From 19f1ee8e97f1e34059fa1c96f4ef98cfbed2acd2 Mon Sep 17 00:00:00 2001
From: John Chamblee <42752805+JChamblee99@users.noreply.github.com>
Date: Thu, 23 Feb 2023 22:32:18 -0600
Subject: [PATCH] Added T1112 Event Viewer persistence (#2346)

Co-authored-by: Carrie Roberts
---
 atomics/T1112/T1112.yaml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index dc55d583..517da768 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -735,3 +735,31 @@ atomic_tests:
 reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /f >nul 2>&1
 name: command_prompt
 elevation_required: true
+- name: Event Viewer Registry Modification - Redirection URL
+ description: Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will open the URL or execute the program defined in the redirection URL registry entry.
+ supported_platforms:
+ - windows
+ input_arguments:
+ redirection_url:
+ description: URL to open or file URI to execute upon opening the event help
+ type: url
+ default: file://C:\windows\system32\notepad.exe
+ executor:
+ command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionURL /t REG_SZ /d "#{redirection_url}" /f
+ cleanup_command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionURL /t REG_SZ /d "http://go.microsoft.com/fwlink/events.asp" /f
+ name: command_prompt
+ elevation_required: true
+- name: Event Viewer Registry Modification - Redirection Program
+ description: Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will execute the program defined in thed redirection program registry entry.
+ supported_platforms:
+ - windows
+ input_arguments:
+ redirection_program:
+ description: Path of the program to execute upon opening the event help
+ type: path
+ default: C:\windows\system32\notepad.exe
+ executor:
+ command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /d "#{redirection_program}" /f
+ cleanup_command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /f
+ name: command_prompt
+ elevation_required: true
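Review bot: The cleanup_command of the "Redirection Program" test runs `reg add ... /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /f` with no `/d`, which does not remove the value but rewrites it as an empty REG_EXPAND_SZ, so after cleanup the host is in neither its pre-test state nor a documented default and a leftover artifact remains under the Event Viewer key. If the value is not present on a stock system, cleanup should delete it the way the preceding test's cleanup does, `cleanup_command: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionProgram /f >nul 2>&1`; if Windows ships a default for it, cleanup should restore that default explicitly with `/d`, as the "Redirection URL" test does with the `events.asp` link. Either way the cleanup in the URL test also overwrites any pre-existing customised value rather than restoring it, which is worth a one-line note in that test's description so operators know to snapshot the key first. Separately, the second description has a typo, `thed redirection program` should read `the redirection program`.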