction.(Citation: xorrior chrome extensions macOS)\n\nOnce the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser
+ (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals
+ Creds)(Citation: Catch All Chrome Extension)\n\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for [Command and Control](https://attack.mitre.org/tactics/TA0011).(Citation:
+ Stantinko Botnet)(Citation: Chrome Extension C2 Malware) Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for [Defense
+ Evasion](https://attack.mitre.org/tactics/TA0005).(Citation: Browers FriarFox)(Citation: Browser Adrozek) "
guid: 7a714703-9f6b-461c-b06d-e6aeac650f27
name: Google Chrome Load Unpacked Extension With Command Line
tactic:
diff --git a/yml/7ab0205a-34e4-4a44-9b04-e1541d1a57be.yml b/yml/7ab0205a-34e4-4a44-9b04-e1541d1a57be.yml
index 030bbeb2..6bdf6f88 100644
--- a/yml/7ab0205a-34e4-4a44-9b04-e1541d1a57be.yml
+++ b/yml/7ab0205a-34e4-4a44-9b04-e1541d1a57be.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: 7ab0205a-34e4-4a44-9b04-e1541d1a57be
name: Enumerate Linked Policies In ADSISearcher Discovery
tactic:
diff --git a/yml/7ae7102c-a099-45c8-b985-4c7a2d05790d.yml b/yml/7ae7102c-a099-45c8-b985-4c7a2d05790d.yml
index 4a2f22c1..32bb8fa3 100644
--- a/yml/7ae7102c-a099-45c8-b985-4c7a2d05790d.yml
+++ b/yml/7ae7102c-a099-45c8-b985-4c7a2d05790d.yml
@@ -13,10 +13,11 @@ Attack_description: |
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
- Built-in Windows tools such as comsvcs.dll can also be used:
+ Built-in Windows tools such as `comsvcs.dll` can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full
(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
+ Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
diff --git a/yml/7b697ece-8270-46b5-bbc7-6b9e27081831.yml b/yml/7b697ece-8270-46b5-bbc7-6b9e27081831.yml
index e7c26401..090922e7 100644
--- a/yml/7b697ece-8270-46b5-bbc7-6b9e27081831.yml
+++ b/yml/7b697ece-8270-46b5-bbc7-6b9e27081831.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: 7b697ece-8270-46b5-bbc7-6b9e27081831
name: Edit UFW firewall main configuration file
tactic:
diff --git a/yml/7b9d85e5-c4ce-4434-8060-d3de83595e69.yml b/yml/7b9d85e5-c4ce-4434-8060-d3de83595e69.yml
index 13c05062..648bd261 100644
--- a/yml/7b9d85e5-c4ce-4434-8060-d3de83595e69.yml
+++ b/yml/7b9d85e5-c4ce-4434-8060-d3de83595e69.yml
@@ -1,8 +1,12 @@
Attack_name: 'Proxy: Multi-hop Proxy'
Attack_description: |-
- To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)
+ Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
- In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.
+ For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
+
+ In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
+
+ Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
guid: 7b9d85e5-c4ce-4434-8060-d3de83595e69
name: Tor Proxy Usage - Windows
tactic:
diff --git a/yml/7be1bc0f-d8e5-4345-9333-f5f67d742cb9.yml b/yml/7be1bc0f-d8e5-4345-9333-f5f67d742cb9.yml
index e73cb89c..92a3786e 100644
--- a/yml/7be1bc0f-d8e5-4345-9333-f5f67d742cb9.yml
+++ b/yml/7be1bc0f-d8e5-4345-9333-f5f67d742cb9.yml
@@ -1,6 +1,6 @@
Attack_name: 'Access Token Manipulation: Token Impersonation/Theft'
Attack_description: |-
- Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.
+ Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.
An adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.
diff --git a/yml/7ccdfcfa-6707-46bc-b812-007ab6ff951c.yml b/yml/7ccdfcfa-6707-46bc-b812-007ab6ff951c.yml
new file mode 100644
index 00000000..f0360e33
--- /dev/null
+++ b/yml/7ccdfcfa-6707-46bc-b812-007ab6ff951c.yml
@@ -0,0 +1,20 @@
+Attack_name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
+Attack_description: "Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent
+ to an alternate network location from the main command and control server. \n\nAsymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography,
+ this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channels requires a private key (only in the procession of that entity)
+ and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin. \n\nNetwork protocols that use asymmetric encryption (such as HTTPS/TLS/SSL)
+ often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol. "
+guid: 7ccdfcfa-6707-46bc-b812-007ab6ff951c
+name: Exfiltrate data in a file over HTTPS using wget
+tactic:
+ - exfiltration
+technique:
+ - T1048.002
+os:
+ - linux
+description: 'Exfiltrate data over HTTPS using wget --post-file method
+
+ '
+executor: sh
+sigma: false
+sigma_rule: []
diff --git a/yml/7cede33f-0acd-44ef-9774-15511300b24b.yml b/yml/7cede33f-0acd-44ef-9774-15511300b24b.yml
index 6cc6fc49..59316d49 100644
--- a/yml/7cede33f-0acd-44ef-9774-15511300b24b.yml
+++ b/yml/7cede33f-0acd-44ef-9774-15511300b24b.yml
@@ -13,10 +13,11 @@ Attack_description: |
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
- Built-in Windows tools such as comsvcs.dll can also be used:
+ Built-in Windows tools such as `comsvcs.dll` can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full
(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
+ Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
diff --git a/yml/7d984ef2-2db2-4cec-b090-e637e1698f61.yml b/yml/7d984ef2-2db2-4cec-b090-e637e1698f61.yml
index 4bdb69f9..5f024326 100644
--- a/yml/7d984ef2-2db2-4cec-b090-e637e1698f61.yml
+++ b/yml/7d984ef2-2db2-4cec-b090-e637e1698f61.yml
@@ -1,8 +1,9 @@
Attack_name: Account Manipulation
Attack_description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to
- a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password
- updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on
- systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
+ a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies,
+ such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already
+ have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
guid: 7d984ef2-2db2-4cec-b090-e637e1698f61
name: 'Domain Password Policy Check: No Special Character in Password'
tactic:
diff --git a/yml/7db7a7f9-9531-4840-9b30-46220135441c.yml b/yml/7db7a7f9-9531-4840-9b30-46220135441c.yml
index f0782b62..095321c0 100644
--- a/yml/7db7a7f9-9531-4840-9b30-46220135441c.yml
+++ b/yml/7db7a7f9-9531-4840-9b30-46220135441c.yml
@@ -1,8 +1,12 @@
Attack_name: Windows Management Instrumentation
Attack_description: |-
- Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)
+ Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
- An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
+ The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)
+
+ An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)
+
+ **Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
guid: 7db7a7f9-9531-4840-9b30-46220135441c
name: Create a Process using WMI Query and an Encoded Command
tactic:
diff --git a/yml/7e46c7a5-0142-45be-a858-1a3ecb4fd3cb.yml b/yml/7e46c7a5-0142-45be-a858-1a3ecb4fd3cb.yml
index 3c04b2d7..d1ee8045 100644
--- a/yml/7e46c7a5-0142-45be-a858-1a3ecb4fd3cb.yml
+++ b/yml/7e46c7a5-0142-45be-a858-1a3ecb4fd3cb.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Local Account'
Attack_description: |-
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
- Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
+ Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
guid: 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb
name: List opened files by user
tactic:
diff --git a/yml/7e79a1b6-519e-433c-ad55-3ff293667101.yml b/yml/7e79a1b6-519e-433c-ad55-3ff293667101.yml
index 684e0af3..4bf74dd6 100644
--- a/yml/7e79a1b6-519e-433c-ad55-3ff293667101.yml
+++ b/yml/7e79a1b6-519e-433c-ad55-3ff293667101.yml
@@ -2,6 +2,8 @@ Attack_name: Software Discovery
Attack_description: |-
Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Such software may be deployed widely across the environment for configuration management or security reasons, such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072), and may allow adversaries broad access to infect devices or move laterally.
+
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
guid: 7e79a1b6-519e-433c-ad55-3ff293667101
name: WinPwn - Dotnetsearch
diff --git a/yml/7e91138a-8e74-456d-a007-973d67a0bb80.yml b/yml/7e91138a-8e74-456d-a007-973d67a0bb80.yml
index acbb2da7..3f3ead7d 100644
--- a/yml/7e91138a-8e74-456d-a007-973d67a0bb80.yml
+++ b/yml/7e91138a-8e74-456d-a007-973d67a0bb80.yml
@@ -2,7 +2,7 @@ Attack_name: 'OS Credential Dumping: Proc Filesystem'
Attack_description: |-
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
- When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns that are indicative of credentials, such as looking for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)
+ When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | cut -d' ' -f 1
, to look for fixed strings in memory structures or cached hashes.(Citation: atomic-red proc file system) When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)
If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.
guid: 7e91138a-8e74-456d-a007-973d67a0bb80
diff --git a/yml/7ece1dea-49f1-4d62-bdcc-5801e3292510.yml b/yml/7ece1dea-49f1-4d62-bdcc-5801e3292510.yml
index 95ce9317..ec65d4de 100644
--- a/yml/7ece1dea-49f1-4d62-bdcc-5801e3292510.yml
+++ b/yml/7ece1dea-49f1-4d62-bdcc-5801e3292510.yml
@@ -1,8 +1,9 @@
Attack_name: Account Manipulation
Attack_description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to
- a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password
- updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on
- systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
+ a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies,
+ such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already
+ have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
guid: 7ece1dea-49f1-4d62-bdcc-5801e3292510
name: GCP - Delete Service Account Key
tactic:
diff --git a/yml/7f566051-f033-49fb-89de-b6bacab730f0.yml b/yml/7f566051-f033-49fb-89de-b6bacab730f0.yml
index a21daa2e..d68757f2 100644
--- a/yml/7f566051-f033-49fb-89de-b6bacab730f0.yml
+++ b/yml/7f566051-f033-49fb-89de-b6bacab730f0.yml
@@ -1,10 +1,10 @@
Attack_name: 'Software Discovery: Security Software Discovery'
Attack_description: |-
- Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query
with [Reg](https://attack.mitre.org/software/S0075), dir
with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
- Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the DescribeSecurityGroups
action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)
+ Adversaries may also utilize the [Cloud API](https://attack.mitre.org/techniques/T1059/009) to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.
guid: 7f566051-f033-49fb-89de-b6bacab730f0
name: Security Software Discovery - powershell
tactic:
diff --git a/yml/7fe741f7-b265-4951-a7c7-320889083b3e.yml b/yml/7fe741f7-b265-4951-a7c7-320889083b3e.yml
index 07d2e1ca..b5226013 100644
--- a/yml/7fe741f7-b265-4951-a7c7-320889083b3e.yml
+++ b/yml/7fe741f7-b265-4951-a7c7-320889083b3e.yml
@@ -1,10 +1,10 @@
Attack_name: Network Sniffing
Attack_description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+ Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
diff --git a/yml/80887bec-5a9b-4efc-a81d-f83eb2eb32ab.yml b/yml/80887bec-5a9b-4efc-a81d-f83eb2eb32ab.yml
index 570bae68..b56a92bf 100644
--- a/yml/80887bec-5a9b-4efc-a81d-f83eb2eb32ab.yml
+++ b/yml/80887bec-5a9b-4efc-a81d-f83eb2eb32ab.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Local Account'
Attack_description: |-
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
- Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
+ Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
guid: 80887bec-5a9b-4efc-a81d-f83eb2eb32ab
name: Enumerate all accounts on Windows (Local)
tactic:
diff --git a/yml/80b453d1-eec5-4144-bf08-613a6c3ffe12.yml b/yml/80b453d1-eec5-4144-bf08-613a6c3ffe12.yml
index ae8c76fd..8290854a 100644
--- a/yml/80b453d1-eec5-4144-bf08-613a6c3ffe12.yml
+++ b/yml/80b453d1-eec5-4144-bf08-613a6c3ffe12.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: 80b453d1-eec5-4144-bf08-613a6c3ffe12
name: LockBit Black - Unusual Windows firewall registry modification -Powershell
tactic:
diff --git a/yml/815bef8b-bf91-4b67-be4c-abe4c2a94ccc.yml b/yml/815bef8b-bf91-4b67-be4c-abe4c2a94ccc.yml
index 7db6232e..c2106a66 100644
--- a/yml/815bef8b-bf91-4b67-be4c-abe4c2a94ccc.yml
+++ b/yml/815bef8b-bf91-4b67-be4c-abe4c2a94ccc.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 815bef8b-bf91-4b67-be4c-abe4c2a94ccc
name: Download a File with Windows Defender MpCmdRun.exe
tactic:
diff --git a/yml/81959d03-c51f-49a1-bb24-23f1ec885578.yml b/yml/81959d03-c51f-49a1-bb24-23f1ec885578.yml
index b99899c3..f0b787a5 100644
--- a/yml/81959d03-c51f-49a1-bb24-23f1ec885578.yml
+++ b/yml/81959d03-c51f-49a1-bb24-23f1ec885578.yml
@@ -1,8 +1,9 @@
Attack_name: Account Manipulation
Attack_description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to
- a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password
- updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on
- systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
+ a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies,
+ such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already
+ have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
guid: 81959d03-c51f-49a1-bb24-23f1ec885578
name: 'Domain Password Policy Check: Common Password Use'
tactic:
diff --git a/yml/81cfdd7f-1f41-4cc5-9845-bb5149438e37.yml b/yml/81cfdd7f-1f41-4cc5-9845-bb5149438e37.yml
new file mode 100644
index 00000000..fda14be9
--- /dev/null
+++ b/yml/81cfdd7f-1f41-4cc5-9845-bb5149438e37.yml
@@ -0,0 +1,28 @@
+Attack_name: Forced Authentication
+Attack_description: |-
+ Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
+
+ The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.
+
+ Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)
+
+ Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line [Brute Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB)
+
+ There are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include:
+
+ * A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm
to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017)
+ * A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\[remote address]\pic.png
that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017)
+guid: 81cfdd7f-1f41-4cc5-9845-bb5149438e37
+name: Trigger an authenticated RPC call to a target server with no Sign flag set
+tactic:
+ - credential-access
+technique:
+ - T1187
+os:
+ - windows
+description: |-
+ RpcPing command can be used to trigger an authenticated RPC call to the target server (/s) that could be relayed to a privileged resource (Sign flag not Set)
+ Ref: https://twitter.com/splinter_code/status/1421144623678988298
+executor: powershell
+sigma: false
+sigma_rule: []
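Review bot: The new entry closes with `sigma: false` and `sigma_rule: []`, so this T1187 test (an authenticated RPC call with the Sign flag not set, per the description) is added with no detection rule mapped to it, and nothing in the file says whether that is a known gap or an oversight. If the unmapped state is intentional until a rule exists, a short comment above `sigma: false` would keep the reason visible to whoever maintains coverage, e.g. `# no Sigma rule mapped yet for this forced-authentication test; revisit when one lands`. The `Ref:` in `description` is a social-media link, which tends to rot; if a more durable write-up of the same behaviour exists it would be a better citation, though that text is presumably inherited from the upstream test definition.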
diff --git a/yml/83a49600-222b-4866-80a0-37736ad29344.yml b/yml/83a49600-222b-4866-80a0-37736ad29344.yml
index 73894d41..8c195b9c 100644
--- a/yml/83a49600-222b-4866-80a0-37736ad29344.yml
+++ b/yml/83a49600-222b-4866-80a0-37736ad29344.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 83a49600-222b-4866-80a0-37736ad29344
name: scp remote file copy (push)
tactic:
diff --git a/yml/84113186-ed3c-4d0d-8a3c-8980c86c1f4a.yml b/yml/84113186-ed3c-4d0d-8a3c-8980c86c1f4a.yml
index 9d617c94..dd536812 100644
--- a/yml/84113186-ed3c-4d0d-8a3c-8980c86c1f4a.yml
+++ b/yml/84113186-ed3c-4d0d-8a3c-8980c86c1f4a.yml
@@ -1,6 +1,6 @@
Attack_name: OS Credential Dumping
Attack_description: |
- Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
+ Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
guid: 84113186-ed3c-4d0d-8a3c-8980c86c1f4a
diff --git a/yml/8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3.yml b/yml/8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3.yml
index 0c7495ef..b6baf72c 100644
--- a/yml/8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3.yml
+++ b/yml/8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3.yml
@@ -4,6 +4,8 @@ Attack_description: |-
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
+ Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
+
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
diff --git a/yml/855fb8b4-b8ab-4785-ae77-09f5df7bff55.yml b/yml/855fb8b4-b8ab-4785-ae77-09f5df7bff55.yml
index 8dbd10f2..6a840f8c 100644
--- a/yml/855fb8b4-b8ab-4785-ae77-09f5df7bff55.yml
+++ b/yml/855fb8b4-b8ab-4785-ae77-09f5df7bff55.yml
@@ -1,10 +1,10 @@
Attack_name: Network Sniffing
Attack_description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+ Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
diff --git a/yml/86fc3f40-237f-4701-b155-81c01c48d697.yml b/yml/86fc3f40-237f-4701-b155-81c01c48d697.yml
index 441ab370..e9b27f1a 100644
--- a/yml/86fc3f40-237f-4701-b155-81c01c48d697.yml
+++ b/yml/86fc3f40-237f-4701-b155-81c01c48d697.yml
@@ -13,10 +13,11 @@ Attack_description: |
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
- Built-in Windows tools such as comsvcs.dll can also be used:
+ Built-in Windows tools such as `comsvcs.dll` can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full
(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
+ Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
diff --git a/yml/8822c3b0-d9f9-4daf-a043-491160a31122.yml b/yml/8822c3b0-d9f9-4daf-a043-491160a31122.yml
index 6d6ebc23..a6526bc9 100644
--- a/yml/8822c3b0-d9f9-4daf-a043-491160a31122.yml
+++ b/yml/8822c3b0-d9f9-4daf-a043-491160a31122.yml
@@ -10,8 +10,9 @@ Attack_description: "Adversaries may add adversary-controlled credentials to a c
in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure
AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) \n\nIn AWS environments, adversaries with the appropriate
- permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the
- duration of their lifetime even if the original account’s API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation Persistence)"
+ permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials to [Forge Web Credentials](https://attack.mitre.org/techniques/T1606) tied to the permissions of
+ the original user account. These temporary credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.\n(Citation: Crowdstrike AWS User
+ Federation Persistence)"
guid: 8822c3b0-d9f9-4daf-a043-491160a31122
name: AWS - Create Access Key and Secret Key
tactic:
diff --git a/yml/8822c3b0-d9f9-4daf-a043-49f110a31122.yml b/yml/8822c3b0-d9f9-4daf-a043-49f110a31122.yml
index 068e17e8..6e4ae15a 100644
--- a/yml/8822c3b0-d9f9-4daf-a043-49f110a31122.yml
+++ b/yml/8822c3b0-d9f9-4daf-a043-49f110a31122.yml
@@ -1,8 +1,9 @@
Attack_name: Account Manipulation
Attack_description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to
- a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password
- updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on
- systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
+ a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies,
+ such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already
+ have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
guid: 8822c3b0-d9f9-4daf-a043-49f110a31122
name: AWS - Create a group and add a user to that group
tactic:
diff --git a/yml/88d05800-a5e4-407e-9b53-ece4174f197f.yml b/yml/88d05800-a5e4-407e-9b53-ece4174f197f.yml
index 3ac09c4a..1a728568 100644
--- a/yml/88d05800-a5e4-407e-9b53-ece4174f197f.yml
+++ b/yml/88d05800-a5e4-407e-9b53-ece4174f197f.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: 88d05800-a5e4-407e-9b53-ece4174f197f
name: Disable Microsoft Defender Firewall
tactic:
diff --git a/yml/8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7.yml b/yml/8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7.yml
index c2e5c916..620e1b4c 100644
--- a/yml/8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7.yml
+++ b/yml/8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7.yml
@@ -1,10 +1,12 @@
Attack_name: Domain Trust Modification
-Attack_description: "Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a
- domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects
- may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\n\nManipulating the domain trusts may allow an adversary to escalate privileges and/or evade
- defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the
- signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert a domain to a federated domain, which
- may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) "
+Attack_description: "Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade
+ defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose
+ of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\n
+ \nManipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD)
+ environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002) without the need to compromise the signing certificate to forge new credentials. Instead, an adversary
+ can manipulate domain trusts to add their own signing certificate. An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable
+ malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) \n\nAn adversary may
+ also add a new federated identity provider to an identity tenant such as Okta, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023)"
guid: 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7
name: Add Federation to Azure AD
tactic:
diff --git a/yml/899a7fb5-d197-4951-8614-f19ac4a73ad4.yml b/yml/899a7fb5-d197-4951-8614-f19ac4a73ad4.yml
index 8d003df6..ef9f1c3e 100644
--- a/yml/899a7fb5-d197-4951-8614-f19ac4a73ad4.yml
+++ b/yml/899a7fb5-d197-4951-8614-f19ac4a73ad4.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: 899a7fb5-d197-4951-8614-f19ac4a73ad4
name: Modify/delete iptables firewall rules
tactic:
diff --git a/yml/8a95b832-2c2a-494d-9cb0-dc9dd97c8bad.yml b/yml/8a95b832-2c2a-494d-9cb0-dc9dd97c8bad.yml
index f496365e..cfc27e31 100644
--- a/yml/8a95b832-2c2a-494d-9cb0-dc9dd97c8bad.yml
+++ b/yml/8a95b832-2c2a-494d-9cb0-dc9dd97c8bad.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad
name: Turn off UFW logging
tactic:
diff --git a/yml/8b23cae1-66c1-41c5-b79d-e095b6098b5b.yml b/yml/8b23cae1-66c1-41c5-b79d-e095b6098b5b.yml
index 0eea6c49..4b7babfb 100644
--- a/yml/8b23cae1-66c1-41c5-b79d-e095b6098b5b.yml
+++ b/yml/8b23cae1-66c1-41c5-b79d-e095b6098b5b.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: 8b23cae1-66c1-41c5-b79d-e095b6098b5b
name: Add and delete Packet Filter rules
tactic:
diff --git a/yml/8b8a6449-be98-4f42-afd2-dedddc7453b2.yml b/yml/8b8a6449-be98-4f42-afd2-dedddc7453b2.yml
index 783f1db3..3aae26e4 100644
--- a/yml/8b8a6449-be98-4f42-afd2-dedddc7453b2.yml
+++ b/yml/8b8a6449-be98-4f42-afd2-dedddc7453b2.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: 8b8a6449-be98-4f42-afd2-dedddc7453b2
name: Enumerate all accounts via PowerShell (Domain)
tactic:
diff --git a/yml/8bec51da-7a6d-4346-b941-51eca448c4b0.yml b/yml/8bec51da-7a6d-4346-b941-51eca448c4b0.yml
new file mode 100644
index 00000000..a41076d1
--- /dev/null
+++ b/yml/8bec51da-7a6d-4346-b941-51eca448c4b0.yml
@@ -0,0 +1,20 @@
+Attack_name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
+Attack_description: "Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent
+ to an alternate network location from the main command and control server. \n\nAsymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography,
+ this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channels requires a private key (only in the procession of that entity)
+ and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin. \n\nNetwork protocols that use asymmetric encryption (such as HTTPS/TLS/SSL)
+ often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol. "
+guid: 8bec51da-7a6d-4346-b941-51eca448c4b0
+name: Exfiltrate data as text over HTTPS using wget
+tactic:
+ - exfiltration
+technique:
+ - T1048.002
+os:
+ - linux
+description: 'Exfiltrate data over HTTPS using wget --post-data method
+
+ '
+executor: sh
+sigma: false
+sigma_rule: []
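Review bot: The new entry ends with `sigma: false` and `sigma_rule: []`, so this T1048.002 atomic (HTTPS exfiltration via `wget --post-data`, executor `sh`, Linux only) is added with no mapped detection rule and therefore no recorded coverage. If these YAML entries are generated from the upstream test and rule sources, that gap belongs in the missing-tests list rather than in a hand edit here; otherwise a process-creation rule keyed on `wget` with `--post-data` or `--post-file` would be the natural candidate to map. The inherited description also contains `only in the procession of that entity` where `possession` is meant, which appears to be upstream wording and should be corrected at the source so a regeneration does not reintroduce it.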
diff --git a/yml/8c992cb3-a46e-4fd5-b005-b1bab185af31.yml b/yml/8c992cb3-a46e-4fd5-b005-b1bab185af31.yml
index ec135c42..351285a6 100644
--- a/yml/8c992cb3-a46e-4fd5-b005-b1bab185af31.yml
+++ b/yml/8c992cb3-a46e-4fd5-b005-b1bab185af31.yml
@@ -1,6 +1,6 @@
Attack_name: 'Create Account: Domain Account'
Attack_description: |-
- Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain
command can be used to create a domain account.
+ Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain
command can be used to create a domain account.(Citation: Savill 1999)
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
guid: 8c992cb3-a46e-4fd5-b005-b1bab185af31
diff --git a/yml/8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0.yml b/yml/8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0.yml
index ce3cf205..a3689ad2 100644
--- a/yml/8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0.yml
+++ b/yml/8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0.yml
@@ -3,8 +3,9 @@ Attack_description: "An adversary may use legitimate desktop support and remote
such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and
may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\n\nRemote access
software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They
- may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n \nAdversaries may similarly abuse response features included
- in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003))."
+ may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.\n \nAdversaries may similarly abuse response features included
+ in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).
+ Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)"
guid: 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0
name: TeamViewer Files Detected Test on Windows
tactic:
diff --git a/yml/8d1c2368-b503-40c9-9057-8e42f21c58ad.yml b/yml/8d1c2368-b503-40c9-9057-8e42f21c58ad.yml
index e06ab313..33909a73 100644
--- a/yml/8d1c2368-b503-40c9-9057-8e42f21c58ad.yml
+++ b/yml/8d1c2368-b503-40c9-9057-8e42f21c58ad.yml
@@ -2,6 +2,8 @@ Attack_name: 'Create Account: Cloud Account'
Attack_description: |-
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
+ In addition to user accounts, cloud accounts may be associated with services. Cloud providers handle the concept of service accounts in different ways. In Azure, service accounts include service principals and managed identities, which can be linked to various resources such as OAuth applications, serverless functions, and virtual machines in order to grant those resources permissions to perform various activities in the environment.(Citation: Microsoft Entra ID Service Principals) In GCP, service accounts can also be linked to specific resources, as well as be impersonated by other accounts for [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005).(Citation: GCP Service Accounts) While AWS has no specific concept of service accounts, resources can be directly granted permission to assume roles.(Citation: AWS Instance Profiles)(Citation: AWS Lambda Execution Role)
+
Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.
Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) or assigning [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).
diff --git a/yml/8fd5a296-6772-4766-9991-ff4e92af7240.yml b/yml/8fd5a296-6772-4766-9991-ff4e92af7240.yml
index 356b5911..431b5ee3 100644
--- a/yml/8fd5a296-6772-4766-9991-ff4e92af7240.yml
+++ b/yml/8fd5a296-6772-4766-9991-ff4e92af7240.yml
@@ -1,7 +1,7 @@
Attack_name: Credentials from Password Stores
-Attack_description: Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application
- holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults.
- Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
+Attack_description: 'Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending
+ on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password
+ managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.'
guid: 8fd5a296-6772-4766-9991-ff4e92af7240
name: Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
tactic:
diff --git a/yml/90db9e27-8e7c-4c04-b602-a45927884966.yml b/yml/90db9e27-8e7c-4c04-b602-a45927884966.yml
index 6a468b7e..39e5fdfa 100644
--- a/yml/90db9e27-8e7c-4c04-b602-a45927884966.yml
+++ b/yml/90db9e27-8e7c-4c04-b602-a45927884966.yml
@@ -1,6 +1,6 @@
Attack_name: 'Access Token Manipulation: Token Impersonation/Theft'
Attack_description: |-
- Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.
+ Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.
An adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.
diff --git a/yml/91f348e6-3760-4997-a93b-2ceee7f254ee.yml b/yml/91f348e6-3760-4997-a93b-2ceee7f254ee.yml
index 40a8e46c..16c924fd 100644
--- a/yml/91f348e6-3760-4997-a93b-2ceee7f254ee.yml
+++ b/yml/91f348e6-3760-4997-a93b-2ceee7f254ee.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: 91f348e6-3760-4997-a93b-2ceee7f254ee
name: Blackbit - Disable Windows Firewall using netsh firewall
tactic:
diff --git a/yml/92c40b3f-c406-4d1f-8d2b-c039bf5009e4.yml b/yml/92c40b3f-c406-4d1f-8d2b-c039bf5009e4.yml
index c37a2804..4eeb4d7f 100644
--- a/yml/92c40b3f-c406-4d1f-8d2b-c039bf5009e4.yml
+++ b/yml/92c40b3f-c406-4d1f-8d2b-c039bf5009e4.yml
@@ -1,8 +1,9 @@
Attack_name: Account Manipulation
Attack_description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to
- a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password
- updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on
- systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
+ a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies,
+ such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already
+ have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
guid: 92c40b3f-c406-4d1f-8d2b-c039bf5009e4
name: Azure AD - adding service principal to Azure AD role
tactic:
diff --git a/yml/93662494-5ed7-4454-a04c-8c8372808ac2.yml b/yml/93662494-5ed7-4454-a04c-8c8372808ac2.yml
index 25835343..5c62b474 100644
--- a/yml/93662494-5ed7-4454-a04c-8c8372808ac2.yml
+++ b/yml/93662494-5ed7-4454-a04c-8c8372808ac2.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: 93662494-5ed7-4454-a04c-8c8372808ac2
name: Get-DomainUser with PowerView
tactic:
diff --git a/yml/945da11e-977e-4dab-85d2-f394d03c5887.yml b/yml/945da11e-977e-4dab-85d2-f394d03c5887.yml
index f797a8c7..c2446de0 100644
--- a/yml/945da11e-977e-4dab-85d2-f394d03c5887.yml
+++ b/yml/945da11e-977e-4dab-85d2-f394d03c5887.yml
@@ -1,8 +1,9 @@
Attack_name: Account Manipulation
Attack_description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to
- a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password
- updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on
- systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
+ a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies,
+ such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already
+ have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
guid: 945da11e-977e-4dab-85d2-f394d03c5887
name: 'Domain Password Policy Check: No Lowercase Character in Password'
tactic:
diff --git a/yml/94be7646-25f6-467e-af23-585fb13000c8.yml b/yml/94be7646-25f6-467e-af23-585fb13000c8.yml
index 16442244..79c0df51 100644
--- a/yml/94be7646-25f6-467e-af23-585fb13000c8.yml
+++ b/yml/94be7646-25f6-467e-af23-585fb13000c8.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: 94be7646-25f6-467e-af23-585fb13000c8
name: Set a firewall rule using New-NetFirewallRule
tactic:
diff --git a/yml/94ea9cc3-81f9-4111-8dde-3fb54f36af4b.yml b/yml/94ea9cc3-81f9-4111-8dde-3fb54f36af4b.yml
index 1a064c6c..719f9444 100644
--- a/yml/94ea9cc3-81f9-4111-8dde-3fb54f36af4b.yml
+++ b/yml/94ea9cc3-81f9-4111-8dde-3fb54f36af4b.yml
@@ -1,8 +1,9 @@
Attack_name: Account Manipulation
Attack_description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to
- a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password
- updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on
- systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
+ a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies,
+ such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already
+ have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
guid: 94ea9cc3-81f9-4111-8dde-3fb54f36af4b
name: Azure AD - adding permission to application
tactic:
diff --git a/yml/95018438-454a-468c-a0fa-59c800149b59.yml b/yml/95018438-454a-468c-a0fa-59c800149b59.yml
index a5047ec5..692a218a 100644
--- a/yml/95018438-454a-468c-a0fa-59c800149b59.yml
+++ b/yml/95018438-454a-468c-a0fa-59c800149b59.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: 95018438-454a-468c-a0fa-59c800149b59
name: Automated AD Recon (ADRecon)
tactic:
diff --git a/yml/95f5c72f-6dfe-45f3-a8c1-d8faa07176fa.yml b/yml/95f5c72f-6dfe-45f3-a8c1-d8faa07176fa.yml
index 090b48a8..d59f9f62 100644
--- a/yml/95f5c72f-6dfe-45f3-a8c1-d8faa07176fa.yml
+++ b/yml/95f5c72f-6dfe-45f3-a8c1-d8faa07176fa.yml
@@ -20,24 +20,13 @@ technique:
- T1562.003
os:
- windows
-description: |
- In Windows operating systems, command line auditing is controlled through the following registry value:
-
- Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
- Registry Value: ProcessCreationIncludeCmdLine_Enabled
-
- When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
- This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
- By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
- Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
-
- Because this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:
- Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)
- Registry events (Windows Event ID 4657, Sysmon Event ID 13)
-
- Read more here:
- https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key
+description: "In Windows operating systems, command line auditing is controlled through the following registry value:\n\n Registry Path: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\
+ Audit\n \n Registry Value: ProcessCreationIncludeCmdLine_Enabled\n\nWhen command line auditing is enabled, the system records detailed information about command execution, including the command executed,
+ the user account responsible for executing the command, and the timestamp of the execution.\nThis information is crucial for security monitoring and forensic analysis, as it helps organizations detect
+ and investigate unauthorized or malicious activities within their systems.\nBy default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate
+ registry settings to activate it.\nConversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks
+ while perpetrating malicious activities.\n\nBecause this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:\n Powershell Logging (Windows Powershell Event ID 400, 800, 4103,
+ 4104)\n Registry events (Windows Event ID 4657, Sysmon Event ID 13)\n\nRead more here:\nhttps://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html\nhttps://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key\n"
executor: powershell
sigma: false
sigma_rule: []
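Review bot: The detection guidance in the rewritten `description` (the lines citing Windows Event ID 4657 and Sysmon Event ID 13) omits that 4657 is only generated when the "Audit Registry" object-access subcategory is enabled and the key carries a SACL covering Set Value, and that PowerShell 4103/4104 depend on Module and Script Block logging being turned on, so on a default install only Sysmon 13 is likely to record this test. Since `sigma: false` and `sigma_rule: []` show no rule is mapped to this test, a one-line caveat such as `Note: Event ID 4657 requires 'Audit Registry' auditing plus a SACL on the key; 4103/4104 require Module/Script Block logging.` would stop readers from assuming default telemetry covers it. Separately, folding the scalar into a double-quoted string places a `\\\` escaped line break in the middle of the registry path (`...\\System\\\` continued by `Audit`), which cannot be verified by eye; keeping the `|` literal block, or at least not splitting the path across lines, is safer for a value people will copy into detection content. If this file is regenerated from an upstream source rather than hand-edited, the caveat belongs in the generator's input instead.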
diff --git a/yml/96345bfc-8ae7-4b6a-80b7-223200f24ef9.yml b/yml/96345bfc-8ae7-4b6a-80b7-223200f24ef9.yml
index 6f919628..804ad87e 100644
--- a/yml/96345bfc-8ae7-4b6a-80b7-223200f24ef9.yml
+++ b/yml/96345bfc-8ae7-4b6a-80b7-223200f24ef9.yml
@@ -1,6 +1,6 @@
Attack_name: OS Credential Dumping
Attack_description: |
- Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
+ Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
guid: 96345bfc-8ae7-4b6a-80b7-223200f24ef9
diff --git a/yml/9636dd6e-7599-40d2-8eee-ac16434f35ed.yml b/yml/9636dd6e-7599-40d2-8eee-ac16434f35ed.yml
index bde59718..1a67099b 100644
--- a/yml/9636dd6e-7599-40d2-8eee-ac16434f35ed.yml
+++ b/yml/9636dd6e-7599-40d2-8eee-ac16434f35ed.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: 9636dd6e-7599-40d2-8eee-ac16434f35ed
name: Open a local port through Windows Firewall to any profile
tactic:
diff --git a/yml/97116a3f-efac-4b26-8336-b9cb18c45188.yml b/yml/97116a3f-efac-4b26-8336-b9cb18c45188.yml
index e992c8c0..71922951 100644
--- a/yml/97116a3f-efac-4b26-8336-b9cb18c45188.yml
+++ b/yml/97116a3f-efac-4b26-8336-b9cb18c45188.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: 97116a3f-efac-4b26-8336-b9cb18c45188
name: Download a file using wscript
tactic:
diff --git a/yml/981e2942-e433-44e9-afc1-8c957a1496b6.yml b/yml/981e2942-e433-44e9-afc1-8c957a1496b6.yml
index 4071b472..2e3d87e3 100644
--- a/yml/981e2942-e433-44e9-afc1-8c957a1496b6.yml
+++ b/yml/981e2942-e433-44e9-afc1-8c957a1496b6.yml
@@ -9,8 +9,10 @@ Attack_description: "Adversaries may create or modify Windows services to repeat
these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised
machine (known as \"Bring Your Own Vulnerable Driver\" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation:
Unit42 AcidBox June 2020)\n\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries
- may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade
- Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component)."
+ may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002).\n\nTo make detection analysis more challenging, malicious services may also incorporate [Masquerade
+ Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create ‘hidden’
+ services (i.e., [Hide Artifacts](https://attack.mitre.org/techniques/T1564)), for example by using the `sc sdset` command to set service permissions via the Service Descriptor Definition Language (SDDL).
+ This may hide a Windows service from the view of standard service enumeration methods such as `Get-Service`, `sc query`, and `services.exe`.(Citation: SANS 1)(Citation: SANS 2)"
guid: 981e2942-e433-44e9-afc1-8c957a1496b6
name: Service Installation CMD
tactic:
diff --git a/yml/9c15a7de-de14-46c3-bc2a-6d94130986ae.yml b/yml/9c15a7de-de14-46c3-bc2a-6d94130986ae.yml
index a268abd6..d5602af0 100644
--- a/yml/9c15a7de-de14-46c3-bc2a-6d94130986ae.yml
+++ b/yml/9c15a7de-de14-46c3-bc2a-6d94130986ae.yml
@@ -1,10 +1,10 @@
Attack_name: Network Sniffing
Attack_description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+ Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
diff --git a/yml/9c3ad250-b185-4444-b5a9-d69218a10c95.yml b/yml/9c3ad250-b185-4444-b5a9-d69218a10c95.yml
index 013281a1..0f198c0d 100644
--- a/yml/9c3ad250-b185-4444-b5a9-d69218a10c95.yml
+++ b/yml/9c3ad250-b185-4444-b5a9-d69218a10c95.yml
@@ -1,6 +1,6 @@
Attack_name: Audio Capture
Attack_description: |-
- An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.
+ An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.
guid: 9c3ad250-b185-4444-b5a9-d69218a10c95
diff --git a/yml/9c6d799b-c111-4749-a42f-ec2f8cb51448.yml b/yml/9c6d799b-c111-4749-a42f-ec2f8cb51448.yml
index 79ece3cd..bd958445 100644
--- a/yml/9c6d799b-c111-4749-a42f-ec2f8cb51448.yml
+++ b/yml/9c6d799b-c111-4749-a42f-ec2f8cb51448.yml
@@ -1,6 +1,6 @@
Attack_name: 'Access Token Manipulation: Token Impersonation/Theft'
Attack_description: |-
- Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.
+ Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.
An adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.
diff --git a/yml/9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0.yml b/yml/9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0.yml
index 1a8faf99..5b2bf36d 100644
--- a/yml/9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0.yml
+++ b/yml/9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0.yml
@@ -1,7 +1,7 @@
Attack_name: Automated Exfiltration
-Attack_description: "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. \n\nWhen automated exfiltration is used,
- other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over
- Alternative Protocol](https://attack.mitre.org/techniques/T1048)."
+Attack_description: "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) \n\n
+ When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041)
+ and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)."
guid: 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
name: IcedID Botnet HTTP PUT
tactic:
diff --git a/yml/9c8ef159-c666-472f-9874-90c8d60d136b.yml b/yml/9c8ef159-c666-472f-9874-90c8d60d136b.yml
index 8f5c04e7..1089249d 100644
--- a/yml/9c8ef159-c666-472f-9874-90c8d60d136b.yml
+++ b/yml/9c8ef159-c666-472f-9874-90c8d60d136b.yml
@@ -1,8 +1,12 @@
Attack_name: Windows Management Instrumentation
Attack_description: |-
- Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)
+ Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
- An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
+ The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)
+
+ An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)
+
+ **Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
guid: 9c8ef159-c666-472f-9874-90c8d60d136b
name: WMI Execute Remote Process
tactic:
diff --git a/yml/9d0072c8-7cca-45c4-bd14-f852cfa35cf0.yml b/yml/9d0072c8-7cca-45c4-bd14-f852cfa35cf0.yml
index 2bdebd7b..8ec65c68 100644
--- a/yml/9d0072c8-7cca-45c4-bd14-f852cfa35cf0.yml
+++ b/yml/9d0072c8-7cca-45c4-bd14-f852cfa35cf0.yml
@@ -13,10 +13,11 @@ Attack_description: |
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
- Built-in Windows tools such as comsvcs.dll can also be used:
+ Built-in Windows tools such as `comsvcs.dll` can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full
(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
+ Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
diff --git a/yml/9d04efee-eff5-4240-b8d2-07792b873608.yml b/yml/9d04efee-eff5-4240-b8d2-07792b873608.yml
index f3a74ed9..fe4e227a 100644
--- a/yml/9d04efee-eff5-4240-b8d2-07792b873608.yml
+++ b/yml/9d04efee-eff5-4240-b8d2-07792b873608.yml
@@ -1,10 +1,10 @@
Attack_name: Network Sniffing
Attack_description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+ Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
diff --git a/yml/9dca5a1d-f78c-4a8d-accb-d6de67cfed6b.yml b/yml/9dca5a1d-f78c-4a8d-accb-d6de67cfed6b.yml
index 7acc3567..95faffbc 100644
--- a/yml/9dca5a1d-f78c-4a8d-accb-d6de67cfed6b.yml
+++ b/yml/9dca5a1d-f78c-4a8d-accb-d6de67cfed6b.yml
@@ -1,10 +1,10 @@
Attack_name: 'Software Discovery: Security Software Discovery'
Attack_description: |-
- Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query
with [Reg](https://attack.mitre.org/software/S0075), dir
with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
- Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the DescribeSecurityGroups
action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)
+ Adversaries may also utilize the [Cloud API](https://attack.mitre.org/techniques/T1059/009) to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.
guid: 9dca5a1d-f78c-4a8d-accb-d6de67cfed6b
name: Security Software Discovery - Windows Firewall Enumeration
tactic:
diff --git a/yml/9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6.yml b/yml/9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6.yml
index 19959ab3..f3550912 100644
--- a/yml/9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6.yml
+++ b/yml/9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6.yml
@@ -1,6 +1,6 @@
Attack_name: OS Credential Dumping
Attack_description: |
- Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
+ Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
guid: 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
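Review bot: The new citation key `(Citation: Brining MimiKatz to Unix)` at L4580 reads like a typo for "Bringing", and the same key is added at L4706 in the a21118de hunk. It appears to be copied verbatim from the upstream ATT&CK reference list, where the key is spelled this way, so correcting it locally would break the match against that list and it should stay as-is unless the upstream key changes. A short note in the generator or README stating that citation keys are taken verbatim from ATT&CK and must not be spell-corrected would keep a later cleanup commit from silently breaking the lookup.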
diff --git a/yml/9e507bb8-1d30-4e3b-a49b-cb5727d7ea79.yml b/yml/9e507bb8-1d30-4e3b-a49b-cb5727d7ea79.yml
index 7fbaa657..15560971 100644
--- a/yml/9e507bb8-1d30-4e3b-a49b-cb5727d7ea79.yml
+++ b/yml/9e507bb8-1d30-4e3b-a49b-cb5727d7ea79.yml
@@ -2,7 +2,7 @@ Attack_name: 'Unsecured Credentials: Credentials In Files'
Attack_description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
- It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)
+ It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP)
In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)
guid: 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79
diff --git a/yml/9fd99609-1854-4f3c-b47b-97d9a5972bd1.yml b/yml/9fd99609-1854-4f3c-b47b-97d9a5972bd1.yml
index 2d40ea6a..29aa7003 100644
--- a/yml/9fd99609-1854-4f3c-b47b-97d9a5972bd1.yml
+++ b/yml/9fd99609-1854-4f3c-b47b-97d9a5972bd1.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: 9fd99609-1854-4f3c-b47b-97d9a5972bd1
name: Stop/Start UFW firewall systemctl
tactic:
diff --git a/yml/9fdd83fd-bd53-46e5-a716-9dec89c8ae8e.yml b/yml/9fdd83fd-bd53-46e5-a716-9dec89c8ae8e.yml
index 3a1cbe19..c1a6ad57 100644
--- a/yml/9fdd83fd-bd53-46e5-a716-9dec89c8ae8e.yml
+++ b/yml/9fdd83fd-bd53-46e5-a716-9dec89c8ae8e.yml
@@ -1,13 +1,15 @@
Attack_name: 'Valid Accounts: Cloud Accounts'
Attack_description: "Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those
created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely
- in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation:
- Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nService or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566),
- or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments.\n\nAn adversary may create long
- lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass
- security controls such as multi-factor authentication. \n\nCloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges
- through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended
- scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009)
+ in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. (Citation:
+ AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nService or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110),
+ [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated or synced accounts may be a pathway for the adversary to affect both on-premises
+ systems and cloud environments - for example, by leveraging shared credentials to log onto [Remote Services](https://attack.mitre.org/techniques/T1021). High privileged cloud accounts, whether federated,
+ synced, or cloud-only, may also allow pivoting to on-premises environments by leveraging SaaS-based [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) to run commands on hybrid-joined
+ devices.\n\nAn adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment.
+ Such credentials may also be used to bypass security controls such as multi-factor authentication. \n\nCloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)
+ or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions
+ outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009)
or other methods. \n"
guid: 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e
name: Creating GCP Service Account and Service Account Key
diff --git a/yml/a12b5531-acab-4618-a470-0dafb294a87a.yml b/yml/a12b5531-acab-4618-a470-0dafb294a87a.yml
index 03f94fd6..d6838393 100644
--- a/yml/a12b5531-acab-4618-a470-0dafb294a87a.yml
+++ b/yml/a12b5531-acab-4618-a470-0dafb294a87a.yml
@@ -10,8 +10,9 @@ Attack_description: "Adversaries may add adversary-controlled credentials to a c
in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure
AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) \n\nIn AWS environments, adversaries with the appropriate
- permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the
- duration of their lifetime even if the original account’s API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation Persistence)"
+ permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials to [Forge Web Credentials](https://attack.mitre.org/techniques/T1606) tied to the permissions of
+ the original user account. These temporary credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.\n(Citation: Crowdstrike AWS User
+ Federation Persistence)"
guid: a12b5531-acab-4618-a470-0dafb294a87a
name: Azure AD Application Hijacking - App Registration
tactic:
diff --git a/yml/a138085e-bfe5-46ba-a242-74a6fb884af3.yml b/yml/a138085e-bfe5-46ba-a242-74a6fb884af3.yml
index 130f0541..07f941af 100644
--- a/yml/a138085e-bfe5-46ba-a242-74a6fb884af3.yml
+++ b/yml/a138085e-bfe5-46ba-a242-74a6fb884af3.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Local Account'
Attack_description: |-
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
- Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
+ Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
guid: a138085e-bfe5-46ba-a242-74a6fb884af3
name: Enumerate logged on users via CMD (Local)
tactic:
diff --git a/yml/a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b.yml b/yml/a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b.yml
index b43ec0fe..8212276f 100644
--- a/yml/a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b.yml
+++ b/yml/a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
name: Windows - BITSAdmin BITS Download
tactic:
diff --git a/yml/a21118de-b11e-4ebd-b655-42f11142df0c.yml b/yml/a21118de-b11e-4ebd-b655-42f11142df0c.yml
index 47664015..161888c3 100644
--- a/yml/a21118de-b11e-4ebd-b655-42f11142df0c.yml
+++ b/yml/a21118de-b11e-4ebd-b655-42f11142df0c.yml
@@ -1,7 +1,7 @@
Attack_name: Unsecured Credentials
-Attack_description: Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including
- plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)),
- or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).
+Attack_description: 'Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including
+ plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or
+ other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).(Citation: Brining MimiKatz to Unix)'
guid: a21118de-b11e-4ebd-b655-42f11142df0c
name: AWS - Retrieve EC2 Password Data using stratus
tactic:
diff --git a/yml/a27418de-bdce-4ebd-b655-38f04842bf0c.yml b/yml/a27418de-bdce-4ebd-b655-38f04842bf0c.yml
index 870a9725..fec339d8 100644
--- a/yml/a27418de-bdce-4ebd-b655-38f04842bf0c.yml
+++ b/yml/a27418de-bdce-4ebd-b655-38f04842bf0c.yml
@@ -2,7 +2,7 @@ Attack_name: 'OS Credential Dumping: Proc Filesystem'
Attack_description: |-
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
- When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns that are indicative of credentials, such as looking for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)
+ When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | cut -d' ' -f 1
, to look for fixed strings in memory structures or cached hashes.(Citation: atomic-red proc file system) When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)
If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.
guid: a27418de-bdce-4ebd-b655-38f04842bf0c
diff --git a/yml/a3a0d4c9-c068-4563-a08d-583bd05b884c.yml b/yml/a3a0d4c9-c068-4563-a08d-583bd05b884c.yml
index 7844f96d..28bc5f6d 100644
--- a/yml/a3a0d4c9-c068-4563-a08d-583bd05b884c.yml
+++ b/yml/a3a0d4c9-c068-4563-a08d-583bd05b884c.yml
@@ -1,10 +1,10 @@
Attack_name: Network Sniffing
Attack_description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+ Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
diff --git a/yml/a4420f93-5386-4290-b780-f4f66abc7070.yml b/yml/a4420f93-5386-4290-b780-f4f66abc7070.yml
index e9c996a3..eabbe142 100644
--- a/yml/a4420f93-5386-4290-b780-f4f66abc7070.yml
+++ b/yml/a4420f93-5386-4290-b780-f4f66abc7070.yml
@@ -11,6 +11,7 @@ Attack_description: |-
* wbadmin.exe
can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe
can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
* REAgentC.exe
can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
+ * diskshadow.exe
can be used to delete all volume shadow copies on a system - diskshadow delete shadows all
(Citation: Diskshadow) (Citation: Crytox Ransomware)
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
diff --git a/yml/a4651931-ebbb-4cde-9363-ddf3d66214cb.yml b/yml/a4651931-ebbb-4cde-9363-ddf3d66214cb.yml
index 9763f215..22a20c8a 100644
--- a/yml/a4651931-ebbb-4cde-9363-ddf3d66214cb.yml
+++ b/yml/a4651931-ebbb-4cde-9363-ddf3d66214cb.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: a4651931-ebbb-4cde-9363-ddf3d66214cb
name: LockBit Black - Unusual Windows firewall registry modification -cmd
tactic:
diff --git a/yml/a54d497e-8dbe-4558-9895-44944baa395f.yml b/yml/a54d497e-8dbe-4558-9895-44944baa395f.yml
index d571e6ef..8926a7c8 100644
--- a/yml/a54d497e-8dbe-4558-9895-44944baa395f.yml
+++ b/yml/a54d497e-8dbe-4558-9895-44944baa395f.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: a54d497e-8dbe-4558-9895-44944baa395f
name: Account Enumeration with LDAPDomainDump
tactic:
diff --git a/yml/a55a22e9-a3d3-42ce-bd48-2653adb8f7a9.yml b/yml/a55a22e9-a3d3-42ce-bd48-2653adb8f7a9.yml
index 8ba7d193..155f4c24 100644
--- a/yml/a55a22e9-a3d3-42ce-bd48-2653adb8f7a9.yml
+++ b/yml/a55a22e9-a3d3-42ce-bd48-2653adb8f7a9.yml
@@ -1,8 +1,9 @@
Attack_name: Account Manipulation
Attack_description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to
- a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password
- updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on
- systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
+ a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies,
+ such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already
+ have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9
name: Domain Account and Group Manipulate
tactic:
diff --git a/yml/a5b2f6a0-24b4-493e-9590-c699f75723ca.yml b/yml/a5b2f6a0-24b4-493e-9590-c699f75723ca.yml
index 6471e008..1c0b0602 100644
--- a/yml/a5b2f6a0-24b4-493e-9590-c699f75723ca.yml
+++ b/yml/a5b2f6a0-24b4-493e-9590-c699f75723ca.yml
@@ -1,10 +1,10 @@
Attack_name: Network Sniffing
Attack_description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+ Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
diff --git a/yml/a960185f-aef6-4547-8350-d1ce16680d09.yml b/yml/a960185f-aef6-4547-8350-d1ce16680d09.yml
index 84e08106..f7be410a 100644
--- a/yml/a960185f-aef6-4547-8350-d1ce16680d09.yml
+++ b/yml/a960185f-aef6-4547-8350-d1ce16680d09.yml
@@ -6,11 +6,12 @@ Attack_description: "Adversaries may employ various system checks to detect and
[Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082),
and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware,
and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include
- generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nOther
- common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications,
- and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \n \n
- Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific
- readings from these devices.(Citation: Unit 42 OilRig Sept 2018)"
+ generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Once executed,
+ malware may also use [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) to check if it was saved in a folder or file with unexpected or even analysis-related naming artifacts such
+ as `malware`, `sample`, or `hash`.\n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings
+ relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port
+ to send commands and receive output. \n \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment.
+ Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)"
guid: a960185f-aef6-4547-8350-d1ce16680d09
name: Detect Virtualization Environment (MacOS)
tactic:
diff --git a/yml/aa1180e2-f329-4e1e-8625-2472ec0bfaf3.yml b/yml/aa1180e2-f329-4e1e-8625-2472ec0bfaf3.yml
index 898bb873..804915ea 100644
--- a/yml/aa1180e2-f329-4e1e-8625-2472ec0bfaf3.yml
+++ b/yml/aa1180e2-f329-4e1e-8625-2472ec0bfaf3.yml
@@ -1,10 +1,10 @@
Attack_name: Automated Collection
Attack_description: "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command
- and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based
- environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote
- access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)
- to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify
- resources in cloud environments."
+ and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. \n\nIn cloud-based
+ environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.(Citation: Mandiant UNC3944 SMS
+ Phishing 2023) \n\nThis functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)
+ and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object
+ Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments."
guid: aa1180e2-f329-4e1e-8625-2472ec0bfaf3
name: Recon information for export with Command Prompt
tactic:
diff --git a/yml/aaa87b0e-5232-4649-ae5c-f1724a4b2798.yml b/yml/aaa87b0e-5232-4649-ae5c-f1724a4b2798.yml
index edc3b5da..3b1a7689 100644
--- a/yml/aaa87b0e-5232-4649-ae5c-f1724a4b2798.yml
+++ b/yml/aaa87b0e-5232-4649-ae5c-f1724a4b2798.yml
@@ -2,7 +2,7 @@ Attack_name: 'Unsecured Credentials: Credentials In Files'
Attack_description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
- It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)
+ It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP)
In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)
guid: aaa87b0e-5232-4649-ae5c-f1724a4b2798
diff --git a/yml/abf00f6c-9983-4d9a-afbc-6b1c6c6448e1.yml b/yml/abf00f6c-9983-4d9a-afbc-6b1c6c6448e1.yml
index 2965cc13..f4f7994f 100644
--- a/yml/abf00f6c-9983-4d9a-afbc-6b1c6c6448e1.yml
+++ b/yml/abf00f6c-9983-4d9a-afbc-6b1c6c6448e1.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: abf00f6c-9983-4d9a-afbc-6b1c6c6448e1
name: Suspicious LAPS Attributes Query with adfind all properties
tactic:
diff --git a/yml/ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b.yml b/yml/ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b.yml
index d2aa3c84..276e8416 100644
--- a/yml/ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b.yml
+++ b/yml/ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Local Account'
Attack_description: |-
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
- Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
+ Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
guid: ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b
name: Enumerate all accounts via PowerShell (Local)
tactic:
diff --git a/yml/afe369c2-b42e-447f-98a3-fb1f4e2b8552.yml b/yml/afe369c2-b42e-447f-98a3-fb1f4e2b8552.yml
index 498a0a75..0d4f1505 100644
--- a/yml/afe369c2-b42e-447f-98a3-fb1f4e2b8552.yml
+++ b/yml/afe369c2-b42e-447f-98a3-fb1f4e2b8552.yml
@@ -1,7 +1,7 @@
Attack_name: Credentials from Password Stores
-Attack_description: Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application
- holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults.
- Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
+Attack_description: 'Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending
+ on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password
+ managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.'
guid: afe369c2-b42e-447f-98a3-fb1f4e2b8552
name: WinPwn - Loot local Credentials - Wifi Credentials
tactic:
diff --git a/yml/afedc8c4-038c-4d82-b3e5-623a95f8a612.yml b/yml/afedc8c4-038c-4d82-b3e5-623a95f8a612.yml
index 12c4f4fa..18c90d0a 100644
--- a/yml/afedc8c4-038c-4d82-b3e5-623a95f8a612.yml
+++ b/yml/afedc8c4-038c-4d82-b3e5-623a95f8a612.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
name: Disable Microsoft Defender Firewall via Registry
tactic:
diff --git a/yml/b13e9306-3351-4b4b-a6e8-477358b0b498.yml b/yml/b13e9306-3351-4b4b-a6e8-477358b0b498.yml
index 6f7c23c6..c984ca52 100644
--- a/yml/b13e9306-3351-4b4b-a6e8-477358b0b498.yml
+++ b/yml/b13e9306-3351-4b4b-a6e8-477358b0b498.yml
@@ -2,13 +2,16 @@ Attack_name: 'Indicator Removal on Host: Clear Windows Event Logs'
Attack_description: |-
Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
- The event logs can be cleared with the following utility commands:
+
+ With administrator privileges, the event logs can be cleared with the following utility commands:
* wevtutil cl system
* wevtutil cl application
* wevtutil cl security
- These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security
to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)
+ These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security
to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)
+
+ Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\Windows\System32\winevt\logs\`.
guid: b13e9306-3351-4b4b-a6e8-477358b0b498
name: Delete System Logs Using Clear-EventLog
tactic:
diff --git a/yml/b1729c57-9384-4d1c-9b99-9b220afb384e.yml b/yml/b1729c57-9384-4d1c-9b99-9b220afb384e.yml
index 958c41ed..92543a73 100644
--- a/yml/b1729c57-9384-4d1c-9b99-9b220afb384e.yml
+++ b/yml/b1729c57-9384-4d1c-9b99-9b220afb384e.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: b1729c57-9384-4d1c-9b99-9b220afb384e
name: Nimgrab - Transfer Files
tactic:
diff --git a/yml/b1b8128b-c5d4-4de9-bf70-e60419274562.yml b/yml/b1b8128b-c5d4-4de9-bf70-e60419274562.yml
index 4a4feae3..c48f43bf 100644
--- a/yml/b1b8128b-c5d4-4de9-bf70-e60419274562.yml
+++ b/yml/b1b8128b-c5d4-4de9-bf70-e60419274562.yml
@@ -3,8 +3,9 @@ Attack_description: "An adversary may use legitimate desktop support and remote
such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and
may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\n\nRemote access
software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They
- may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n \nAdversaries may similarly abuse response features included
- in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003))."
+ may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.\n \nAdversaries may similarly abuse response features included
+ in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).
+ Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)"
guid: b1b8128b-c5d4-4de9-bf70-e60419274562
name: MSP360 Connect Execution
tactic:
diff --git a/yml/b1cbdf8b-6078-48f5-a890-11ea19d7f8e9.yml b/yml/b1cbdf8b-6078-48f5-a890-11ea19d7f8e9.yml
index da123c11..7d84ce91 100644
--- a/yml/b1cbdf8b-6078-48f5-a890-11ea19d7f8e9.yml
+++ b/yml/b1cbdf8b-6078-48f5-a890-11ea19d7f8e9.yml
@@ -1,10 +1,10 @@
Attack_name: Network Sniffing
Attack_description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+ Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
diff --git a/yml/b2563a4e-c4b8-429c-8d47-d5bcb227ba7a.yml b/yml/b2563a4e-c4b8-429c-8d47-d5bcb227ba7a.yml
index 4dbf1332..3fdc0daa 100644
--- a/yml/b2563a4e-c4b8-429c-8d47-d5bcb227ba7a.yml
+++ b/yml/b2563a4e-c4b8-429c-8d47-d5bcb227ba7a.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: b2563a4e-c4b8-429c-8d47-d5bcb227ba7a
name: Add and delete UFW firewall rules
tactic:
diff --git a/yml/b299c120-44a7-4d68-b8e2-8ba5a28511ec.yml b/yml/b299c120-44a7-4d68-b8e2-8ba5a28511ec.yml
index 2bbd1c3c..bf8dac06 100644
--- a/yml/b299c120-44a7-4d68-b8e2-8ba5a28511ec.yml
+++ b/yml/b299c120-44a7-4d68-b8e2-8ba5a28511ec.yml
@@ -1,8 +1,9 @@
Attack_name: Account Manipulation
Attack_description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to
- a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password
- updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on
- systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
+ a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies,
+ such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already
+ have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
guid: b299c120-44a7-4d68-b8e2-8ba5a28511ec
name: 'Domain Password Policy Check: No Uppercase Character in Password'
tactic:
diff --git a/yml/b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3.yml b/yml/b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3.yml
index 6193accc..d11ccfc5 100644
--- a/yml/b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3.yml
+++ b/yml/b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3.yml
@@ -1,8 +1,12 @@
Attack_name: Windows Management Instrumentation
Attack_description: |-
- Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)
+ Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
- An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
+ The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)
+
+ An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)
+
+ **Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
guid: b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3
name: WMI Execute Local Process
tactic:
diff --git a/yml/b4988cad-6ed2-434d-ace5-ea2670782129.yml b/yml/b4988cad-6ed2-434d-ace5-ea2670782129.yml
index 734ed7f1..6c32187d 100644
--- a/yml/b4988cad-6ed2-434d-ace5-ea2670782129.yml
+++ b/yml/b4988cad-6ed2-434d-ace5-ea2670782129.yml
@@ -1,11 +1,15 @@
Attack_name: Software Deployment Tools
-Attack_description: "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally
- through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). \n\nAccess to a third-party
- network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other
- systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries.
- (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\n\nThe permissions required for this action vary by system configuration; local credentials may
- be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended
- purpose."
+Attack_description: "Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management
+ and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples
+ of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager. \n\nAccess to network-wide or enterprise-wide endpoint management software
+ may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping
+ the hard drives on all endpoints.\n\nSaaS-based configuration management services may allow for broad [Cloud Administration Command](https://attack.mitre.org/techniques/T1651) on cloud-hosted instances,
+ as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
+ joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001) to communicate back
+ to adversary owned infrastructure.(Citation: Mitiga Security Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices may also have configuration management tools that can be similarly
+ abused by adversaries.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\n\nThe permissions required for this action vary by system configuration;
+ local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or
+ to access specific functionality."
guid: b4988cad-6ed2-434d-ace5-ea2670782129
name: Radmin Viewer Utility
tactic:
diff --git a/yml/b51239b4-0129-474f-a2b4-70f855b9f2c2.yml b/yml/b51239b4-0129-474f-a2b4-70f855b9f2c2.yml
index 1d91d1cd..84d35143 100644
--- a/yml/b51239b4-0129-474f-a2b4-70f855b9f2c2.yml
+++ b/yml/b51239b4-0129-474f-a2b4-70f855b9f2c2.yml
@@ -1,10 +1,11 @@
Attack_name: Process Discovery
-Attack_description: |-
- Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process
via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot
. In Mac and Linux, this is accomplished with the ps
command. Adversaries may also opt to enumerate processes via /proc.
-
- On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)
+Attack_description: "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on
+ systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057)
+ during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could
+ obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process
via [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot
. In Mac and Linux, this
+ is accomplished with the ps
command. Adversaries may also opt to enumerate processes via `/proc`. \n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+ commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)"
guid: b51239b4-0129-474f-a2b4-70f855b9f2c2
name: Process Discovery - get-wmiObject
tactic:
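Review bot: The rewritten `Attack_description` in this hunk switches from the `|-` literal block the file used before to a double-quoted scalar with `\n\n` escapes, while the GUI Input Capture file (b7037b89-947a-427a-ba29-e7e9f09bc045.yml) in the same commit moves the opposite way, from a quoted scalar to `|-`. Presumably the dumper picks the scalar style per value, which turns a one-sentence text update into a full rewrite of the field and makes these sync diffs hard to review; fixing one style for this field in the generator (e.g. always `|-`) would keep the diff limited to real text changes. Within the same value, `Get-Process`, `CreateToolhelp32Snapshot` and `ps` appear to carry inline markup that renders as broken lines here, whereas `/proc` and `show processes` use backticks; normalising inline code to backticks at generation time seems worth checking so the description renders consistently.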
diff --git a/yml/b5656f67-d67f-4de8-8e62-b5581630f528.yml b/yml/b5656f67-d67f-4de8-8e62-b5581630f528.yml
index be9dc176..8a7e4c64 100644
--- a/yml/b5656f67-d67f-4de8-8e62-b5581630f528.yml
+++ b/yml/b5656f67-d67f-4de8-8e62-b5581630f528.yml
@@ -1,10 +1,10 @@
Attack_name: Network Sniffing
Attack_description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+ Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
diff --git a/yml/b7037b89-947a-427a-ba29-e7e9f09bc045.yml b/yml/b7037b89-947a-427a-ba29-e7e9f09bc045.yml
index 1422061d..fac0ebec 100644
--- a/yml/b7037b89-947a-427a-ba29-e7e9f09bc045.yml
+++ b/yml/b7037b89-947a-427a-ba29-e7e9f09bc045.yml
@@ -1,12 +1,10 @@
Attack_name: 'Input Capture: GUI Input Capture'
-Attack_description: "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges
- than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account
- Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic
- normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via
- various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs)
- and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On
- Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation:
- Spoofing credential dialogs) "
+Attack_description: |-
+ Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).
+
+ Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs)
+
+ Adversaries may also mimic common software authentication requests, such as those from browsers or email clients. This may also be paired with user activity monitoring (i.e., [Browser Information Discovery](https://attack.mitre.org/techniques/T1217) and/or [Application Window Discovery](https://attack.mitre.org/techniques/T1010)) to spoof prompts when users are naturally accessing sensitive sites/data.
guid: b7037b89-947a-427a-ba29-e7e9f09bc045
name: AppleScript - Spoofing a credential prompt using osascript
tactic:
diff --git a/yml/b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1.yml b/yml/b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1.yml
index 3d968678..900bec76 100644
--- a/yml/b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1.yml
+++ b/yml/b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1.yml
@@ -1,6 +1,6 @@
Attack_name: 'Pre-OS Boot: System Firmware'
Attack_description: |-
- Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
+ Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.(Citation: Wikipedia BIOS)(Citation: Wikipedia UEFI)(Citation: About UEFI)
System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.
guid: b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1
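Review bot: The new line still reads `systems.The BIOS` with no space after the full stop; only the spacing around the `(Citation: …)` markers was normalised. Since this value is synced from the upstream ATT&CK description, the fix belongs in the source text or in the generator's normalisation step rather than a hand edit of this file, otherwise the next sync reintroduces it.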
diff --git a/yml/b8a563d4-a836-4993-a74e-0a19b8481bfe.yml b/yml/b8a563d4-a836-4993-a74e-0a19b8481bfe.yml
index 37ee1ad3..345f1afa 100644
--- a/yml/b8a563d4-a836-4993-a74e-0a19b8481bfe.yml
+++ b/yml/b8a563d4-a836-4993-a74e-0a19b8481bfe.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: b8a563d4-a836-4993-a74e-0a19b8481bfe
name: Wevtutil - Discover NTLM Users Remote
tactic:
diff --git a/yml/b8e747c3-bdf7-4d71-bce2-f1df2a057406.yml b/yml/b8e747c3-bdf7-4d71-bce2-f1df2a057406.yml
index 67011c1f..0536702f 100644
--- a/yml/b8e747c3-bdf7-4d71-bce2-f1df2a057406.yml
+++ b/yml/b8e747c3-bdf7-4d71-bce2-f1df2a057406.yml
@@ -10,8 +10,9 @@ Attack_description: "Adversaries may add adversary-controlled credentials to a c
in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure
AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service
principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) \n\nIn AWS environments, adversaries with the appropriate
- permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the
- duration of their lifetime even if the original account’s API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation Persistence)"
+ permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials to [Forge Web Credentials](https://attack.mitre.org/techniques/T1606) tied to the permissions of
+ the original user account. These temporary credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.\n(Citation: Crowdstrike AWS User
+ Federation Persistence)"
guid: b8e747c3-bdf7-4d71-bce2-f1df2a057406
name: Azure AD Application Hijacking - Service Principal
tactic:
diff --git a/yml/b95fd967-4e62-4109-b48d-265edfd28c3a.yml b/yml/b95fd967-4e62-4109-b48d-265edfd28c3a.yml
index bc4e52d3..1d07cb82 100644
--- a/yml/b95fd967-4e62-4109-b48d-265edfd28c3a.yml
+++ b/yml/b95fd967-4e62-4109-b48d-265edfd28c3a.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: b95fd967-4e62-4109-b48d-265edfd28c3a
name: Adfind - Enumerate Active Directory Admins
tactic:
diff --git a/yml/b9d22b9a-9778-4426-abf0-568ea64e9c33.yml b/yml/b9d22b9a-9778-4426-abf0-568ea64e9c33.yml
index 74dbefea..52629714 100644
--- a/yml/b9d22b9a-9778-4426-abf0-568ea64e9c33.yml
+++ b/yml/b9d22b9a-9778-4426-abf0-568ea64e9c33.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: b9d22b9a-9778-4426-abf0-568ea64e9c33
name: scp remote file copy (pull)
tactic:
diff --git a/yml/ba62ce11-e820-485f-9c17-6f3c857cd840.yml b/yml/ba62ce11-e820-485f-9c17-6f3c857cd840.yml
index 62fda385..3d0eab6f 100644
--- a/yml/ba62ce11-e820-485f-9c17-6f3c857cd840.yml
+++ b/yml/ba62ce11-e820-485f-9c17-6f3c857cd840.yml
@@ -1,10 +1,10 @@
Attack_name: 'Software Discovery: Security Software Discovery'
Attack_description: |-
- Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query
with [Reg](https://attack.mitre.org/software/S0075), dir
with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
- Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the DescribeSecurityGroups
action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)
+ Adversaries may also utilize the [Cloud API](https://attack.mitre.org/techniques/T1059/009) to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.
guid: ba62ce11-e820-485f-9c17-6f3c857cd840
name: Security Software Discovery - ps (macOS)
tactic:
diff --git a/yml/bac8a340-be64-4491-a0cc-0985cb227f5a.yml b/yml/bac8a340-be64-4491-a0cc-0985cb227f5a.yml
index 3e0e5801..1c8e6292 100644
--- a/yml/bac8a340-be64-4491-a0cc-0985cb227f5a.yml
+++ b/yml/bac8a340-be64-4491-a0cc-0985cb227f5a.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: bac8a340-be64-4491-a0cc-0985cb227f5a
name: ESXi - Disable Firewall via Esxcli
tactic:
diff --git a/yml/bc071188-459f-44d5-901a-f8f2625b2d2e.yml b/yml/bc071188-459f-44d5-901a-f8f2625b2d2e.yml
index eb9ded2b..8ee5492c 100644
--- a/yml/bc071188-459f-44d5-901a-f8f2625b2d2e.yml
+++ b/yml/bc071188-459f-44d5-901a-f8f2625b2d2e.yml
@@ -1,7 +1,7 @@
Attack_name: Credentials from Password Stores
-Attack_description: Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application
- holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults.
- Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
+Attack_description: 'Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending
+ on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password
+ managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.'
guid: bc071188-459f-44d5-901a-f8f2625b2d2e
name: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]
tactic:
diff --git a/yml/bc25c04b-841e-4965-855f-d1f645d7ab73.yml b/yml/bc25c04b-841e-4965-855f-d1f645d7ab73.yml
index ce4fc16a..a11029ca 100644
--- a/yml/bc25c04b-841e-4965-855f-d1f645d7ab73.yml
+++ b/yml/bc25c04b-841e-4965-855f-d1f645d7ab73.yml
@@ -2,7 +2,7 @@ Attack_name: Group Policy Discovery
Attack_description: |-
Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\SYSVOL\\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
- Adversaries may use commands such as gpresult
or various publicly available PowerShell functions, such as Get-DomainGPO
and Get-DomainGPOLocalGroup
, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.
+ Adversaries may use commands such as gpresult
or various publicly available PowerShell functions, such as Get-DomainGPO
and Get-DomainGPOLocalGroup
, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain or Tenant Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.
guid: bc25c04b-841e-4965-855f-d1f645d7ab73
name: WinPwn - GPOAudit
tactic:
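Review bot: The new side still carries hard line breaks in the middle of one sentence around `gpresult`, `Get-DomainGPO` and `Get-DomainGPOLocalGroup` (the fragment `, to gather information on Group Policy settings` starts its own line), and inside a `|-` block scalar those breaks are preserved literally, so the stored description is a set of fragments rather than a paragraph. This looks like an extraction artifact where the inline code markup of the upstream description was dropped together with its surrounding whitespace; the `comsvcs.dll` and `wmic.exe` hunks in this same commit show the intended form, with the tool name wrapped in backticks and the sentence kept on a single line. Since these files appear to be generated, the fix belongs in the generator's handling of inline code spans rather than in a hand edit of this hunk. The same artifact is visible in the context lines of the `bdc373c5`, `c01cad7f`, `c37bc535` and `c5806a4f` hunks (around `Invoke-WebRequest`, the two `Security Packages` Registry keys, and `Get-Process` / `CreateToolhelp32Snapshot` / `ps`).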
diff --git a/yml/bd4cf0d1-7646-474e-8610-78ccf5a097c4.yml b/yml/bd4cf0d1-7646-474e-8610-78ccf5a097c4.yml
index 151e9717..10b0af62 100644
--- a/yml/bd4cf0d1-7646-474e-8610-78ccf5a097c4.yml
+++ b/yml/bd4cf0d1-7646-474e-8610-78ccf5a097c4.yml
@@ -2,7 +2,7 @@ Attack_name: 'Unsecured Credentials: Credentials In Files'
Attack_description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
- It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)
+ It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP)
In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)
guid: bd4cf0d1-7646-474e-8610-78ccf5a097c4
diff --git a/yml/bdc373c5-e9cf-4563-8a7b-a9ba720a90f3.yml b/yml/bdc373c5-e9cf-4563-8a7b-a9ba720a90f3.yml
index 34460393..5995d828 100644
--- a/yml/bdc373c5-e9cf-4563-8a7b-a9ba720a90f3.yml
+++ b/yml/bdc373c5-e9cf-4563-8a7b-a9ba720a90f3.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: bdc373c5-e9cf-4563-8a7b-a9ba720a90f3
name: Linux Download File and Run
tactic:
diff --git a/yml/beaf815a-c883-4194-97e9-fdbbb2bbdd7c.yml b/yml/beaf815a-c883-4194-97e9-fdbbb2bbdd7c.yml
index 1e2de73a..45fead7e 100644
--- a/yml/beaf815a-c883-4194-97e9-fdbbb2bbdd7c.yml
+++ b/yml/beaf815a-c883-4194-97e9-fdbbb2bbdd7c.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: beaf815a-c883-4194-97e9-fdbbb2bbdd7c
name: Edit UFW firewall user.rules file
tactic:
diff --git a/yml/c01cad7f-7a4c-49df-985e-b190dcf6a279.yml b/yml/c01cad7f-7a4c-49df-985e-b190dcf6a279.yml
index 58134ee1..5de3e5f0 100644
--- a/yml/c01cad7f-7a4c-49df-985e-b190dcf6a279.yml
+++ b/yml/c01cad7f-7a4c-49df-985e-b190dcf6a279.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: c01cad7f-7a4c-49df-985e-b190dcf6a279
name: iwr or Invoke Web-Request download
tactic:
diff --git a/yml/c107778c-dcf5-47c5-af2e-1d058a3df3ea.yml b/yml/c107778c-dcf5-47c5-af2e-1d058a3df3ea.yml
index 4547d69f..24eeda36 100644
--- a/yml/c107778c-dcf5-47c5-af2e-1d058a3df3ea.yml
+++ b/yml/c107778c-dcf5-47c5-af2e-1d058a3df3ea.yml
@@ -1,8 +1,12 @@
Attack_name: Windows Management Instrumentation
Attack_description: |-
- Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)
+ Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
- An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
+ The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)
+
+ An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)
+
+ **Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
guid: c107778c-dcf5-47c5-af2e-1d058a3df3ea
name: WMI Reconnaissance Users
tactic:
diff --git a/yml/c1d8c4eb-88da-4927-ae97-c7c25893803b.yml b/yml/c1d8c4eb-88da-4927-ae97-c7c25893803b.yml
index 0a93360a..7e1a314b 100644
--- a/yml/c1d8c4eb-88da-4927-ae97-c7c25893803b.yml
+++ b/yml/c1d8c4eb-88da-4927-ae97-c7c25893803b.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: c1d8c4eb-88da-4927-ae97-c7c25893803b
name: Edit UFW firewall ufw.conf file
tactic:
diff --git a/yml/c35ac4a8-19de-43af-b9f8-755da7e89c89.yml b/yml/c35ac4a8-19de-43af-b9f8-755da7e89c89.yml
index 6115d901..c452ee82 100644
--- a/yml/c35ac4a8-19de-43af-b9f8-755da7e89c89.yml
+++ b/yml/c35ac4a8-19de-43af-b9f8-755da7e89c89.yml
@@ -8,7 +8,7 @@ Attack_description: "Adversaries may create or modify systemd services to repeat
start.\n* `ExecReload` directive executes when a service restarts. \n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. \n\nAdversaries have created new service
files, altered the commands a `.service` file’s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place
symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation:
- Rapid7 Service Persistence 22JUNE2016) "
+ Rapid7 Service Persistence 22JUNE2016) \n\nThe .service file’s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions. "
guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
name: Create Systemd Service file, Enable the service , Modify and Reload the service.
tactic:
diff --git a/yml/c37bc535-5c62-4195-9cc3-0517673171d8.yml b/yml/c37bc535-5c62-4195-9cc3-0517673171d8.yml
index d6222ddc..2f1f3baf 100644
--- a/yml/c37bc535-5c62-4195-9cc3-0517673171d8.yml
+++ b/yml/c37bc535-5c62-4195-9cc3-0517673171d8.yml
@@ -13,10 +13,11 @@ Attack_description: |
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
- Built-in Windows tools such as comsvcs.dll can also be used:
+ Built-in Windows tools such as `comsvcs.dll` can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full
(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
+ Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
diff --git a/yml/c3e35b58-fe1c-480b-b540-7600fb612563.yml b/yml/c3e35b58-fe1c-480b-b540-7600fb612563.yml
index ac4e80ec..e11486d9 100644
--- a/yml/c3e35b58-fe1c-480b-b540-7600fb612563.yml
+++ b/yml/c3e35b58-fe1c-480b-b540-7600fb612563.yml
@@ -2,7 +2,7 @@ Attack_name: 'Office Application Startup: Office Test'
Attack_description: |-
Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)
- There exist user and global Registry keys for the Office Test feature:
+ There exist user and global Registry keys for the Office Test feature, such as:
* HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf
* HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf
diff --git a/yml/c3f6d794-50dd-482f-b640-0384fbb7db26.yml b/yml/c3f6d794-50dd-482f-b640-0384fbb7db26.yml
index 61d3ef25..66bd176f 100644
--- a/yml/c3f6d794-50dd-482f-b640-0384fbb7db26.yml
+++ b/yml/c3f6d794-50dd-482f-b640-0384fbb7db26.yml
@@ -1,10 +1,10 @@
Attack_name: Automated Collection
Attack_description: "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command
- and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based
- environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote
- access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)
- to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify
- resources in cloud environments."
+ and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. \n\nIn cloud-based
+ environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.(Citation: Mandiant UNC3944 SMS
+ Phishing 2023) \n\nThis functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)
+ and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object
+ Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments."
guid: c3f6d794-50dd-482f-b640-0384fbb7db26
name: Recon information for export with PowerShell
tactic:
diff --git a/yml/c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b.yml b/yml/c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b.yml
index aea33a63..bdbc532d 100644
--- a/yml/c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b.yml
+++ b/yml/c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b.yml
@@ -2,6 +2,8 @@ Attack_name: Software Discovery
Attack_description: |-
Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Such software may be deployed widely across the environment for configuration management or security reasons, such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072), and may allow adversaries broad access to infect devices or move laterally.
+
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).
guid: c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b
name: Applications Installed
diff --git a/yml/c4ae0701-88d3-4cd8-8bce-4801ed9f97e4.yml b/yml/c4ae0701-88d3-4cd8-8bce-4801ed9f97e4.yml
index 77f79b04..36527b09 100644
--- a/yml/c4ae0701-88d3-4cd8-8bce-4801ed9f97e4.yml
+++ b/yml/c4ae0701-88d3-4cd8-8bce-4801ed9f97e4.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: c4ae0701-88d3-4cd8-8bce-4801ed9f97e4
name: Edit UFW firewall sysctl.conf file
tactic:
diff --git a/yml/c510d25b-1667-467d-8331-a56d3e9bc4ff.yml b/yml/c510d25b-1667-467d-8331-a56d3e9bc4ff.yml
index 5db5a862..6dab7543 100644
--- a/yml/c510d25b-1667-467d-8331-a56d3e9bc4ff.yml
+++ b/yml/c510d25b-1667-467d-8331-a56d3e9bc4ff.yml
@@ -1,8 +1,12 @@
Attack_name: Windows Management Instrumentation
Attack_description: |-
- Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)
+ Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
- An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
+ The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)
+
+ An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)
+
+ **Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
guid: c510d25b-1667-467d-8331-a56d3e9bc4ff
name: Application uninstall using WMIC
tactic:
diff --git a/yml/c5806a4f-62b8-4900-980b-c7ec004e9908.yml b/yml/c5806a4f-62b8-4900-980b-c7ec004e9908.yml
index 6f4be84a..f9e40ac5 100644
--- a/yml/c5806a4f-62b8-4900-980b-c7ec004e9908.yml
+++ b/yml/c5806a4f-62b8-4900-980b-c7ec004e9908.yml
@@ -1,10 +1,11 @@
Attack_name: Process Discovery
-Attack_description: |-
- Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
- In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process
via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot
. In Mac and Linux, this is accomplished with the ps
command. Adversaries may also opt to enumerate processes via /proc.
-
- On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)
+Attack_description: "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on
+ systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057)
+ during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could
+ obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process
via [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+ Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot
. In Mac and Linux, this
+ is accomplished with the ps
command. Adversaries may also opt to enumerate processes via `/proc`. \n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+ commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)"
guid: c5806a4f-62b8-4900-980b-c7ec004e9908
name: Process Discovery - tasklist
tactic:
diff --git a/yml/c5bec457-43c9-4a18-9a24-fe151d8971b7.yml b/yml/c5bec457-43c9-4a18-9a24-fe151d8971b7.yml
index 99af0f3a..e35620e4 100644
--- a/yml/c5bec457-43c9-4a18-9a24-fe151d8971b7.yml
+++ b/yml/c5bec457-43c9-4a18-9a24-fe151d8971b7.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include dir
, tree
, ls
, find
, and locate
.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. dir
, show flash
, and/or nvram
).(Citation: US-CERT-TA18-106A)
+
+ Some files and directories may require elevated or specific user permissions to access.
guid: c5bec457-43c9-4a18-9a24-fe151d8971b7
name: Launch DirLister Executable
tactic:
diff --git a/yml/c67ba807-f48b-446e-b955-e4928cd1bf91.yml b/yml/c67ba807-f48b-446e-b955-e4928cd1bf91.yml
index f9bdf135..f9c992c1 100644
--- a/yml/c67ba807-f48b-446e-b955-e4928cd1bf91.yml
+++ b/yml/c67ba807-f48b-446e-b955-e4928cd1bf91.yml
@@ -1,10 +1,10 @@
Attack_name: Network Sniffing
Attack_description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+ Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
diff --git a/yml/c6c34f61-1c3e-40fb-8a58-d017d88286d8.yml b/yml/c6c34f61-1c3e-40fb-8a58-d017d88286d8.yml
index 55186b82..e58c5e47 100644
--- a/yml/c6c34f61-1c3e-40fb-8a58-d017d88286d8.yml
+++ b/yml/c6c34f61-1c3e-40fb-8a58-d017d88286d8.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include dir
, tree
, ls
, find
, and locate
.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. dir
, show flash
, and/or nvram
).(Citation: US-CERT-TA18-106A)
+
+ Some files and directories may require elevated or specific user permissions to access.
guid: c6c34f61-1c3e-40fb-8a58-d017d88286d8
name: Simulating MAZE Directory Enumeration
tactic:
diff --git a/yml/c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef.yml b/yml/c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef.yml
index ab532e7c..7c545d25 100644
--- a/yml/c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef.yml
+++ b/yml/c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef
name: Enumerate Default Domain Admin Details (Domain)
tactic:
diff --git a/yml/c7a0bb71-70ce-4a53-b115-881f241b795b.yml b/yml/c7a0bb71-70ce-4a53-b115-881f241b795b.yml
index dc825537..cc33ad6b 100644
--- a/yml/c7a0bb71-70ce-4a53-b115-881f241b795b.yml
+++ b/yml/c7a0bb71-70ce-4a53-b115-881f241b795b.yml
@@ -1,6 +1,6 @@
Attack_name: Audio Capture
Attack_description: |-
- An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.
+ An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)
Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.
guid: c7a0bb71-70ce-4a53-b115-881f241b795b
diff --git a/yml/c89becbe-1758-4e7d-a0f4-97d2188a23e3.yml b/yml/c89becbe-1758-4e7d-a0f4-97d2188a23e3.yml
index ae662c0b..8c91cd26 100644
--- a/yml/c89becbe-1758-4e7d-a0f4-97d2188a23e3.yml
+++ b/yml/c89becbe-1758-4e7d-a0f4-97d2188a23e3.yml
@@ -1,7 +1,7 @@
Attack_name: Credentials from Password Stores
-Attack_description: Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application
- holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults.
- Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
+Attack_description: 'Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending
+ on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password
+ managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.'
guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3
name: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
tactic:
diff --git a/yml/c8f4bc29-a151-48da-b3be-4680af56f404.yml b/yml/c8f4bc29-a151-48da-b3be-4680af56f404.yml
index d1bc701a..5665a983 100644
--- a/yml/c8f4bc29-a151-48da-b3be-4680af56f404.yml
+++ b/yml/c8f4bc29-a151-48da-b3be-4680af56f404.yml
@@ -1,8 +1,9 @@
Attack_name: Account Manipulation
Attack_description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to
- a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password
- updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on
- systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
+ a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies,
+ such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already
+ have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
guid: c8f4bc29-a151-48da-b3be-4680af56f404
name: Azure - adding service principal to Azure role in subscription
tactic:
diff --git a/yml/c93f2492-9ebe-44b5-8b45-36574cccfe67.yml b/yml/c93f2492-9ebe-44b5-8b45-36574cccfe67.yml
index 3d02a4f0..01a42c83 100644
--- a/yml/c93f2492-9ebe-44b5-8b45-36574cccfe67.yml
+++ b/yml/c93f2492-9ebe-44b5-8b45-36574cccfe67.yml
@@ -1,10 +1,10 @@
Attack_name: Network Sniffing
Attack_description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+ Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
diff --git a/yml/c955a599-3653-4fe5-b631-f11c00eb0397.yml b/yml/c955a599-3653-4fe5-b631-f11c00eb0397.yml
index 0f7e1950..644cfaaf 100644
--- a/yml/c955a599-3653-4fe5-b631-f11c00eb0397.yml
+++ b/yml/c955a599-3653-4fe5-b631-f11c00eb0397.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Local Account'
Attack_description: |-
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
- Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
+ Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
guid: c955a599-3653-4fe5-b631-f11c00eb0397
name: View accounts with UID 0
tactic:
diff --git a/yml/c99a829f-0bb8-4187-b2c6-d47d1df74cab.yml b/yml/c99a829f-0bb8-4187-b2c6-d47d1df74cab.yml
index bc3b2967..4926db2e 100644
--- a/yml/c99a829f-0bb8-4187-b2c6-d47d1df74cab.yml
+++ b/yml/c99a829f-0bb8-4187-b2c6-d47d1df74cab.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab
name: whois file download
tactic:
diff --git a/yml/c9dc9de3-f961-4284-bd2d-f959c9f9fda5.yml b/yml/c9dc9de3-f961-4284-bd2d-f959c9f9fda5.yml
index af9c76f9..eaa34e66 100644
--- a/yml/c9dc9de3-f961-4284-bd2d-f959c9f9fda5.yml
+++ b/yml/c9dc9de3-f961-4284-bd2d-f959c9f9fda5.yml
@@ -2,7 +2,7 @@ Attack_name: 'Unsecured Credentials: Credentials In Files'
Attack_description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
- It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)
+ It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP)
In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)
guid: c9dc9de3-f961-4284-bd2d-f959c9f9fda5
diff --git a/yml/cb379146-53f1-43e0-b884-7ce2c635ff5b.yml b/yml/cb379146-53f1-43e0-b884-7ce2c635ff5b.yml
index e4699d9f..103f6a05 100644
--- a/yml/cb379146-53f1-43e0-b884-7ce2c635ff5b.yml
+++ b/yml/cb379146-53f1-43e0-b884-7ce2c635ff5b.yml
@@ -1,10 +1,10 @@
Attack_name: Automated Collection
Attack_description: "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command
- and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based
- environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote
- access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)
- to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify
- resources in cloud environments."
+ and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. \n\nIn cloud-based
+ environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.(Citation: Mandiant UNC3944 SMS
+ Phishing 2023) \n\nThis functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)
+ and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object
+ Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments."
guid: cb379146-53f1-43e0-b884-7ce2c635ff5b
name: Automated Collection Command Prompt
tactic:
diff --git a/yml/cb790029-17e6-4c43-b96f-002ce5f10938.yml b/yml/cb790029-17e6-4c43-b96f-002ce5f10938.yml
index c3415a3d..6af0efa4 100644
--- a/yml/cb790029-17e6-4c43-b96f-002ce5f10938.yml
+++ b/yml/cb790029-17e6-4c43-b96f-002ce5f10938.yml
@@ -1,14 +1,16 @@
Attack_name: Browser Extensions
-Attack_description: |-
- Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
-
- Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.
-
- Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles
tool to install malicious .mobileconfig
files. In macOS 11+, the use of the profiles
tool can no longer install configuration profiles, however .mobileconfig
files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)
-
- Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)
-
- There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)
+Attack_description: "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize
+ aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser
+ Extension)(Citation: Chrome Extensions Definition)\n\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering,
+ or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious
+ Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration
+ file to silently install additional extensions.\n\nPrevious to macOS 11, adversaries could silently install browser extensions via the command line using the profiles
tool to install malicious
+ .mobileconfig
files. In macOS 11+, the use of the profiles
tool can no longer install configuration profiles, however .mobileconfig
files can be planted and installed
+ with user interaction.(Citation: xorrior chrome extensions macOS)\n\nOnce the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser
+ (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals
+ Creds)(Citation: Catch All Chrome Extension)\n\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for [Command and Control](https://attack.mitre.org/tactics/TA0011).(Citation:
+ Stantinko Botnet)(Citation: Chrome Extension C2 Malware) Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for [Defense
+ Evasion](https://attack.mitre.org/tactics/TA0005).(Citation: Browers FriarFox)(Citation: Browser Adrozek) "
guid: cb790029-17e6-4c43-b96f-002ce5f10938
name: Firefox
tactic:
diff --git a/yml/cbb6799a-425c-4f83-9194-5447a909d67f.yml b/yml/cbb6799a-425c-4f83-9194-5447a909d67f.yml
index 2a606ef3..a4f6c9d4 100644
--- a/yml/cbb6799a-425c-4f83-9194-5447a909d67f.yml
+++ b/yml/cbb6799a-425c-4f83-9194-5447a909d67f.yml
@@ -2,11 +2,11 @@ Attack_name: 'Phishing: Spearphishing Attachment'
Attack_description: "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing.
Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering
targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204)
- to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nThere are many options for the attachment such as Microsoft Office documents, executables,
- PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of
- the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions
- on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables
- appear to be document files, or files exploiting one application appear to be a file for a different one. "
+ to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nThere are many options for the attachment
+ such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly
+ executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to
+ do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions
+ and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. "
guid: cbb6799a-425c-4f83-9194-5447a909d67f
name: Word spawned a command shell and used an IP address in the command line
tactic:
diff --git a/yml/ce483c35-c74b-45a7-a670-631d1e69db3d.yml b/yml/ce483c35-c74b-45a7-a670-631d1e69db3d.yml
index 8c209ece..3a5fcd17 100644
--- a/yml/ce483c35-c74b-45a7-a670-631d1e69db3d.yml
+++ b/yml/ce483c35-c74b-45a7-a670-631d1e69db3d.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: ce483c35-c74b-45a7-a670-631d1e69db3d
name: WinPwn - generaldomaininfo
tactic:
diff --git a/yml/cf21060a-80b3-4238-a595-22525de4ab81.yml b/yml/cf21060a-80b3-4238-a595-22525de4ab81.yml
index 30f2cc6f..1f38db5a 100644
--- a/yml/cf21060a-80b3-4238-a595-22525de4ab81.yml
+++ b/yml/cf21060a-80b3-4238-a595-22525de4ab81.yml
@@ -11,6 +11,7 @@ Attack_description: |-
* wbadmin.exe
can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe
can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
* REAgentC.exe
can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
+ * diskshadow.exe
can be used to delete all volume shadow copies on a system - diskshadow delete shadows all
(Citation: Diskshadow) (Citation: Crytox Ransomware)
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
diff --git a/yml/d03683ec-aae0-42f9-9b4c-534780e0f8e1.yml b/yml/d03683ec-aae0-42f9-9b4c-534780e0f8e1.yml
index 721c0827..51e5b31e 100644
--- a/yml/d03683ec-aae0-42f9-9b4c-534780e0f8e1.yml
+++ b/yml/d03683ec-aae0-42f9-9b4c-534780e0f8e1.yml
@@ -3,8 +3,9 @@ Attack_description: "An adversary may use legitimate desktop support and remote
such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and
may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\n\nRemote access
software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They
- may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n \nAdversaries may similarly abuse response features included
- in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003))."
+ may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.\n \nAdversaries may similarly abuse response features included
+ in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).
+ Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)"
guid: d03683ec-aae0-42f9-9b4c-534780e0f8e1
name: LogMeIn Files Detected Test on Windows
tactic:
diff --git a/yml/d1fa2a69-b0a2-4e8a-9112-529b00c19a41.yml b/yml/d1fa2a69-b0a2-4e8a-9112-529b00c19a41.yml
new file mode 100644
index 00000000..83a75a3e
--- /dev/null
+++ b/yml/d1fa2a69-b0a2-4e8a-9112-529b00c19a41.yml
@@ -0,0 +1,19 @@
+Attack_name: Network Share Discovery
+Attack_description: "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential
+ systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\nFile sharing over
+ a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system
+ for available shared drives using the net view \\\\\\\\remotesystem
command. It can also be used to query shared drives on the local system using net share
. For macOS, the sharing
+ -l
command lists all shared points used for smb services."
+guid: d1fa2a69-b0a2-4e8a-9112-529b00c19a41
+name: Enumerate All Network Shares with SharpShares
+tactic:
+ - discovery
+technique:
+ - T1135
+os:
+ - windows
+description: "SharpShares is a command line tool that can be integrated with Cobalt Strike's execute-assembly module, allowing for the enumeration of network shares. \nThis technique has been utilized by
+ various ransomware groups, including BianLian.\n[Reference](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a)\n"
+executor: powershell
+sigma: false
+sigma_rule: []
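Review bot: The new record ends with `sigma: false` and `sigma_rule: []`, so this T1135 test (SharpShares share enumeration, run through execute-assembly per its description) is added with no Sigma detection mapped to it and the coverage gap is not surfaced anywhere in this hunk. Confirm the guid `d1fa2a69-b0a2-4e8a-9112-529b00c19a41` is also recorded wherever the repository tracks tests that lack Sigma coverage, so the gap is tracked rather than silently absent. A second point is the UNC escaping on the `net view \\\\\\\\remotesystem` line: inside this double-quoted scalar it yields four literal backslashes, whereas the comparable `net time \\hostname` in the d5d5a6b0 hunk sits in a `|-` literal block and yields two; if that is how the generator renders the upstream markdown it is harmless, but it reads inconsistently and is worth a check against the source data.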
diff --git a/yml/d239772b-88e2-4a2e-8473-897503401bcc.yml b/yml/d239772b-88e2-4a2e-8473-897503401bcc.yml
index fa75d343..854e10db 100644
--- a/yml/d239772b-88e2-4a2e-8473-897503401bcc.yml
+++ b/yml/d239772b-88e2-4a2e-8473-897503401bcc.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: d239772b-88e2-4a2e-8473-897503401bcc
name: Download a file with Microsoft Connection Manager Auto-Download
tactic:
@@ -26,6 +28,6 @@ sigma_rule:
- id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
name: proc_creation_win_cmd_redirect.yml
- id: f37aba28-a9e6-4045-882c-d5004043b337
- name: proc_creation_win_lolbin_cmdl32.yml
+ name: proc_creation_win_cmdl32_arbitrary_file_download.yml
- id: 86085955-ea48-42a2-9dd3-85d4c36b167d
name: proc_creation_win_taskkill_execution.yml
diff --git a/yml/d3415a0e-66ef-429b-acf4-a768876954f6.yml b/yml/d3415a0e-66ef-429b-acf4-a768876954f6.yml
index 2e1540dd..1861594c 100644
--- a/yml/d3415a0e-66ef-429b-acf4-a768876954f6.yml
+++ b/yml/d3415a0e-66ef-429b-acf4-a768876954f6.yml
@@ -1,10 +1,10 @@
Attack_name: 'Software Discovery: Security Software Discovery'
Attack_description: |-
- Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query
with [Reg](https://attack.mitre.org/software/S0075), dir
with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
- Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the DescribeSecurityGroups
action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)
+ Adversaries may also utilize the [Cloud API](https://attack.mitre.org/techniques/T1059/009) to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.
guid: d3415a0e-66ef-429b-acf4-a768876954f6
name: Security Software Discovery - Windows Defender Enumeration
tactic:
diff --git a/yml/d34ef297-f178-4462-871e-9ce618d44e50.yml b/yml/d34ef297-f178-4462-871e-9ce618d44e50.yml
index 64abd227..81a699dc 100644
--- a/yml/d34ef297-f178-4462-871e-9ce618d44e50.yml
+++ b/yml/d34ef297-f178-4462-871e-9ce618d44e50.yml
@@ -1,9 +1,9 @@
Attack_name: 'Boot or Logon Autostart Execution: Port Monitors'
Attack_description: "Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor
- API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32
and will be loaded by the print spooler service, spoolsv.exe, on boot.
- The spoolsv.exe process also runs under SYSTEM level permissions.(Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL
- to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors
. \n\nThe Registry key contains entries for the following:\n\n* Local Port\n* Standard TCP/IP Port\n* USB Monitor\n* WSD Port\n
- \nAdversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM."
+ API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32
and will be loaded and run by the print spooler service, `spoolsv.exe`,
+ under SYSTEM level permissions on boot.(Citation: Bloxham) \n\nAlternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to the `Driver` value
+ of an existing or new arbitrarily named subkey of HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors
. The Registry key contains entries for the following:\n\n* Local Port\n* Standard
+ TCP/IP Port\n* USB Monitor\n* WSD Port\n"
guid: d34ef297-f178-4462-871e-9ce618d44e50
name: Add Port Monitor persistence in Registry
tactic:
diff --git a/yml/d400090a-d8ca-4be0-982e-c70598a23de9.yml b/yml/d400090a-d8ca-4be0-982e-c70598a23de9.yml
index d42c56df..76043045 100644
--- a/yml/d400090a-d8ca-4be0-982e-c70598a23de9.yml
+++ b/yml/d400090a-d8ca-4be0-982e-c70598a23de9.yml
@@ -1,6 +1,6 @@
Attack_name: OS Credential Dumping
Attack_description: |
- Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
+ Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
guid: d400090a-d8ca-4be0-982e-c70598a23de9
diff --git a/yml/d5b886d9-d1c7-4b6e-a7b0-460041bf2823.yml b/yml/d5b886d9-d1c7-4b6e-a7b0-460041bf2823.yml
index cdb26d22..6918378b 100644
--- a/yml/d5b886d9-d1c7-4b6e-a7b0-460041bf2823.yml
+++ b/yml/d5b886d9-d1c7-4b6e-a7b0-460041bf2823.yml
@@ -1,8 +1,9 @@
Attack_name: Account Manipulation
Attack_description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to
- a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password
- updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on
- systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
+ a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies,
+ such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already
+ have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
guid: d5b886d9-d1c7-4b6e-a7b0-460041bf2823
name: Password Change on Directory Service Restore Mode (DSRM) Account
tactic:
diff --git a/yml/d5d5a6b0-0f92-42d8-985d-47aafa2dd4db.yml b/yml/d5d5a6b0-0f92-42d8-985d-47aafa2dd4db.yml
index dff6eda0..3dd87b04 100644
--- a/yml/d5d5a6b0-0f92-42d8-985d-47aafa2dd4db.yml
+++ b/yml/d5d5a6b0-0f92-42d8-985d-47aafa2dd4db.yml
@@ -1,11 +1,13 @@
Attack_name: System Time Discovery
Attack_description: |-
- An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet Windows Time Service)
+ An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or systemsetup
on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)
- System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname
to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz
.(Citation: Technet Windows Time Service)
+ System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname
to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz
.(Citation: Technet Windows Time Service) In addition, adversaries can discover device uptime through functions such as GetTickCount()
to determine how long it has been since the system booted up.(Citation: Virtualization/Sandbox Evasion)
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)
+ In addition, system calls – such as time()
– have been used to collect the current time on Linux devices.(Citation: MAGNET GOBLIN) On macOS systems, adversaries may use commands such as systemsetup -gettimezone
or timeIntervalSinceNow
to gather current time zone information or current date and time.(Citation: System Information Discovery Technique)(Citation: ESET DazzleSpy Jan 2022)
+
This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)
guid: d5d5a6b0-0f92-42d8-985d-47aafa2dd4db
name: System Time Discovery W32tm as a Delay
diff --git a/yml/d9841bf8-f161-4c73-81e9-fd773a5ff8c1.yml b/yml/d9841bf8-f161-4c73-81e9-fd773a5ff8c1.yml
index ffc109bf..fdba0c49 100644
--- a/yml/d9841bf8-f161-4c73-81e9-fd773a5ff8c1.yml
+++ b/yml/d9841bf8-f161-4c73-81e9-fd773a5ff8c1.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1
name: Allow SMB and RDP on Microsoft Defender Firewall
tactic:
diff --git a/yml/d9e4f24f-aa67-4c6e-bcbf-85622b697a7c.yml b/yml/d9e4f24f-aa67-4c6e-bcbf-85622b697a7c.yml
index d0199163..182adbe3 100644
--- a/yml/d9e4f24f-aa67-4c6e-bcbf-85622b697a7c.yml
+++ b/yml/d9e4f24f-aa67-4c6e-bcbf-85622b697a7c.yml
@@ -8,7 +8,7 @@ Attack_description: "Adversaries may create or modify systemd services to repeat
start.\n* `ExecReload` directive executes when a service restarts. \n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped. \n\nAdversaries have created new service
files, altered the commands a `.service` file’s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place
symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation:
- Rapid7 Service Persistence 22JUNE2016) "
+ Rapid7 Service Persistence 22JUNE2016) \n\nThe .service file’s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions. "
guid: d9e4f24f-aa67-4c6e-bcbf-85622b697a7c
name: Create Systemd Service
tactic:
diff --git a/yml/da4f751a-020b-40d7-b9ff-d433b7799803.yml b/yml/da4f751a-020b-40d7-b9ff-d433b7799803.yml
index d71c8eab..6bd01ac7 100644
--- a/yml/da4f751a-020b-40d7-b9ff-d433b7799803.yml
+++ b/yml/da4f751a-020b-40d7-b9ff-d433b7799803.yml
@@ -2,7 +2,7 @@ Attack_name: 'Unsecured Credentials: Credentials In Files'
Attack_description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
- It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)
+ It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP)
In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)
guid: da4f751a-020b-40d7-b9ff-d433b7799803
diff --git a/yml/da558b07-69ae-41b9-b9d4-4d98154a7049.yml b/yml/da558b07-69ae-41b9-b9d4-4d98154a7049.yml
index 044bee66..da026b48 100644
--- a/yml/da558b07-69ae-41b9-b9d4-4d98154a7049.yml
+++ b/yml/da558b07-69ae-41b9-b9d4-4d98154a7049.yml
@@ -11,6 +11,7 @@ Attack_description: |-
* wbadmin.exe
can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe
can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
* REAgentC.exe
can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
+ * diskshadow.exe
can be used to delete all volume shadow copies on a system - diskshadow delete shadows all
(Citation: Diskshadow) (Citation: Crytox Ransomware)
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
diff --git a/yml/db965264-3117-4bad-b7b7-2523b7856b92.yml b/yml/db965264-3117-4bad-b7b7-2523b7856b92.yml
index 9af05a2c..5174301d 100644
--- a/yml/db965264-3117-4bad-b7b7-2523b7856b92.yml
+++ b/yml/db965264-3117-4bad-b7b7-2523b7856b92.yml
@@ -1,7 +1,7 @@
Attack_name: Credentials from Password Stores
-Attack_description: Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application
- holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults.
- Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
+Attack_description: 'Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending
+ on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password
+ managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.'
guid: db965264-3117-4bad-b7b7-2523b7856b92
name: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
tactic:
diff --git a/yml/dc7726d2-8ccb-4cc6-af22-0d5afb53a548.yml b/yml/dc7726d2-8ccb-4cc6-af22-0d5afb53a548.yml
index d775b377..351e6de7 100644
--- a/yml/dc7726d2-8ccb-4cc6-af22-0d5afb53a548.yml
+++ b/yml/dc7726d2-8ccb-4cc6-af22-0d5afb53a548.yml
@@ -1,6 +1,6 @@
Attack_name: 'Create Account: Domain Account'
Attack_description: |-
- Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain
command can be used to create a domain account.
+ Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain
command can be used to create a domain account.(Citation: Savill 1999)
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548
diff --git a/yml/dd3b61dd-7bbc-48cd-ab51-49ad1a776df0.yml b/yml/dd3b61dd-7bbc-48cd-ab51-49ad1a776df0.yml
index c0e95277..7db0bbff 100644
--- a/yml/dd3b61dd-7bbc-48cd-ab51-49ad1a776df0.yml
+++ b/yml/dd3b61dd-7bbc-48cd-ab51-49ad1a776df0.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: dd3b61dd-7bbc-48cd-ab51-49ad1a776df0
name: certutil download (urlcache)
tactic:
diff --git a/yml/dddd4aca-bbed-46f0-984d-e4c5971c51ea.yml b/yml/dddd4aca-bbed-46f0-984d-e4c5971c51ea.yml
index 4d7b92c0..460ad021 100644
--- a/yml/dddd4aca-bbed-46f0-984d-e4c5971c51ea.yml
+++ b/yml/dddd4aca-bbed-46f0-984d-e4c5971c51ea.yml
@@ -13,10 +13,11 @@ Attack_description: |
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
- Built-in Windows tools such as comsvcs.dll can also be used:
+ Built-in Windows tools such as `comsvcs.dll` can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full
(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
+ Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
diff --git a/yml/dea6c349-f1c6-44f3-87a1-1ed33a59a607.yml b/yml/dea6c349-f1c6-44f3-87a1-1ed33a59a607.yml
index b205649c..ab616b16 100644
--- a/yml/dea6c349-f1c6-44f3-87a1-1ed33a59a607.yml
+++ b/yml/dea6c349-f1c6-44f3-87a1-1ed33a59a607.yml
@@ -13,10 +13,11 @@ Attack_description: |
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
- Built-in Windows tools such as comsvcs.dll can also be used:
+ Built-in Windows tools such as `comsvcs.dll` can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full
(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
+ Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
diff --git a/yml/df1efab7-bc6d-4b88-8be9-91f55ae017aa.yml b/yml/df1efab7-bc6d-4b88-8be9-91f55ae017aa.yml
index 1c7cd807..c46e6f4c 100644
--- a/yml/df1efab7-bc6d-4b88-8be9-91f55ae017aa.yml
+++ b/yml/df1efab7-bc6d-4b88-8be9-91f55ae017aa.yml
@@ -2,9 +2,9 @@ Attack_name: Time Providers
Attack_description: |-
Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider)
- Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\
.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider)
+ Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\`.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider)
- Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017)
+ Adversaries may abuse this architecture to establish persistence, specifically by creating a new arbitrarily named subkey pointing to a malicious DLL in the `DllName` value. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017)
guid: df1efab7-bc6d-4b88-8be9-91f55ae017aa
name: Create a new time provider
tactic:
diff --git a/yml/dfbd1a21-540d-4574-9731-e852bd6fe840.yml b/yml/dfbd1a21-540d-4574-9731-e852bd6fe840.yml
index b566caf7..c1728627 100644
--- a/yml/dfbd1a21-540d-4574-9731-e852bd6fe840.yml
+++ b/yml/dfbd1a21-540d-4574-9731-e852bd6fe840.yml
@@ -6,11 +6,12 @@ Attack_description: "Adversaries may employ various system checks to detect and
[Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082),
and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware,
and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include
- generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nOther
- common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications,
- and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \n \n
- Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific
- readings from these devices.(Citation: Unit 42 OilRig Sept 2018)"
+ generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Once executed,
+ malware may also use [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) to check if it was saved in a folder or file with unexpected or even analysis-related naming artifacts such
+ as `malware`, `sample`, or `hash`.\n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings
+ relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port
+ to send commands and receive output. \n \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment.
+ Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)"
guid: dfbd1a21-540d-4574-9731-e852bd6fe840
name: Detect Virtualization Environment (Linux)
tactic:
diff --git a/yml/e129d73b-3e03-4ae9-bf1e-67fc8921e0fd.yml b/yml/e129d73b-3e03-4ae9-bf1e-67fc8921e0fd.yml
index 09d5b9fb..a49617a3 100644
--- a/yml/e129d73b-3e03-4ae9-bf1e-67fc8921e0fd.yml
+++ b/yml/e129d73b-3e03-4ae9-bf1e-67fc8921e0fd.yml
@@ -6,11 +6,12 @@ Attack_description: "Adversaries may employ various system checks to detect and
[Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082),
and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware,
and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include
- generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nOther
- common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications,
- and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \n \n
- Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific
- readings from these devices.(Citation: Unit 42 OilRig Sept 2018)"
+ generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Once executed,
+ malware may also use [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) to check if it was saved in a folder or file with unexpected or even analysis-related naming artifacts such
+ as `malware`, `sample`, or `hash`.\n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings
+ relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port
+ to send commands and receive output. \n \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment.
+ Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)"
guid: e129d73b-3e03-4ae9-bf1e-67fc8921e0fd
name: Detect Virtualization Environment (FreeBSD)
tactic:
diff --git a/yml/e1ec8d20-509a-4b9a-b820-06c9b2da8eb7.yml b/yml/e1ec8d20-509a-4b9a-b820-06c9b2da8eb7.yml
index 725459e5..85f2413a 100644
--- a/yml/e1ec8d20-509a-4b9a-b820-06c9b2da8eb7.yml
+++ b/yml/e1ec8d20-509a-4b9a-b820-06c9b2da8eb7.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
name: Adfind - Enumerate Active Directory User Objects
tactic:
diff --git a/yml/e2028771-1bfb-48f5-b5e6-e50ee0942a14.yml b/yml/e2028771-1bfb-48f5-b5e6-e50ee0942a14.yml
index 8665d0a1..36e8672a 100644
--- a/yml/e2028771-1bfb-48f5-b5e6-e50ee0942a14.yml
+++ b/yml/e2028771-1bfb-48f5-b5e6-e50ee0942a14.yml
@@ -1,10 +1,10 @@
Attack_name: Network Sniffing
Attack_description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+ Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
diff --git a/yml/e2480aee-23f3-4f34-80ce-de221e27cd19.yml b/yml/e2480aee-23f3-4f34-80ce-de221e27cd19.yml
index 78eb5ea0..da63fae7 100644
--- a/yml/e2480aee-23f3-4f34-80ce-de221e27cd19.yml
+++ b/yml/e2480aee-23f3-4f34-80ce-de221e27cd19.yml
@@ -1,10 +1,10 @@
Attack_name: Network Sniffing
Attack_description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+ Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
diff --git a/yml/e43cfdaf-3fb8-4a45-8de0-7eee8741d072.yml b/yml/e43cfdaf-3fb8-4a45-8de0-7eee8741d072.yml
index 32c95526..1e708c87 100644
--- a/yml/e43cfdaf-3fb8-4a45-8de0-7eee8741d072.yml
+++ b/yml/e43cfdaf-3fb8-4a45-8de0-7eee8741d072.yml
@@ -4,7 +4,9 @@ Attack_description: |-
Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)
- There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)
+ There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on [User Execution](https://attack.mitre.org/techniques/T1204) by tricking victims into running malicious JavaScript in their browser.(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
+
+ There are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (e.g., [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)
After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.
guid: e43cfdaf-3fb8-4a45-8de0-7eee8741d072
diff --git a/yml/e447b83b-a698-4feb-bed1-a7aaf45c3443.yml b/yml/e447b83b-a698-4feb-bed1-a7aaf45c3443.yml
index 72887e58..216e7aba 100644
--- a/yml/e447b83b-a698-4feb-bed1-a7aaf45c3443.yml
+++ b/yml/e447b83b-a698-4feb-bed1-a7aaf45c3443.yml
@@ -1,11 +1,15 @@
Attack_name: Software Deployment Tools
-Attack_description: "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally
- through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). \n\nAccess to a third-party
- network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other
- systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. Network infrastructure may also have administration tools that can be similarly abused by adversaries.
- (Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\n\nThe permissions required for this action vary by system configuration; local credentials may
- be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended
- purpose."
+Attack_description: "Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management
+ and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples
+ of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager. \n\nAccess to network-wide or enterprise-wide endpoint management software
+ may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping
+ the hard drives on all endpoints.\n\nSaaS-based configuration management services may allow for broad [Cloud Administration Command](https://attack.mitre.org/techniques/T1651) on cloud-hosted instances,
+ as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices
+ joined to Azure AD.(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001) to communicate back
+ to adversary owned infrastructure.(Citation: Mitiga Security Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices may also have configuration management tools that can be similarly
+ abused by adversaries.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\n\nThe permissions required for this action vary by system configuration;
+ local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or
+ to access specific functionality."
guid: e447b83b-a698-4feb-bed1-a7aaf45c3443
name: PDQ Deploy RAT
tactic:
diff --git a/yml/e62d23ef-3153-4837-8625-fa4a3829134d.yml b/yml/e62d23ef-3153-4837-8625-fa4a3829134d.yml
index e99d0e87..45641f75 100644
--- a/yml/e62d23ef-3153-4837-8625-fa4a3829134d.yml
+++ b/yml/e62d23ef-3153-4837-8625-fa4a3829134d.yml
@@ -2,6 +2,8 @@ Attack_name: 'Create Account: Cloud Account'
Attack_description: |-
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
+ In addition to user accounts, cloud accounts may be associated with services. Cloud providers handle the concept of service accounts in different ways. In Azure, service accounts include service principals and managed identities, which can be linked to various resources such as OAuth applications, serverless functions, and virtual machines in order to grant those resources permissions to perform various activities in the environment.(Citation: Microsoft Entra ID Service Principals) In GCP, service accounts can also be linked to specific resources, as well as be impersonated by other accounts for [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005).(Citation: GCP Service Accounts) While AWS has no specific concept of service accounts, resources can be directly granted permission to assume roles.(Citation: AWS Instance Profiles)(Citation: AWS Lambda Execution Role)
+
Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.
Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) or assigning [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).
diff --git a/yml/e6abb60e-26b8-41da-8aae-0c35174b0967.yml b/yml/e6abb60e-26b8-41da-8aae-0c35174b0967.yml
index a1977bdf..8001a308 100644
--- a/yml/e6abb60e-26b8-41da-8aae-0c35174b0967.yml
+++ b/yml/e6abb60e-26b8-41da-8aae-0c35174b0967.yml
@@ -2,13 +2,16 @@ Attack_name: 'Indicator Removal on Host: Clear Windows Event Logs'
Attack_description: |-
Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
- The event logs can be cleared with the following utility commands:
+
+ With administrator privileges, the event logs can be cleared with the following utility commands:
* wevtutil cl system
* wevtutil cl application
* wevtutil cl security
- These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security
to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)
+ These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security
to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)
+
+ Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\Windows\System32\winevt\logs\`.
guid: e6abb60e-26b8-41da-8aae-0c35174b0967
name: Clear Logs
tactic:
diff --git a/yml/e6f36545-dc1e-47f0-9f48-7f730f54a02e.yml b/yml/e6f36545-dc1e-47f0-9f48-7f730f54a02e.yml
index e6dd6eb1..ecafdf39 100644
--- a/yml/e6f36545-dc1e-47f0-9f48-7f730f54a02e.yml
+++ b/yml/e6f36545-dc1e-47f0-9f48-7f730f54a02e.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Local Account'
Attack_description: |-
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
- Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
+ Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
guid: e6f36545-dc1e-47f0-9f48-7f730f54a02e
name: Enumerate users and groups
tactic:
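Review bot: The re-emitted description on the new side still carries the stray line breaks around the command names (`net user`, `net localgroup`, `id`, `groups`, `/etc/passwd`, `dscl . list /Users`), which look like remnants of stripped inline-code markup, while other descriptions touched in this commit render such names in backticks (`comsvcs.dll`, `sc sdset`, `search-ms`). Since this hunk otherwise only adds citations, it would be a good point to join those fragments back into one line and wrap each command name in backticks so the block scalar reads as a single paragraph. The same artifact recurs in the f449c933 and f450461c hunks; if the text is regenerated from an upstream source, the fix presumably belongs in the generator rather than in these files.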
diff --git a/yml/e6fe5095-545d-4c8b-a0ae-e863914be3aa.yml b/yml/e6fe5095-545d-4c8b-a0ae-e863914be3aa.yml
index a183a6ba..9aa9cff8 100644
--- a/yml/e6fe5095-545d-4c8b-a0ae-e863914be3aa.yml
+++ b/yml/e6fe5095-545d-4c8b-a0ae-e863914be3aa.yml
@@ -1,10 +1,10 @@
Attack_name: Network Sniffing
Attack_description: |-
- Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+ Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
- Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+ Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
diff --git a/yml/eb5adf16-b601-4926-bca7-dad22adffb37.yml b/yml/eb5adf16-b601-4926-bca7-dad22adffb37.yml
index 17bae5de..919e69f2 100644
--- a/yml/eb5adf16-b601-4926-bca7-dad22adffb37.yml
+++ b/yml/eb5adf16-b601-4926-bca7-dad22adffb37.yml
@@ -13,10 +13,11 @@ Attack_description: |
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
- Built-in Windows tools such as comsvcs.dll can also be used:
+ Built-in Windows tools such as `comsvcs.dll` can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full
(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
+ Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
diff --git a/yml/ecca999b-e0c8-40e8-8416-ad320b146a75.yml b/yml/ecca999b-e0c8-40e8-8416-ad320b146a75.yml
index 18a526df..af18e3a3 100644
--- a/yml/ecca999b-e0c8-40e8-8416-ad320b146a75.yml
+++ b/yml/ecca999b-e0c8-40e8-8416-ad320b146a75.yml
@@ -3,8 +3,9 @@ Attack_description: "An adversary may use legitimate desktop support and remote
such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and
may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\n\nRemote access
software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They
- may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n \nAdversaries may similarly abuse response features included
- in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003))."
+ may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.\n \nAdversaries may similarly abuse response features included
+ in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).
+ Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)"
guid: ecca999b-e0c8-40e8-8416-ad320b146a75
name: NetSupport - RAT Execution
tactic:
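Review bot: The appended sentence on the new side is joined to the preceding paragraph with a bare line break instead of the `\n\n` separator used elsewhere in this double-quoted scalar, so after YAML folding it renders as one run-on paragraph (`... [Windows Service](...)). Remote access modules/features ...`). Emitting the break explicitly, `...T1543/003)).\n\nRemote access modules/features may also exist ...`, would keep the paragraph structure consistent with the earlier `\n\n` breaks in the same string. The identical edit in the f1641ba9 hunk has the same issue.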
diff --git a/yml/ed0335ac-0354-400c-8148-f6151d20035a.yml b/yml/ed0335ac-0354-400c-8148-f6151d20035a.yml
index f38cc8f4..2544d456 100644
--- a/yml/ed0335ac-0354-400c-8148-f6151d20035a.yml
+++ b/yml/ed0335ac-0354-400c-8148-f6151d20035a.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: ed0335ac-0354-400c-8148-f6151d20035a
name: Lolbas replace.exe use to copy UNC file
tactic:
diff --git a/yml/ed366cde-7d12-49df-a833-671904770b9f.yml b/yml/ed366cde-7d12-49df-a833-671904770b9f.yml
index 7b18b24f..eb684494 100644
--- a/yml/ed366cde-7d12-49df-a833-671904770b9f.yml
+++ b/yml/ed366cde-7d12-49df-a833-671904770b9f.yml
@@ -9,8 +9,10 @@ Attack_description: "Adversaries may create or modify Windows services to repeat
these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised
machine (known as \"Bring Your Own Vulnerable Driver\" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation:
Unit42 AcidBox June 2020)\n\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries
- may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade
- Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component)."
+ may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002).\n\nTo make detection analysis more challenging, malicious services may also incorporate [Masquerade
+ Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create ‘hidden’
+ services (i.e., [Hide Artifacts](https://attack.mitre.org/techniques/T1564)), for example by using the `sc sdset` command to set service permissions via the Service Descriptor Definition Language (SDDL).
+ This may hide a Windows service from the view of standard service enumeration methods such as `Get-Service`, `sc query`, and `services.exe`.(Citation: SANS 1)(Citation: SANS 2)"
guid: ed366cde-7d12-49df-a833-671904770b9f
name: Modify Fax service to run PowerShell
tactic:
diff --git a/yml/ed952f70-91d4-445a-b7ff-30966bfb1aff.yml b/yml/ed952f70-91d4-445a-b7ff-30966bfb1aff.yml
index 66aac610..cf67eb2c 100644
--- a/yml/ed952f70-91d4-445a-b7ff-30966bfb1aff.yml
+++ b/yml/ed952f70-91d4-445a-b7ff-30966bfb1aff.yml
@@ -11,6 +11,7 @@ Attack_description: |-
* wbadmin.exe
can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe
can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
* REAgentC.exe
can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
+ * diskshadow.exe
can be used to delete all volume shadow copies on a system - diskshadow delete shadows all
(Citation: Diskshadow) (Citation: Crytox Ransomware)
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
diff --git a/yml/ef0581fd-528e-4662-87bc-4c2affb86940.yml b/yml/ef0581fd-528e-4662-87bc-4c2affb86940.yml
index 02abc2e5..393d18db 100644
--- a/yml/ef0581fd-528e-4662-87bc-4c2affb86940.yml
+++ b/yml/ef0581fd-528e-4662-87bc-4c2affb86940.yml
@@ -9,8 +9,10 @@ Attack_description: "Adversaries may create or modify Windows services to repeat
these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised
machine (known as \"Bring Your Own Vulnerable Driver\" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation:
Unit42 AcidBox June 2020)\n\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries
- may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade
- Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component)."
+ may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002).\n\nTo make detection analysis more challenging, malicious services may also incorporate [Masquerade
+ Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create ‘hidden’
+ services (i.e., [Hide Artifacts](https://attack.mitre.org/techniques/T1564)), for example by using the `sc sdset` command to set service permissions via the Service Descriptor Definition Language (SDDL).
+ This may hide a Windows service from the view of standard service enumeration methods such as `Get-Service`, `sc query`, and `services.exe`.(Citation: SANS 1)(Citation: SANS 2)"
guid: ef0581fd-528e-4662-87bc-4c2affb86940
name: TinyTurla backdoor service w64time
tactic:
diff --git a/yml/f095e373-b936-4eb4-8d22-f47ccbfbe64a.yml b/yml/f095e373-b936-4eb4-8d22-f47ccbfbe64a.yml
index 432b05c9..05e27d46 100644
--- a/yml/f095e373-b936-4eb4-8d22-f47ccbfbe64a.yml
+++ b/yml/f095e373-b936-4eb4-8d22-f47ccbfbe64a.yml
@@ -1,6 +1,6 @@
Attack_name: 'Access Token Manipulation: Token Impersonation/Theft'
Attack_description: |-
- Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.
+ Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.
An adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.
diff --git a/yml/f151ee37-9e2b-47e6-80e4-550b9f999b7a.yml b/yml/f151ee37-9e2b-47e6-80e4-550b9f999b7a.yml
index d8abb6e5..3f747b0b 100644
--- a/yml/f151ee37-9e2b-47e6-80e4-550b9f999b7a.yml
+++ b/yml/f151ee37-9e2b-47e6-80e4-550b9f999b7a.yml
@@ -1,11 +1,13 @@
Attack_name: 'Hide Artifacts: Hidden Window'
Attack_description: "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries
- out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. \n\nOn Windows, there are a variety of
- features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows
- hidden. One example of this is powershell.exe -WindowStyle Hidden
. (Citation: PowerShell About 2019)\n\nSimilarly, on macOS the configurations for how applications run are listed in property
- list (plist) files. One of the tags in these files can be apple.awt.UIElement
, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use
- for this is when applications run in the system tray, but don't also want to show up in the Dock.\n\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not
- to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)"
+ out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. \n\nAdversaries may abuse these functionalities
+ to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)\n\nOn macOS, the configurations for how applications run
+ are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement
, which allows for Java applications to prevent the application's icon from appearing in
+ the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.\n\nSimilarly, on Windows there are a variety of features in scripting languages,
+ such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe
+ -WindowStyle Hidden
.(Citation: PowerShell About 2019)\n\nIn addition, Windows supports the `CreateDesktop()` API that can create a hidden desktop window with its own corresponding explorer.exe
+ process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible
+ to other desktops windows."
guid: f151ee37-9e2b-47e6-80e4-550b9f999b7a
name: Hidden Window
tactic:
diff --git a/yml/f1641ba9-919a-4323-b74f-33372333bf0e.yml b/yml/f1641ba9-919a-4323-b74f-33372333bf0e.yml
index 94857b76..9f326f30 100644
--- a/yml/f1641ba9-919a-4323-b74f-33372333bf0e.yml
+++ b/yml/f1641ba9-919a-4323-b74f-33372333bf0e.yml
@@ -3,8 +3,9 @@ Attack_description: "An adversary may use legitimate desktop support and remote
such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and
may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\n\nRemote access
software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They
- may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n \nAdversaries may similarly abuse response features included
- in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003))."
+ may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.\n \nAdversaries may similarly abuse response features included
+ in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).
+ Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)"
guid: f1641ba9-919a-4323-b74f-33372333bf0e
name: RustDesk Files Detected Test on Windows
tactic:
diff --git a/yml/f449c933-0891-407f-821e-7916a21a1a6f.yml b/yml/f449c933-0891-407f-821e-7916a21a1a6f.yml
index fb6f6406..b80ac7e5 100644
--- a/yml/f449c933-0891-407f-821e-7916a21a1a6f.yml
+++ b/yml/f449c933-0891-407f-821e-7916a21a1a6f.yml
@@ -1,11 +1,13 @@
Attack_name: System Time Discovery
Attack_description: |-
- An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet Windows Time Service)
+ An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or systemsetup
on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)
- System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname
to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz
.(Citation: Technet Windows Time Service)
+ System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname
to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz
.(Citation: Technet Windows Time Service) In addition, adversaries can discover device uptime through functions such as GetTickCount()
to determine how long it has been since the system booted up.(Citation: Virtualization/Sandbox Evasion)
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)
+ In addition, system calls – such as time()
– have been used to collect the current time on Linux devices.(Citation: MAGNET GOBLIN) On macOS systems, adversaries may use commands such as systemsetup -gettimezone
or timeIntervalSinceNow
to gather current time zone information or current date and time.(Citation: System Information Discovery Technique)(Citation: ESET DazzleSpy Jan 2022)
+
This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)
guid: f449c933-0891-407f-821e-7916a21a1a6f
name: System Time Discovery in FreeBSD/macOS
diff --git a/yml/f450461c-18d1-4452-9f0d-2c42c3f08624.yml b/yml/f450461c-18d1-4452-9f0d-2c42c3f08624.yml
index d2ee4366..6953bd76 100644
--- a/yml/f450461c-18d1-4452-9f0d-2c42c3f08624.yml
+++ b/yml/f450461c-18d1-4452-9f0d-2c42c3f08624.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: f450461c-18d1-4452-9f0d-2c42c3f08624
name: Kerbrute - userenum
tactic:
diff --git a/yml/f564c297-7978-4aa9-b37a-d90477feea4e.yml b/yml/f564c297-7978-4aa9-b37a-d90477feea4e.yml
index 430c01b5..fcd7b5ef 100644
--- a/yml/f564c297-7978-4aa9-b37a-d90477feea4e.yml
+++ b/yml/f564c297-7978-4aa9-b37a-d90477feea4e.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: f564c297-7978-4aa9-b37a-d90477feea4e
name: sftp remote file copy (push)
tactic:
diff --git a/yml/f8aab3dd-5990-4bf8-b8ab-2226c951696f.yml b/yml/f8aab3dd-5990-4bf8-b8ab-2226c951696f.yml
index 954d4776..6e1f3730 100644
--- a/yml/f8aab3dd-5990-4bf8-b8ab-2226c951696f.yml
+++ b/yml/f8aab3dd-5990-4bf8-b8ab-2226c951696f.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Local Account'
Attack_description: |-
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
- Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
+ Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
guid: f8aab3dd-5990-4bf8-b8ab-2226c951696f
name: Enumerate all accounts (Local)
tactic:
diff --git a/yml/f92a380f-ced9-491f-b338-95a991418ce2.yml b/yml/f92a380f-ced9-491f-b338-95a991418ce2.yml
index 488ff92b..85ca4a33 100644
--- a/yml/f92a380f-ced9-491f-b338-95a991418ce2.yml
+++ b/yml/f92a380f-ced9-491f-b338-95a991418ce2.yml
@@ -1,10 +1,10 @@
Attack_name: 'Software Discovery: Security Software Discovery'
Attack_description: |-
- Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query
with [Reg](https://attack.mitre.org/software/S0075), dir
with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
- Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the DescribeSecurityGroups
action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)
+ Adversaries may also utilize the [Cloud API](https://attack.mitre.org/techniques/T1059/009) to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.
guid: f92a380f-ced9-491f-b338-95a991418ce2
name: Security Software Discovery
tactic:
diff --git a/yml/fa37b633-e097-4415-b2b8-c5bf4c86e423.yml b/yml/fa37b633-e097-4415-b2b8-c5bf4c86e423.yml
index 56ebbd6f..ee3221c5 100644
--- a/yml/fa37b633-e097-4415-b2b8-c5bf4c86e423.yml
+++ b/yml/fa37b633-e097-4415-b2b8-c5bf4c86e423.yml
@@ -2,7 +2,7 @@ Attack_name: 'OS Credential Dumping: Proc Filesystem'
Attack_description: |-
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
- When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns that are indicative of credentials, such as looking for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)
+ When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | cut -d' ' -f 1
, to look for fixed strings in memory structures or cached hashes.(Citation: atomic-red proc file system) When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)
If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.
guid: fa37b633-e097-4415-b2b8-c5bf4c86e423
diff --git a/yml/fa5a2759-41d7-4e13-a19c-e8f28a53566f.yml b/yml/fa5a2759-41d7-4e13-a19c-e8f28a53566f.yml
index 636c48f0..f51d588b 100644
--- a/yml/fa5a2759-41d7-4e13-a19c-e8f28a53566f.yml
+++ b/yml/fa5a2759-41d7-4e13-a19c-e8f28a53566f.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: fa5a2759-41d7-4e13-a19c-e8f28a53566f
name: svchost writing a file to a UNC path
tactic:
diff --git a/yml/fa96c21c-5fd6-4428-aa28-51a2fbecdbdc.yml b/yml/fa96c21c-5fd6-4428-aa28-51a2fbecdbdc.yml
index fd5f77c1..10d0586c 100644
--- a/yml/fa96c21c-5fd6-4428-aa28-51a2fbecdbdc.yml
+++ b/yml/fa96c21c-5fd6-4428-aa28-51a2fbecdbdc.yml
@@ -1,10 +1,10 @@
Attack_name: 'Software Discovery: Security Software Discovery'
Attack_description: |-
- Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query
with [Reg](https://attack.mitre.org/software/S0075), dir
with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
- Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the DescribeSecurityGroups
action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)
+ Adversaries may also utilize the [Cloud API](https://attack.mitre.org/techniques/T1059/009) to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.
guid: fa96c21c-5fd6-4428-aa28-51a2fbecdbdc
name: Security Software Discovery - pgrep (FreeBSD)
tactic:
diff --git a/yml/fb4151a2-db33-4f8c-b7f8-78ea8790f961.yml b/yml/fb4151a2-db33-4f8c-b7f8-78ea8790f961.yml
index 1c06319c..c6d14dec 100644
--- a/yml/fb4151a2-db33-4f8c-b7f8-78ea8790f961.yml
+++ b/yml/fb4151a2-db33-4f8c-b7f8-78ea8790f961.yml
@@ -9,8 +9,10 @@ Attack_description: "Adversaries may create or modify Windows services to repeat
these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised
machine (known as \"Bring Your Own Vulnerable Driver\" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation:
Unit42 AcidBox June 2020)\n\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries
- may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade
- Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component)."
+ may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002).\n\nTo make detection analysis more challenging, malicious services may also incorporate [Masquerade
+ Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create ‘hidden’
+ services (i.e., [Hide Artifacts](https://attack.mitre.org/techniques/T1564)), for example by using the `sc sdset` command to set service permissions via the Service Descriptor Definition Language (SDDL).
+ This may hide a Windows service from the view of standard service enumeration methods such as `Get-Service`, `sc query`, and `services.exe`.(Citation: SANS 1)(Citation: SANS 2)"
guid: fb4151a2-db33-4f8c-b7f8-78ea8790f961
name: Remote Service Installation CMD
tactic:
diff --git a/yml/fbff3f1f-b0bf-448e-840f-7e1687affdce.yml b/yml/fbff3f1f-b0bf-448e-840f-7e1687affdce.yml
index aa62a858..c0f77db3 100644
--- a/yml/fbff3f1f-b0bf-448e-840f-7e1687affdce.yml
+++ b/yml/fbff3f1f-b0bf-448e-840f-7e1687affdce.yml
@@ -3,8 +3,9 @@ Attack_description: "An adversary may use legitimate desktop support and remote
such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and
may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)\n\nRemote access
software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They
- may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\n \nAdversaries may similarly abuse response features included
- in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003))."
+ may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.\n \nAdversaries may similarly abuse response features included
+ in EDR and other defensive tools that enable remote access.\n\nInstallation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).
+ Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)"
guid: fbff3f1f-b0bf-448e-840f-7e1687affdce
name: RemotePC Software Execution
tactic:
diff --git a/yml/fc5f9414-bd67-4f5f-a08e-e5381e29cbd1.yml b/yml/fc5f9414-bd67-4f5f-a08e-e5381e29cbd1.yml
index 35b83133..fa48d3f0 100644
--- a/yml/fc5f9414-bd67-4f5f-a08e-e5381e29cbd1.yml
+++ b/yml/fc5f9414-bd67-4f5f-a08e-e5381e29cbd1.yml
@@ -1,8 +1,9 @@
Attack_name: Account Manipulation
Attack_description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to
- a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password
- updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on
- systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
+ a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies,
+ such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already
+ have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged
+ [Valid Accounts](https://attack.mitre.org/techniques/T1078)."
guid: fc5f9414-bd67-4f5f-a08e-e5381e29cbd1
name: 'Domain Password Policy Check: Short Password'
tactic:
diff --git a/yml/fcec2963-9951-4173-9bfa-98d8b7834e62.yml b/yml/fcec2963-9951-4173-9bfa-98d8b7834e62.yml
index c9b8c6c0..b8c9ce4d 100644
--- a/yml/fcec2963-9951-4173-9bfa-98d8b7834e62.yml
+++ b/yml/fcec2963-9951-4173-9bfa-98d8b7834e62.yml
@@ -1,6 +1,6 @@
Attack_name: 'Create Account: Domain Account'
Attack_description: |-
- Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain
command can be used to create a domain account.
+ Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain
command can be used to create a domain account.(Citation: Savill 1999)
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
guid: fcec2963-9951-4173-9bfa-98d8b7834e62
diff --git a/yml/fdd0c913-714b-4c13-b40f-1824d6c015f2.yml b/yml/fdd0c913-714b-4c13-b40f-1824d6c015f2.yml
index 84982517..25cd4f1b 100644
--- a/yml/fdd0c913-714b-4c13-b40f-1824d6c015f2.yml
+++ b/yml/fdd0c913-714b-4c13-b40f-1824d6c015f2.yml
@@ -2,7 +2,7 @@ Attack_name: 'Unsecured Credentials: Credentials In Files'
Attack_description: |-
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
- It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)
+ It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP)
In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)
guid: fdd0c913-714b-4c13-b40f-1824d6c015f2
diff --git a/yml/fe135572-edcd-49a2-afe6-1d39521c5a9a.yml b/yml/fe135572-edcd-49a2-afe6-1d39521c5a9a.yml
index 1d0fbd23..94118bea 100644
--- a/yml/fe135572-edcd-49a2-afe6-1d39521c5a9a.yml
+++ b/yml/fe135572-edcd-49a2-afe6-1d39521c5a9a.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
+
+ Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
guid: fe135572-edcd-49a2-afe6-1d39521c5a9a
name: Stop/Start UFW firewall
tactic:
diff --git a/yml/fe613cf3-8009-4446-9a0f-bc78a15b66c9.yml b/yml/fe613cf3-8009-4446-9a0f-bc78a15b66c9.yml
index adf51768..b5b1fb0a 100644
--- a/yml/fe613cf3-8009-4446-9a0f-bc78a15b66c9.yml
+++ b/yml/fe613cf3-8009-4446-9a0f-bc78a15b66c9.yml
@@ -1,10 +1,10 @@
Attack_name: 'Software Discovery: Security Software Discovery'
Attack_description: |-
- Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query
with [Reg](https://attack.mitre.org/software/S0075), dir
with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
- Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the DescribeSecurityGroups
action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)
+ Adversaries may also utilize the [Cloud API](https://attack.mitre.org/techniques/T1059/009) to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents may collect metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.
guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9
name: Security Software Discovery - Sysmon Service
tactic:
diff --git a/yml/fecd0dfd-fb55-45fa-a10b-6250272d0832.yml b/yml/fecd0dfd-fb55-45fa-a10b-6250272d0832.yml
index cfec9ebd..1c043cd8 100644
--- a/yml/fecd0dfd-fb55-45fa-a10b-6250272d0832.yml
+++ b/yml/fecd0dfd-fb55-45fa-a10b-6250272d0832.yml
@@ -1,8 +1,8 @@
Attack_name: 'Event Triggered Execution: Windows Management Instrumentation Event Subscription'
Attack_description: |-
- Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime.(Citation: Mandiant M-Trends 2015)
+ Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015)
- Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)
+ Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts – using `mofcomp.exe` –into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)
WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.
guid: fecd0dfd-fb55-45fa-a10b-6250272d0832
diff --git a/yml/fed9be70-0186-4bde-9f8a-20945f9370c2.yml b/yml/fed9be70-0186-4bde-9f8a-20945f9370c2.yml
index 0f7a956a..d649c2ec 100644
--- a/yml/fed9be70-0186-4bde-9f8a-20945f9370c2.yml
+++ b/yml/fed9be70-0186-4bde-9f8a-20945f9370c2.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Local Account'
Attack_description: |-
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
- Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
+ Commands such as net user
and net localgroup
of the [Net](https://attack.mitre.org/software/S0039) utility and id
and groups
on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd
file. On macOS the dscl . list /Users
command can be used to enumerate local accounts.
guid: fed9be70-0186-4bde-9f8a-20945f9370c2
name: View sudoers access
tactic:
diff --git a/yml/ffbcfd62-15d6-4989-a21a-80bfc8e58bb5.yml b/yml/ffbcfd62-15d6-4989-a21a-80bfc8e58bb5.yml
index b3cb08fe..2cf28df7 100644
--- a/yml/ffbcfd62-15d6-4989-a21a-80bfc8e58bb5.yml
+++ b/yml/ffbcfd62-15d6-4989-a21a-80bfc8e58bb5.yml
@@ -2,7 +2,7 @@ Attack_name: 'Account Discovery: Domain Account'
Attack_description: "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting
specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,
dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
- and Get-ADGroupMember
may enumerate members of Active Directory groups. "
+ and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022) "
guid: ffbcfd62-15d6-4989-a21a-80bfc8e58bb5
name: Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope
tactic:
diff --git a/yml/ffc8b249-372a-4b74-adcd-e4c0430842de.yml b/yml/ffc8b249-372a-4b74-adcd-e4c0430842de.yml
index 6eba9d8d..c5c19293 100644
--- a/yml/ffc8b249-372a-4b74-adcd-e4c0430842de.yml
+++ b/yml/ffc8b249-372a-4b74-adcd-e4c0430842de.yml
@@ -3,6 +3,8 @@ Attack_description: |-
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include dir
, tree
, ls
, find
, and locate
.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. dir
, show flash
, and/or nvram
).(Citation: US-CERT-TA18-106A)
+
+ Some files and directories may require elevated or specific user permissions to access.
guid: ffc8b249-372a-4b74-adcd-e4c0430842de
name: Nix File and Directory Discovery
tactic:
diff --git a/yml/ffd492e3-0455-4518-9fb1-46527c9f241b.yml b/yml/ffd492e3-0455-4518-9fb1-46527c9f241b.yml
index 68eeaaa4..e21c2397 100644
--- a/yml/ffd492e3-0455-4518-9fb1-46527c9f241b.yml
+++ b/yml/ffd492e3-0455-4518-9fb1-46527c9f241b.yml
@@ -4,10 +4,12 @@ Attack_description: "Adversaries may transfer tools or other files from an exter
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
- may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
- as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
- on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
- to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
+ may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol
+ handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566)
+ lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the
+ victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to
+ transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers
+ the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: ffd492e3-0455-4518-9fb1-46527c9f241b
name: certutil download (verifyctl)
tactic: