Btops140824 (#2911)

* Create T1222.yaml * Update T1070.004.yaml Added clear of recycle bin using rd * Update T1057.yaml added taskmgr.exe based process viewing * Update T1012.yaml Added SIL status lookup via registry * Update T1057.yaml Fixed up the name ,description for Taskmgr.exe test * Update T1057.yaml Fixed the UUID
2024-09-25 07:40:57 +10:00
parent 8366cf403c
commit 03d7d6ba13
4 changed files with 56 additions and 0 deletions
@@ -113,3 +113,16 @@ atomic_tests:
      reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated      
    name: command_prompt
    elevation_required: true
+- name: Check Software Inventory Logging (SIL) status via Registry
+  auto_generated_guid: 5c784969-1d43-4ac7-8c3d-ed6d025ed10d
+  description: |
+    Microsoft's Software Inventory Logging (SIL) collects information about software installed per host basis. Adversary can use such logs to passively 
+    check for existence of software of interest to them. Status of SIL can be checked via registry.
+    [Reference](https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/)
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64
+    name: command_prompt
+    elevation_required: true
@@ -136,3 +136,15 @@ atomic_tests:
    command: Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"
    name: powershell
    elevation_required: true
+- name: Launch Taskmgr from cmd to View running processes  
+  auto_generated_guid: 4fd35378-39aa-481e-b7c4-e3bf49375c67
+  description: |
+    An adverary may launch taskmgr.exe with the /7 switch via command prompt to view processes running on the system.
+    [Reference](https://github.com/trellix-enterprise/ac3-threat-sightings/blob/main/sightings/Sightings_Conti_Ransomware.yml)
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      taskmgr.exe /7
+    name: command_prompt
+    elevation_required: false
@@ -214,3 +214,15 @@ atomic_tests:
      New-Item -Path #{teamviewer_log_file} -Force | Out-Null
      Remove-Item #{teamviewer_log_file} -Force -ErrorAction Ignore
    name: powershell
+- name: Clears Recycle bin via rd
+  auto_generated_guid: f723d13d-48dc-4317-9990-cf43a9ac0bf2
+  description: |
+    An adversary clears the recycle bin in the system partition using rd to remove traces of deleted files.
+    [Reference](https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/)
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      rd /s /q %systemdrive%\$RECYCLE.BIN
+    name: command_prompt
+    elevation_required: true
@@ -0,0 +1,19 @@
+attack_technique: T1222
+display_name: 'File and Directory Permissions Modification'
+atomic_tests:
+- name: Enable Local and Remote Symbolic Links via fsutil
+  auto_generated_guid: 6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02
+  description: |
+    Use fsutil to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
+    [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      fsutil behavior set SymlinkEvaluation R2L:1 
+      fsutil behavior set SymlinkEvaluation R2R:1
+    cleanup_command: |
+      fsutil behavior set SymlinkEvaluation R2L:0
+      fsutil behavior set SymlinkEvaluation R2R:0
+    name: command_prompt
+    elevation_required: true