Generated docs from job=generate-docs branch=master [ci skip]

2023-09-02 01:36:39 +00:00
parent 81d3e7889a
commit 38368fe078
10 changed files with 161 additions and 2 deletions
@@ -1183,6 +1183,7 @@ lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,
 lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,1,RDP to DomainController,355d4632-8cb9-449d-91ce-b566d0253d3e,powershell
 lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,2,Changing RDP Port to Non Standard Port via Powershell,2f840dd4-8a2e-4f44-beb3-6b2399ea3771,powershell
 lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,3,Changing RDP Port to Non Standard Port via Command_Prompt,74ace21e-a31c-4f7d-b540-53e4eb6d1f73,command_prompt
+lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,4,Disable NLA for RDP via Command Prompt,01d1c6c0-faf0-408e-b368-752a02285cb2,command_prompt
 credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
 credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
 credential-access,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
@@ -1470,6 +1471,7 @@ discovery,T1082,System Information Discovery,23,Azure Security Scan with SkyArk,
 discovery,T1082,System Information Discovery,24,Linux List Kernel Modules,034fe21c-3186-49dd-8d5d-128b35f181c7,sh
 discovery,T1082,System Information Discovery,25,System Information Discovery with WMIC,8851b73a-3624-4bf7-8704-aa312411565c,command_prompt
 discovery,T1082,System Information Discovery,26,Driver Enumeration using DriverQuery,bd85e3d1-4aeb-4a1d-850f-7be3cb8d60b9,command_prompt
+discovery,T1082,System Information Discovery,27,System Information Discovery,4060ee98-01ae-4c8e-8aad-af8300519cc7,command_prompt
 discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
 discovery,T1580,Cloud Infrastructure Discovery,1,AWS - EC2 Enumeration from Cloud Instance,99ee161b-dcb1-4276-8ecb-7cfdcb207820,sh
 discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
@@ -807,6 +807,7 @@ lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,
 lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,1,RDP to DomainController,355d4632-8cb9-449d-91ce-b566d0253d3e,powershell
 lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,2,Changing RDP Port to Non Standard Port via Powershell,2f840dd4-8a2e-4f44-beb3-6b2399ea3771,powershell
 lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,3,Changing RDP Port to Non Standard Port via Command_Prompt,74ace21e-a31c-4f7d-b540-53e4eb6d1f73,command_prompt
+lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,4,Disable NLA for RDP via Command Prompt,01d1c6c0-faf0-408e-b368-752a02285cb2,command_prompt
 credential-access,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
 credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
@@ -1007,6 +1008,7 @@ discovery,T1082,System Information Discovery,21,WinPwn - PowerSharpPack - Sharpu
 discovery,T1082,System Information Discovery,22,WinPwn - PowerSharpPack - Seatbelt,5c16ceb4-ba3a-43d7-b848-a13c1f216d95,powershell
 discovery,T1082,System Information Discovery,25,System Information Discovery with WMIC,8851b73a-3624-4bf7-8704-aa312411565c,command_prompt
 discovery,T1082,System Information Discovery,26,Driver Enumeration using DriverQuery,bd85e3d1-4aeb-4a1d-850f-7be3cb8d60b9,command_prompt
+discovery,T1082,System Information Discovery,27,System Information Discovery,4060ee98-01ae-4c8e-8aad-af8300519cc7,command_prompt
 discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
 discovery,T1217,Browser Bookmark Discovery,4,List Google Chrome / Opera Bookmarks on Windows with powershell,faab755e-4299-48ec-8202-fc7885eb6545,powershell
 discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt,76f71e2f-480e-4bed-b61e-398fe17499d5,command_prompt
@@ -1896,6 +1896,7 @@
  - Atomic Test #1: RDP to DomainController [windows]
  - Atomic Test #2: Changing RDP Port to Non Standard Port via Powershell [windows]
  - Atomic Test #3: Changing RDP Port to Non Standard Port via Command_Prompt [windows]
+  - Atomic Test #4: Disable NLA for RDP via Command Prompt [windows]
 - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1077 Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

