From 4dbf79a202335ed40cf8560970a5e32a64547bda Mon Sep 17 00:00:00 2001
From: arames13 <91679765+arames13@users.noreply.github.com>
Date: Wed, 3 Aug 2022 10:19:14 -0500
Subject: [PATCH] update T1562.001 (#2064)

Co-authored-by: anupama ramesh
Co-authored-by: Carrie Roberts
---
 atomics/T1562.001/T1562.001.yaml | 60 ++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index e5cceee5..1d24ce14 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -663,4 +663,64 @@ atomic_tests:
 Set-MpPreference -dscrptsc 0
 Set-MpPreference -dbaf 0
 name: powershell
+ elevation_required: true
+- name: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd
+ description: |
+ LockBit Black - Disable Privacy Settings Experience Using Registry
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg delete "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: LockBit Black - Use Registry Editor to turn on automatic logon -cmd
+ description: |
+ LockBit Black - Use Registry Editor to turn on automatic logon
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_DWORD /d 1 /f
+ reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Administrator /f
+ reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /t REG_SZ /d contoso.com /f
+ reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d password1 /f
+ cleanup_command: |
+ reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /f >nul 2>&1
+ reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /f >nul 2>&1
+ reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /f >nul 2>&1
+ reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell
+ description: |
+ LockBit Black - Disable Privacy Settings Experience Using Registry
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ New-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE" -Name DisablePrivacyExperience -PropertyType DWord -Value 0 -Force
+ cleanup_command: |
+ Remove-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE" -Name DisablePrivacyExperience -Force -ErrorAction Ignore
+ name: powershell
+ elevation_required: true
+- name: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell
+ description: |
+ Lockbit Black - Use Registry Editor to turn on automatic logon
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -PropertyType DWord -Value 1 -Force
+ New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value Administrator -Force
+ New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Value contoso.com -Force
+ New-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value password1 -Force
+ cleanup_command: |
+ Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Force -ErrorAction Ignore
+ Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Force -ErrorAction Ignore
+ Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Force -ErrorAction Ignore
+ Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Force -ErrorAction Ignore
+ name: powershell
 elevation_required: true
\ No newline at end of file
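Review bot: The PowerShell "Disable Privacy Settings Experience" test writes `-Value 0` to DisablePrivacyExperience while its cmd twin writes `/d 1`, so the PowerShell variant leaves the value at the non-disabling state and does not exercise the technique its name and description claim; change it to `New-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE" -Name DisablePrivacyExperience -PropertyType DWord -Value 1 -Force`. Both PowerShell tests also assume their target keys already exist: unlike `reg add`, `New-ItemProperty` does not create a missing key, and the Policies\...\OOBE and Policies\...\Winlogon keys are not normally present on a host that has no such policy applied (confirm on a clean VM), so prepending `New-Item -Path "<key>" -Force | Out-Null` to each PowerShell command block would keep them from failing with a path-not-found error. The cmd cleanups delete only the values and leave behind any key that `reg add` created, so cleanup does not restore the pre-test state on such hosts. The autologon tests hard-code `Administrator`, `contoso.com` and `password1` and write them as REG_SZ values under HKLM, i.e. in cleartext; exposing them as input_arguments with these defaults and noting in the description that DefaultPassword is stored unencrypted would let operators avoid planting a real-looking credential. The hunk's leading context lines belong to the preceding Set-MpPreference test, whose start is outside the hunk.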