Disable Windows Notification And Some Group Policy Features. (#1813)

* Update T1112.yaml

* Update T1112.yaml

* typos

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
tccontre
2022-03-16 01:44:39 +01:00
committed by GitHub
parent 341b5b1987
commit 1cb8a5395b
+219 -9
@@ -160,7 +160,7 @@ atomic_tests:
auto_generated_guid: ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry.
See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
supported_platforms:
- windows
executor:
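Review bot: the corrected description line still reads awkwardly; "See example how Agent Tesla malware abuses this technique:" would be clearer as "See an example of how Agent Tesla malware abuses this technique:". The same sentence appears in the next two hunks, so the wording change should be applied to all three.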
@@ -174,7 +174,7 @@ atomic_tests:
auto_generated_guid: d2561a6d-72bd-408c-b150-13efe1801c2a
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application.
See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
supported_platforms:
- windows
executor:
@@ -188,7 +188,7 @@ atomic_tests:
auto_generated_guid: af254e70-dd0e-4de6-9afe-a994d9ea8b62
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application.
See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
supported_platforms:
- windows
executor:
@@ -202,7 +202,7 @@ atomic_tests:
auto_generated_guid: c0d6d67f-1f63-42cc-95c0-5fd6b20082ad
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center.
See how remcos rat abuse this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
See how remcos rat abuses this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
supported_platforms:
- windows
executor:
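Review bot: style point on the reference line: "See how remcos rat abuses this technique- https://..." uses "technique-" where the hunks above use "technique:", and "remcos rat" is a product name; suggest "See how the Remcos RAT abuses this technique: https://..." for consistency. The hunks below that use the "technique-" form should follow the same format.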
@@ -216,7 +216,7 @@ atomic_tests:
auto_generated_guid: 6e0d1131-2d7e-4905-8ca5-d6172f05d03d
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button.
See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/
See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/
supported_platforms:
- windows
executor:
@@ -230,7 +230,7 @@ atomic_tests:
auto_generated_guid: e246578a-c24d-46a7-9237-0213ff86fb0c
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button.
See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2
See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2
supported_platforms:
- windows
executor:
@@ -246,7 +246,7 @@ atomic_tests:
auto_generated_guid: d4a6da40-618f-454d-9a9e-26af552aaeb0
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature.
See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
supported_platforms:
- windows
executor:
@@ -260,7 +260,7 @@ atomic_tests:
auto_generated_guid: 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature.
See how ransomware abuse this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
See how ransomware abuses this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
supported_platforms:
- windows
executor:
@@ -269,4 +269,214 @@ atomic_tests:
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /f >nul 2>&1
name: command_prompt
elevation_required: true
elevation_required: true
- name: Activate Windows NoDesktop Group Policy Feature
auto_generated_guid: 93386d41-525c-4a1b-8235-134a628dee17
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to hide all icons on Desktop Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Activate Windows NoRun Group Policy Feature
auto_generated_guid: d49ff3cc-8168-4123-b5b3-f057d9abbd55
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Run menu from Start Menu Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /f
name: command_prompt
elevation_required: true
- name: Activate Windows NoFind Group Policy Feature
auto_generated_guid: ffbb407e-7f1d-4c95-b22e-548169db1fbd
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Search menu from Start Menu Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Activate Windows NoControlPanel Group Policy Feature
auto_generated_guid: a450e469-ba54-4de1-9deb-9023a6111690
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to Disable Control Panel Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Activate Windows NoFileMenu Group Policy Feature
auto_generated_guid: 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to Remove File menu from Windows Explorer Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d 1 /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Activate Windows NoClose Group Policy Feature
auto_generated_guid: 12f50e15-dbc6-478b-a801-a746e8ba1723
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to Disable and remove the Shut Down command Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Activate Windows NoSetTaskbar Group Policy Feature
auto_generated_guid: d29b7faf-7355-4036-9ed3-719bd17951ed
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to Disable changes to Taskbar and Start Menu Settings Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /t REG_DWORD /d 1 /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Activate Windows NoTrayContextMenu Group Policy Feature
auto_generated_guid: 4d72d4b1-fa7b-4374-b423-0fe326da49d2
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to Disable context menu for taskbar Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Activate Windows NoPropertiesMyDocuments Group Policy Feature
auto_generated_guid: 20fc9daa-bd48-4325-9aff-81b967a84b1d
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to hide Properties from "My Documents icon" Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Hide Windows Clock Group Policy Feature
auto_generated_guid: 8023db1e-ad06-4966-934b-b6a0ae52689e
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to Hide Clock Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /t REG_DWORD /d 1 /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Windows HideSCAHealth Group Policy Feature
auto_generated_guid: a4637291-40b1-4a96-8c82-b28f1d73e54e
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to remove security and maintenance icon Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 1 /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Windows HideSCANetwork Group Policy Feature
auto_generated_guid: 3e757ce7-eca0-411a-9583-1c33b8508d52
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to remove the networking icon Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /t REG_DWORD /d 1 /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Windows HideSCAPower Group Policy Feature
auto_generated_guid: 8d85a5d8-702f-436f-bc78-fcd9119496fc
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to remove the battery icon Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /t REG_DWORD /d 1 /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Windows HideSCAVolume Group Policy Feature
auto_generated_guid: 7f037590-b4c6-4f13-b3cc-e424c5ab8ade
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to remove the volume icon Group Policy.
Take note that some Group Policy changes might require a restart to take effect..
See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
supported_platforms:
- windows
executor:
command: |
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /t REG_DWORD /d 1 /f
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /f >nul 2>&1
name: command_prompt
elevation_required: true
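Review bot: the NoTrayContextMenu test's command and cleanup do not match: the command runs `reg add "...\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f` while the cleanup runs `reg delete "...\Policies\Explorer" /v NoTrayContextMenu /f >nul 2>&1`, so the test never sets the value named in its title and the cleanup deletes a value it never created; the `/v` argument in the add command should be NoTrayContextMenu. Further in this hunk: the NoPropertiesMyDocuments add command is missing the trailing `/f`, so `reg add` will prompt for overwrite confirmation when the value already exists and the executor will hang on the prompt; the NoRun cleanup (`reg delete ... /v NoRun /f`) lacks the `>nul 2>&1` that every other cleanup_command in the file uses; the HideSCAVolume description ends with a doubled period ("take effect.."); and the hunk opens with two consecutive `elevation_required: true` lines, which is harmless if it only reflects adding the missing newline at end of file but should be checked so the key is not actually duplicated in the YAML.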