@@ -2282,6 +2283,7 @@
  - Atomic Test #24: Linux List Kernel Modules [linux]
  - Atomic Test #25: System Information Discovery with WMIC [windows]
  - Atomic Test #26: Driver Enumeration using DriverQuery [windows]
+  - Atomic Test #27: System Information Discovery [windows]
 - [T1010 Application Window Discovery](../../T1010/T1010.md)
  - Atomic Test #1: List Process Main Windows - C# .NET [windows]
 - T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1348,6 +1348,7 @@
  - Atomic Test #1: RDP to DomainController [windows]
  - Atomic Test #2: Changing RDP Port to Non Standard Port via Powershell [windows]
  - Atomic Test #3: Changing RDP Port to Non Standard Port via Command_Prompt [windows]
+  - Atomic Test #4: Disable NLA for RDP via Command Prompt [windows]
 - T1077 Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # credential-access
@@ -1629,6 +1630,7 @@
  - Atomic Test #22: WinPwn - PowerSharpPack - Seatbelt [windows]
  - Atomic Test #25: System Information Discovery with WMIC [windows]
  - Atomic Test #26: Driver Enumeration using DriverQuery [windows]
+  - Atomic Test #27: System Information Discovery [windows]
 - [T1010 Application Window Discovery](../../T1010/T1010.md)
  - Atomic Test #1: List Process Main Windows - C# .NET [windows]
 - T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -84416,6 +84416,30 @@ lateral-movement:
          net start TermService >nul 2>&1
        name: command_prompt
        elevation_required: true
+    - name: Disable NLA for RDP via Command Prompt
+      auto_generated_guid: 01d1c6c0-faf0-408e-b368-752a02285cb2
+      description: |
+        Disables network-level authentication (NLA) for RDP by changing a registry key via Command Prompt
+        Disabling NLA for RDP can allow remote user interaction with the Windows sign-in screen prior to authentication. According to Microsoft, Flax Typhoon actors used this technique implementation to achieve persistence on victim systems: https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/
+        See also: https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/management/enable_rdp.py
+      supported_platforms:
+      - windows
+      input_arguments:
+        Default_UserAuthentication:
+          description: Default UserAuthentication registry value
+          type: string
+          default: '1'
+      executor:
+        command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
+          Server\WinStations\RDP-Tcp" /v UserAuthentication /d 0 /t REG_DWORD /f
+
+          '
+        cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
+          Server\WinStations\RDP-Tcp" /v UserAuthentication /d #{Default_UserAuthentication}
+          /t REG_DWORD -f >nul 2>&1
+
+          '
+        name: command_prompt
  T1550.001:
    technique:
      modified: '2023-05-04T18:04:17.588Z'
@@ -99060,6 +99084,22 @@ discovery:
          driverquery /v
          driverquery /si
        name: command_prompt
+    - name: System Information Discovery
+      auto_generated_guid: 4060ee98-01ae-4c8e-8aad-af8300519cc7
+      description: 'The script gathernetworkinfo.vbs is employed to collect system
+        information such as the operating system, DNS details, firewall configuration,
+        etc. Outputs are stored in c:\Windows\System32\config or c:\Windows\System32\reg.
+        https://www.verboon.info/2011/06/the-gathernetworkinfo-vbs-script/
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'wscript.exe C:\Windows\System32\gatherNetworkInfo.vbs
+
+          '
+        elevation_required: true
+        name: command_prompt
  T1010:
    technique:
      modified: '2023-04-15T16:46:04.776Z'
@@ -72960,6 +72960,30 @@ lateral-movement:
          net start TermService >nul 2>&1
        name: command_prompt
        elevation_required: true
+    - name: Disable NLA for RDP via Command Prompt
+      auto_generated_guid: 01d1c6c0-faf0-408e-b368-752a02285cb2
+      description: |
+        Disables network-level authentication (NLA) for RDP by changing a registry key via Command Prompt
+        Disabling NLA for RDP can allow remote user interaction with the Windows sign-in screen prior to authentication. According to Microsoft, Flax Typhoon actors used this technique implementation to achieve persistence on victim systems: https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/
+        See also: https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/management/enable_rdp.py
+      supported_platforms:
+      - windows
+      input_arguments:
+        Default_UserAuthentication:
+          description: Default UserAuthentication registry value
+          type: string
+          default: '1'
+      executor:
+        command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
+          Server\WinStations\RDP-Tcp" /v UserAuthentication /d 0 /t REG_DWORD /f
+
+          '
+        cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
+          Server\WinStations\RDP-Tcp" /v UserAuthentication /d #{Default_UserAuthentication}
+          /t REG_DWORD -f >nul 2>&1
+
+          '
+        name: command_prompt
  T1550.001:
    technique:
      modified: '2023-05-04T18:04:17.588Z'
@@ -84860,6 +84884,22 @@ discovery:
          driverquery /v
          driverquery /si
        name: command_prompt
+    - name: System Information Discovery
+      auto_generated_guid: 4060ee98-01ae-4c8e-8aad-af8300519cc7
+      description: 'The script gathernetworkinfo.vbs is employed to collect system
+        information such as the operating system, DNS details, firewall configuration,
+        etc. Outputs are stored in c:\Windows\System32\config or c:\Windows\System32\reg.
+        https://www.verboon.info/2011/06/the-gathernetworkinfo-vbs-script/
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'wscript.exe C:\Windows\System32\gatherNetworkInfo.vbs
+
+          '
+        elevation_required: true
+        name: command_prompt
  T1010:
    technique:
      modified: '2023-04-15T16:46:04.776Z'
@@ -14,6 +14,8 @@ Adversaries may connect to a remote system over RDP/RDS to expand access if the

