diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index 997b2a40..1e74ca0f 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -160,7 +160,7 @@ atomic_tests:
 auto_generated_guid: ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8
 description: |
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry.
- See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+ See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
 supported_platforms:
 - windows
 executor:
@@ -174,7 +174,7 @@ atomic_tests:
 auto_generated_guid: d2561a6d-72bd-408c-b150-13efe1801c2a
 description: |
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application.
- See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+ See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
 supported_platforms:
 - windows
 executor:
@@ -188,7 +188,7 @@ atomic_tests:
 auto_generated_guid: af254e70-dd0e-4de6-9afe-a994d9ea8b62
 description: |
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application.
- See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+ See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
 supported_platforms:
 - windows
 executor:
@@ -202,7 +202,7 @@ atomic_tests:
 auto_generated_guid: c0d6d67f-1f63-42cc-95c0-5fd6b20082ad
 description: |
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center.
- See how remcos rat abuse this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
+ See how remcos rat abuses this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
 supported_platforms:
 - windows
 executor:
@@ -216,7 +216,7 @@ atomic_tests:
 auto_generated_guid: 6e0d1131-2d7e-4905-8ca5-d6172f05d03d
 description: |
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button.
- See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/
+ See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/
 supported_platforms:
 - windows
 executor:
@@ -230,7 +230,7 @@ atomic_tests:
 auto_generated_guid: e246578a-c24d-46a7-9237-0213ff86fb0c
 description: |
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button.
- See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2
+ See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2
 supported_platforms:
 - windows
 executor:
@@ -246,7 +246,7 @@ atomic_tests:
 auto_generated_guid: d4a6da40-618f-454d-9a9e-26af552aaeb0
 description: |
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature.
- See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
+ See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
 supported_platforms:
 - windows
 executor:
@@ -260,7 +260,7 @@ atomic_tests:
 auto_generated_guid: 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56
 description: |
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature.
- See how ransomware abuse this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
+ See how ransomware abuses this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
 supported_platforms:
 - windows
 executor:
@@ -269,4 +269,214 @@ atomic_tests:
 cleanup_command: |
 reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /f >nul 2>&1
 name: command_prompt
- elevation_required: true
\ No newline at end of file
+ elevation_required: true
+- name: Activate Windows NoDesktop Group Policy Feature
+ auto_generated_guid: 93386d41-525c-4a1b-8235-134a628dee17
+ description: |
+ Modify the registry of the currently logged in user using reg.exe via cmd console to hide all icons on Desktop Group Policy.
+ Take note that some Group Policy changes might require a restart to take effect.
+ See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: Activate Windows NoRun Group Policy Feature
+ auto_generated_guid: d49ff3cc-8168-4123-b5b3-f057d9abbd55
+ description: |
+ Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Run menu from Start Menu Group Policy.
+ Take note that some Group Policy changes might require a restart to take effect.
+ See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /f
+ name: command_prompt
+ elevation_required: true
+- name: Activate Windows NoFind Group Policy Feature
+ auto_generated_guid: ffbb407e-7f1d-4c95-b22e-548169db1fbd
+ description: |
+ Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Search menu from Start Menu Group Policy.
+ Take note that some Group Policy changes might require a restart to take effect.
+ See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: Activate Windows NoControlPanel Group Policy Feature
+ auto_generated_guid: a450e469-ba54-4de1-9deb-9023a6111690
+ description: |
+ Modify the registry of the currently logged in user using reg.exe via cmd console to Disable Control Panel Group Policy.
+ Take note that some Group Policy changes might require a restart to take effect.
+ See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: Activate Windows NoFileMenu Group Policy Feature
+ auto_generated_guid: 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4
+ description: |
+ Modify the registry of the currently logged in user using reg.exe via cmd console to Remove File menu from Windows Explorer Group Policy.
+ Take note that some Group Policy changes might require a restart to take effect.
+ See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: Activate Windows NoClose Group Policy Feature
+ auto_generated_guid: 12f50e15-dbc6-478b-a801-a746e8ba1723
+ description: |
+ Modify the registry of the currently logged in user using reg.exe via cmd console to Disable and remove the Shut Down command Group Policy.
+ Take note that some Group Policy changes might require a restart to take effect.
+ See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: Activate Windows NoSetTaskbar Group Policy Feature
+ auto_generated_guid: d29b7faf-7355-4036-9ed3-719bd17951ed
+ description: |
+ Modify the registry of the currently logged in user using reg.exe via cmd console to Disable changes to Taskbar and Start Menu Settings Group Policy.
+ Take note that some Group Policy changes might require a restart to take effect.
+ See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: Activate Windows NoTrayContextMenu Group Policy Feature
+ auto_generated_guid: 4d72d4b1-fa7b-4374-b423-0fe326da49d2
+ description: |
+ Modify the registry of the currently logged in user using reg.exe via cmd console to Disable context menu for taskbar Group Policy.
+ Take note that some Group Policy changes might require a restart to take effect.
+ See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: Activate Windows NoPropertiesMyDocuments Group Policy Feature
+ auto_generated_guid: 20fc9daa-bd48-4325-9aff-81b967a84b1d
+ description: |
+ Modify the registry of the currently logged in user using reg.exe via cmd console to hide Properties from "My Documents icon" Group Policy.
+ Take note that some Group Policy changes might require a restart to take effect.
+ See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1
+ cleanup_command: |
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: Hide Windows Clock Group Policy Feature
+ auto_generated_guid: 8023db1e-ad06-4966-934b-b6a0ae52689e
+ description: |
+ Modify the registry of the currently logged in user using reg.exe via cmd console to Hide Clock Group Policy.
+ Take note that some Group Policy changes might require a restart to take effect.
+ See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: Windows HideSCAHealth Group Policy Feature
+ auto_generated_guid: a4637291-40b1-4a96-8c82-b28f1d73e54e
+ description: |
+ Modify the registry of the currently logged in user using reg.exe via cmd console to remove security and maintenance icon Group Policy.
+ Take note that some Group Policy changes might require a restart to take effect.
+ See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: Windows HideSCANetwork Group Policy Feature
+ auto_generated_guid: 3e757ce7-eca0-411a-9583-1c33b8508d52
+ description: |
+ Modify the registry of the currently logged in user using reg.exe via cmd console to remove the networking icon Group Policy.
+ Take note that some Group Policy changes might require a restart to take effect.
+ See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: Windows HideSCAPower Group Policy Feature
+ auto_generated_guid: 8d85a5d8-702f-436f-bc78-fcd9119496fc
+ description: |
+ Modify the registry of the currently logged in user using reg.exe via cmd console to remove the battery icon Group Policy.
+ Take note that some Group Policy changes might require a restart to take effect.
+ See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: Windows HideSCAVolume Group Policy Feature
+ auto_generated_guid: 7f037590-b4c6-4f13-b3cc-e424c5ab8ade
+ description: |
+ Modify the registry of the currently logged in user using reg.exe via cmd console to remove the volume icon Group Policy.
+ Take note that some Group Policy changes might require a restart to take effect..
+ See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
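Review bot: The "Activate Windows NoTrayContextMenu Group Policy Feature" test writes a different value than its cleanup removes: the executor runs `reg add ... /v StartMenuLogOff /t REG_DWORD /d 1 /f` while the cleanup runs `reg delete ... /v NoTrayContextMenu /f`, so the test exercises the Start-menu logoff policy rather than the taskbar context-menu policy its name and description claim, and StartMenuLogOff is left set on the host after cleanup. The command should read `reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /t REG_DWORD /d 1 /f`. Separately, the NoPropertiesMyDocuments `reg add` is the only one in this hunk without `/f`; if the value already exists (e.g. a previous run whose cleanup did not execute) reg.exe prompts for overwrite confirmation and the non-interactive executor will hang, so append `/f` there as well. Minor consistency points: the NoRun cleanup omits the `>nul 2>&1` redirection every sibling uses, and the HideSCAVolume description ends in a doubled period.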