diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml index 1d4ccbef..4ba85995 100644 --- a/atomics/T1112/T1112.yaml +++ b/atomics/T1112/T1112.yaml @@ -605,6 +605,7 @@ atomic_tests: name: command_prompt elevation_required: true - name: NetWire RAT Registry Key Creation + auto_generated_guid: 65704cd4-6e36-4b90-b6c1-dc29a82c8e56 description: | NetWire continues to create its home key (HKCU\SOFTWARE\NetWire) as well as adding it into the auto-run group in the victim’s registry. See how NetWire malware - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/ @@ -622,6 +623,7 @@ atomic_tests: name: command_prompt elevation_required: true - name: Ursnif Malware Registry Key Creation + auto_generated_guid: c375558d-7c25-45e9-bd64-7b23a97c1db0 description: | Ursnif downloads additional modules from the C&C server and saves these in the registry folder HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\ More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/ @@ -636,6 +638,7 @@ atomic_tests: name: command_prompt elevation_required: true - name: Terminal Server Client Connection History Cleared + auto_generated_guid: 3448824b-3c35-4a9e-a8f5-f887f68bea21 description: | The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe) saves the remote computer name (or IP address) and the username that is used to login after each successful connection to the remote computer supported_platforms: diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 7d29770a..bb85bf27 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -1076,3 +1076,6 @@ c30dada3-7777-4590-b970-dc890b8cf113 86677d0e-0b5e-4a2b-b302-454175f9aa9e 161d694c-b543-4434-85c3-c3a433e33792 ecca999b-e0c8-40e8-8416-ad320b146a75 +65704cd4-6e36-4b90-b6c1-dc29a82c8e56 +c375558d-7c25-45e9-bd64-7b23a97c1db0 +3448824b-3c35-4a9e-a8f5-f887f68bea21
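Review bot: The NetWire description shown in context reads "See how NetWire malware - https://app.any.run/..." with no verb completing the sentence; since this hunk touches the test's metadata anyway, consider finishing it (e.g. "See how NetWire malware behaves in this sandbox report: https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/") and replacing the curly apostrophe in "victim’s" with a plain one so the YAML stays ASCII-clean. The new `auto_generated_guid` value matches the first GUID appended to used_guids.txt, so the identifier itself looks consistent.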
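Review bot: In the Ursnif hunk, "registry folder" should be "registry key"; the path HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\ is a key, and the trailing backslash makes it unclear whether a subkey name was dropped. Stating the full key a defender would watch makes the test more useful for detection validation. The added GUID c375558d-... is present in used_guids.txt.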
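Review bot: The description for "Terminal Server Client Connection History Cleared" only explains what mstsc.exe stores after a successful connection and never says what the test does (the name implies it deletes that history under HKCU). Add a sentence describing the action taken, since that is what a detection engineer needs in order to map the test to the registry-deletion telemetry they expect. The added GUID 3448824b-... matches the third line appended to used_guids.txt.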
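Review bot: The three GUIDs appended to used_guids.txt match the three `auto_generated_guid` values inserted in T1112.yaml, so the two files stay in sync in this change. Because the list is unordered and maintained by hand, a duplicate or a GUID present in one file but not the other would go unnoticed; if the repository does not already have one, a CI check that every `auto_generated_guid` in the atomics appears exactly once here (and vice versa) would catch that class of mistake.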