Generated docs from job=generate-docs branch=master [ci skip]

2022-06-23 19:46:46 +00:00
parent 7312259b59
commit 0d352c3c8e
6 changed files with 230 additions and 0 deletions
@@ -197,6 +197,10 @@ defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And
 defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
 defense-evasion,T1112,Modify Registry,33,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
 defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
+defense-evasion,T1112,Modify Registry,35,Disable Windows Toast Notifications,003f466a-6010-4b15-803a-cbb478a314d7,command_prompt
+defense-evasion,T1112,Modify Registry,36,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
+defense-evasion,T1112,Modify Registry,37,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
+defense-evasion,T1112,Modify Registry,38,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
 defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 defense-evasion,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
@@ -147,6 +147,10 @@ defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And
 defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
 defense-evasion,T1112,Modify Registry,33,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
 defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
+defense-evasion,T1112,Modify Registry,35,Disable Windows Toast Notifications,003f466a-6010-4b15-803a-cbb478a314d7,command_prompt
+defense-evasion,T1112,Modify Registry,36,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
+defense-evasion,T1112,Modify Registry,37,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
+defense-evasion,T1112,Modify Registry,38,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
 defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 defense-evasion,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
@@ -272,6 +272,10 @@
  - Atomic Test #32: Windows Powershell Logging Disabled [windows]
  - Atomic Test #33: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
  - Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
+  - Atomic Test #35: Disable Windows Toast Notifications [windows]
+  - Atomic Test #36: Disable Windows Security Center Notifications [windows]
+  - Atomic Test #37: Suppress Win Defender Notifications [windows]
+  - Atomic Test #38: Allow RDP Remote Assistance Feature [windows]
 - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
@@ -205,6 +205,10 @@
  - Atomic Test #32: Windows Powershell Logging Disabled [windows]
  - Atomic Test #33: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
  - Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
+  - Atomic Test #35: Disable Windows Toast Notifications [windows]
+  - Atomic Test #36: Disable Windows Security Center Notifications [windows]
+  - Atomic Test #37: Suppress Win Defender Notifications [windows]
+  - Atomic Test #38: Allow RDP Remote Assistance Feature [windows]
 - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.001 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -10482,6 +10482,79 @@ defense-evasion:
          '
        name: command_prompt
        elevation_required: true
+    - name: Disable Windows Toast Notifications
+      auto_generated_guid: 003f466a-6010-4b15-803a-cbb478a314d7
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows toast notification.
+        See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications
+          /v ToastEnabled /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications
+          /v ToastEnabled /f >nul 2>&1
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Disable Windows Security Center Notifications
+      auto_generated_guid: 45914594-8df6-4ea9-b3cc-7eb9321a807e
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows security center notification.
+        See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ImmersiveShell
+          /v UseActionCenterExperience /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg delete HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ImmersiveShell
+          /v UseActionCenterExperience /f >nul 2>&1
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Suppress Win Defender Notifications
+      auto_generated_guid: c30dada3-7777-4590-b970-dc890b8cf113
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to suppress the windows defender notification.
+        See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration
+          /v Notification_Suppress /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX
+          Configuration /v Notification_Suppress /f >nul 2>&1
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Allow RDP Remote Assistance Feature
+      auto_generated_guid: 86677d0e-0b5e-4a2b-b302-454175f9aa9e
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to allow rdp remote assistance feature. This feature allow specific
+        user to rdp connect on the targeted machine.
+        See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add HKLM\System\CurrentControlSet\Control\Terminal Server /v
+          fAllowToGetHelp /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg delete HKLM\System\CurrentControlSet\Control\Terminal
+          Server /v fAllowToGetHelp /f >nul 2>&1
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1574.008:
    technique:
      x_mitre_platforms:
@@ -78,6 +78,14 @@ The Registry of a remote system may be modified to aid in execution of files as

 - [Atomic Test #34 - Windows Add Registry Value to Load Service in Safe Mode with Network](#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network)

+- [Atomic Test #35 - Disable Windows Toast Notifications](#atomic-test-35---disable-windows-toast-notifications)
+
+- [Atomic Test #36 - Disable Windows Security Center Notifications](#atomic-test-36---disable-windows-security-center-notifications)
+
+- [Atomic Test #37 - Suppress Win Defender Notifications](#atomic-test-37---suppress-win-defender-notifications)
+
+- [Atomic Test #38 - Allow RDP Remote Assistance Feature](#atomic-test-38---allow-rdp-remote-assistance-feature)
+

 <br/>

@@ -1273,4 +1281,137 @@ reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtomicSafeMod



+<br/>
+<br/>
+
+## Atomic Test #35 - Disable Windows Toast Notifications
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows toast notification.
+See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 003f466a-6010-4b15-803a-cbb478a314d7
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications /v ToastEnabled /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications /v ToastEnabled /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #36 - Disable Windows Security Center Notifications
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows security center notification.
+See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 45914594-8df6-4ea9-b3cc-7eb9321a807e
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ImmersiveShell /v UseActionCenterExperience /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ImmersiveShell /v UseActionCenterExperience /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #37 - Suppress Win Defender Notifications
+Modify the registry of the currently logged in user using reg.exe via cmd console to suppress the windows defender notification.
+See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c30dada3-7777-4590-b970-dc890b8cf113
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration /v Notification_Suppress /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration /v Notification_Suppress /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #38 - Allow RDP Remote Assistance Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to allow rdp remote assistance feature. This feature allow specific
+user to rdp connect on the targeted machine.
+See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 86677d0e-0b5e-4a2b-b302-454175f9aa9e
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add HKLM\System\CurrentControlSet\Control\Terminal Server /v fAllowToGetHelp /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKLM\System\CurrentControlSet\Control\Terminal Server /v fAllowToGetHelp /f >nul 2>&1
+```
+
+
+
+
+
 <br/>