diff --git a/Windows/Persistence/Application_Shimming.md b/Windows/Persistence/Application_Shimming.md deleted file mode 100644 index 0cb07b37..00000000 --- a/Windows/Persistence/Application_Shimming.md +++ /dev/null @@ -1,21 +0,0 @@ -## Application Shimming - -MITRE ATT&CK Technique: [T1138](https://attack.mitre.org/wiki/Technique/T1138) - -#### Deploying a custom shim database to users requires the following actions: - -##### 1.) Placing the custom shim database (*.sdb file) in a location to which the user’s computer has access (either locally or on the network) - -##### 2.) Possibly calling the sdbinst.exe command-line utility to install the custom shim database locally. - -##### 3.) Registry Modification - This is completed either manually or by an installation tool. - - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom - - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB - -#### Detecting the shim execution is difficult. We suggest detection of Shim Installation. - -## Test Script - -[AppCompatShims](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AppCompatShims) diff --git a/Windows/Persistence/Authentication_Package.md b/Windows/Persistence/Authentication_Package.md deleted file mode 100644 index 759b89b0..00000000 --- a/Windows/Persistence/Authentication_Package.md +++ /dev/null @@ -1,5 +0,0 @@ -## Authentication Package - -MITRE ATT&CK Technique: [T1131](https://attack.mitre.org/wiki/Technique/T1131) - - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ diff --git a/Windows/Persistence/Hooking.md b/Windows/Persistence/Hooking.md deleted file mode 100644 index 8c279f92..00000000 --- a/Windows/Persistence/Hooking.md +++ /dev/null 
@@ -1,11 +0,0 @@ -## Hooking - -MITRE ATT&CK Technique: [T1179](https://attack.mitre.org/wiki/Technique/T1179) - -### Sample Windows DLL Injection into PowerShell - - mavinject $pid /INJECTRUNNING C:\Atomic\AtomicSSLHook.dll - -## Test Script - -[AtomicSSLHook.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/Hooking/)
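Review bot: the Application_Shimming.md hunk deletes the two registry locations that the file's own detection guidance depends on (`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom` and `...\AppCompatFlags\InstalledSDB`) together with the note "We suggest detection of Shim Installation", and nothing else in this diff adds them back. If the markdown is being consolidated into another format, the replacement should carry those two key paths and the installation-based detection advice, since they are the only defender-facing content in the file; also note the T1138 link uses the old `attack.mitre.org/wiki/Technique/` path, so any migrated copy should be checked against the current technique URL.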
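Review bot: the Authentication_Package.md hunk removes a file that consisted only of the T1131 link and the bare registry path `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\` with no description of what to monitor there or a test-script link, so the deletion loses little, but the Lsa key path is still the one fact a detection author would want; if a replacement document exists it should be named in the commit so reviewers can confirm the path was carried over rather than silently dropped.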
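Review bot: the Hooking.md hunk deletes the only pointer to the test payload, and the pointer it removes was already inconsistent: the link text reads `AtomicSSLHook.dll` while the URL ends at the `Windows/Payloads/Hooking/` directory, and the sample command assumes a hardcoded `C:\Atomic\AtomicSSLHook.dll` path that the file never explains how to stage. If this content is being moved, the new location should link the actual file rather than the directory and state where the DLL is expected to reside, so the test remains reproducible for blue teams validating their hooking detections.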