 - [Atomic Test #3 - Changing RDP Port to Non Standard Port via Command_Prompt](#atomic-test-3---changing-rdp-port-to-non-standard-port-via-command_prompt)

+- [Atomic Test #4 - Disable NLA for RDP via Command Prompt](#atomic-test-4---disable-nla-for-rdp-via-command-prompt)
+

 <br/>

@@ -155,4 +157,43 @@ net start TermService >nul 2>&1



+<br/>
+<br/>
+
+## Atomic Test #4 - Disable NLA for RDP via Command Prompt
+Disables network-level authentication (NLA) for RDP by changing a registry key via Command Prompt
+Disabling NLA for RDP can allow remote user interaction with the Windows sign-in screen prior to authentication. According to Microsoft, Flax Typhoon actors used this technique implementation to achieve persistence on victim systems: https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/
+See also: https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/management/enable_rdp.py
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 01d1c6c0-faf0-408e-b368-752a02285cb2
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| Default_UserAuthentication | Default UserAuthentication registry value | string | 1|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d 0 /t REG_DWORD /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d #{Default_UserAuthentication} /t REG_DWORD -f >nul 2>&1
+```
+
+
+
+
+
 <br/>
@@ -60,6 +60,8 @@ Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure a

 - [Atomic Test #26 - Driver Enumeration using DriverQuery](#atomic-test-26---driver-enumeration-using-driverquery)

+- [Atomic Test #27 - System Information Discovery](#atomic-test-27---system-information-discovery)
+

 <br/>

@@ -931,4 +933,32 @@ driverquery /si



+<br/>
+<br/>
+
+## Atomic Test #27 - System Information Discovery
+The script gathernetworkinfo.vbs is employed to collect system information such as the operating system, DNS details, firewall configuration, etc. Outputs are stored in c:\Windows\System32\config or c:\Windows\System32\reg. https://www.verboon.info/2011/06/the-gathernetworkinfo-vbs-script/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4060ee98-01ae-4c8e-8aad-af8300519cc7
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+wscript.exe C:\Windows\System32\gatherNetworkInfo.vbs
+```
+
+
+
+
+
+
 <br/>