diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index a73bb989..99ef2e18 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -471,6 +471,7 @@ defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentia defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell +defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index f9be3e36..44dcf0e7 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -303,6 +303,7 @@ defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentia defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell +defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 309f9f9c..82250c0c 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -746,6 +746,7 @@ - Atomic Test #4: Add domain to Trusted sites Zone [windows] - Atomic Test #5: Javascript in registry [windows] - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows] + - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows] - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1218.005 Mshta](../../T1218.005/T1218.005.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index a75835ee..0c3fa110 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -515,6 +515,7 @@ - Atomic Test #4: Add domain to Trusted sites Zone [windows] - Atomic Test #5: Javascript in registry [windows] - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows] + - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows] - [T1218.005 Mshta](../../T1218.005/T1218.005.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 83b6f585..06a772f0 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -31515,6 +31515,30 @@ defense-evasion: ' name: powershell + - name: BlackByte Ransomware Registry Changes - CMD + auto_generated_guid: 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b + description: | + This task recreates the steps taken by BlackByte ransomware before it worms to other machines. See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/ + The steps are as follows: +
    +
  1. 1. Elevate Local Privilege by disabling UAC Remote Restrictions
    2. +
  2. 2. Enable OS to share network connections between different privilege levels
    3. +
  3. 3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths
    4. +
+ The registry keys and their respective values will be created upon successful execution. + supported_platforms: + - windows + executor: + command: | + cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f + cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f + cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f 2>&1 + reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f 2>&1 + reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1 + name: command_prompt + elevation_required: true T1601: technique: external_references: diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index 845779ed..44587434 100644 --- a/atomics/T1112/T1112.md +++ b/atomics/T1112/T1112.md @@ -22,6 +22,8 @@ The Registry of a remote system may be modified to aid in execution of files as - [Atomic Test #6 - Change Powershell Execution Policy to Bypass](#atomic-test-6---change-powershell-execution-policy-to-bypass) +- [Atomic Test #7 - BlackByte Ransomware Registry Changes - CMD](#atomic-test-7---blackbyte-ransomware-registry-changes---cmd) +
@@ -246,4 +248,47 @@ try { Set-ExecutionPolicy -ExecutionPolicy #{default_execution_policy} -Scope Lo +
+
+ +## Atomic Test #7 - BlackByte Ransomware Registry Changes - CMD +This task recreates the steps taken by BlackByte ransomware before it worms to other machines. See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/ +The steps are as follows: +
    +
  1. 1. Elevate Local Privilege by disabling UAC Remote Restrictions
    2. +
  2. 2. Enable OS to share network connections between different privilege levels
    3. +
  3. 3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths
    4. +
+The registry keys and their respective values will be created upon successful execution. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f +cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f +cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f 2>&1 +reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f 2>&1 +reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1 +``` + + + + +