diff --git a/atomics/T1012/T1012.yaml b/atomics/T1012/T1012.yaml
index 0f0f4118..435e4c94 100644
--- a/atomics/T1012/T1012.yaml
+++ b/atomics/T1012/T1012.yaml
@@ -113,3 +113,16 @@ atomic_tests:
 reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
 name: command_prompt
 elevation_required: true
+- name: Check Software Inventory Logging (SIL) status via Registry
+ auto_generated_guid: 5c784969-1d43-4ac7-8c3d-ed6d025ed10d
+ description: |
+ Microsoft's Software Inventory Logging (SIL) collects information about software installed per host basis. Adversary can use such logs to passively
+ check for existence of software of interest to them. Status of SIL can be checked via registry.
+ [Reference](https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/)
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64
+ name: command_prompt
+ elevation_required: true
diff --git a/atomics/T1057/T1057.yaml b/atomics/T1057/T1057.yaml
index 50ca618a..ed534072 100644
--- a/atomics/T1057/T1057.yaml
+++ b/atomics/T1057/T1057.yaml
@@ -136,3 +136,15 @@ atomic_tests:
 command: Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"
 name: powershell
 elevation_required: true
+- name: Launch Taskmgr from cmd to View running processes
+ auto_generated_guid: 4fd35378-39aa-481e-b7c4-e3bf49375c67
+ description: |
+ An adverary may launch taskmgr.exe with the /7 switch via command prompt to view processes running on the system.
+ [Reference](https://github.com/trellix-enterprise/ac3-threat-sightings/blob/main/sightings/Sightings_Conti_Ransomware.yml)
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ taskmgr.exe /7
+ name: command_prompt
+ elevation_required: false
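Review bot: The new T1012 test's `reg.exe query ... softwareinventorylogging /v collectionstate` exits non-zero when the key or value is absent, and nothing in the description or a prereq tells the operator that this is the expected outcome rather than a broken test. As far as I recall, Software Inventory Logging ships only with Windows Server, so on client SKUs or servers without the feature the runner will most likely report a failure; add to the description `Note: the SoftwareInventoryLogging key exists only on hosts where SIL is installed; a missing key means SIL is not present, not that the test failed.` While there, tighten the first line to `collects information about installed software on a per-host basis. An adversary can use such logs to passively`. The `atomic_tests` list this entry is appended to starts outside the hunk.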
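Review bot: The new T1057 test launches a GUI window with `taskmgr.exe /7` but defines no `cleanup_command`, so Task Manager is left running after every execution; add under `executor` the line `cleanup_command: taskkill /im taskmgr.exe /f >nul 2>&1`, noting that if Task Manager auto-elevated for an admin user the kill may itself need elevation. Whether the command_prompt executor returns before the window is closed depends on how the runner invokes cmd (a batch file waits for GUI programs unless `start` is used), so `start "" taskmgr.exe /7` is the safer form if runs are observed to hang. The description also has a typo, `adverary` for `adversary`. The `atomic_tests` list this entry is appended to starts outside the hunk.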
diff --git a/atomics/T1070.004/T1070.004.yaml b/atomics/T1070.004/T1070.004.yaml
index 9f98b94b..152bf74c 100644
--- a/atomics/T1070.004/T1070.004.yaml
+++ b/atomics/T1070.004/T1070.004.yaml
@@ -214,3 +214,15 @@ atomic_tests:
 New-Item -Path #{teamviewer_log_file} -Force | Out-Null
 Remove-Item #{teamviewer_log_file} -Force -ErrorAction Ignore
 name: powershell
+- name: Clears Recycle bin via rd
+ auto_generated_guid: f723d13d-48dc-4317-9990-cf43a9ac0bf2
+ description: |
+ An adversary clears the recycle bin in the system partition using rd to remove traces of deleted files.
+ [Reference](https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/)
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ rd /s /q %systemdrive%\$RECYCLE.BIN
+ name: command_prompt
+ elevation_required: true
diff --git a/atomics/T1222/T1222.yaml b/atomics/T1222/T1222.yaml
new file mode 100644
index 00000000..265a04a8
--- /dev/null
+++ b/atomics/T1222/T1222.yaml
@@ -0,0 +1,19 @@
+attack_technique: T1222
+display_name: 'File and Directory Permissions Modification'
+atomic_tests:
+- name: Enable Local and Remote Symbolic Links via fsutil
+ auto_generated_guid: 6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02
+ description: |
+ Use fsutil to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
+ [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ fsutil behavior set SymlinkEvaluation R2L:1
+ fsutil behavior set SymlinkEvaluation R2R:1
+ cleanup_command: |
+ fsutil behavior set SymlinkEvaluation R2L:0
+ fsutil behavior set SymlinkEvaluation R2R:0
+ name: command_prompt
+ elevation_required: true
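Review bot: `rd /s /q %systemdrive%\$RECYCLE.BIN` irreversibly empties the Recycle Bin of every user profile on the system drive, not only the current user's, and the description gives no warning; there is no `cleanup_command` because the destroyed data cannot be restored. Add to the description `WARNING: permanently deletes the Recycle Bin contents of all users on the system drive; run only on a disposable test host.` Since the test only removes pre-existing user data, it produces nothing observable on a fresh host, which is worth stating alongside the warning so operators know an empty bin is not a failure. The `atomic_tests` list this entry is appended to starts outside the hunk.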
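Review bot: The cleanup in the new T1222 test unconditionally sets `R2L:0` and `R2R:0`, which restores the Windows default but silently overwrites any non-default value the host had before the run; either state in the description that cleanup resets to defaults rather than restoring the prior setting, or tell operators to record `fsutil behavior query SymlinkEvaluation` first. The description's second sentence also misdescribes the setting: per fsutil's own help text `R2L`/`R2R` govern whether symbolic links encountered on a remote volume may resolve to local or remote targets, so something like `Allows symbolic links reached over the network to resolve to local (R2L) and remote (R2R) targets, which the referenced ransomware used to reach files on other hosts.` would be accurate. Finally, this is a Windows-only test placed in a new parent-level `T1222` file; if the repository already has the Windows sub-technique `T1222.001`, it probably belongs there instead, which is worth checking against the layout.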