new atomic T1112 (#1281)

* new atomic T1112

* typo fix

Co-authored-by: P4T12ICK <pbareib@splunk.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/Indexes/Indexes-CSV/index.csv

@@ -358,6 +358,7 @@ defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,2
 defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
 defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
 defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
+defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -144,6 +144,7 @@ defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,2
 defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
 defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
 defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
+defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -668,6 +668,7 @@
   - Atomic Test #3: Modify registry to store logon credentials [windows]
   - Atomic Test #4: Add domain to Trusted sites Zone [windows]
   - Atomic Test #5: Javascript in registry [windows]
+  - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
   - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -266,6 +266,7 @@
   - Atomic Test #3: Modify registry to store logon credentials [windows]
   - Atomic Test #4: Add domain to Trusted sites Zone [windows]
   - Atomic Test #5: Javascript in registry [windows]
+  - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
   - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
   - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]

atomics/Indexes/index.yaml

@@ -29312,6 +29312,27 @@ defense-evasion:
         cleanup_command: 'Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet
           Settings" -Name T1112 -ErrorAction Ignore
 
+'
+        name: powershell
+    - name: Change Powershell Execution Policy to Bypass
+      auto_generated_guid: f3a6cceb-06c9-48e5-8df8-8867a6814245
+      description: |
+        Attackers needs to change the powershell execution policy in order to run their malicious powershell scripts.
+        They can either specify it during the execution of the powershell script or change the registry value for it.
+      supported_platforms:
+      - windows
+      input_arguments:
+        default_execution_policy:
+          description: Specify the default poweshell execution policy
+          type: String
+          default: Default
+      executor:
+        command: 'Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope LocalMachine
+
+'
+        cleanup_command: 'Set-ExecutionPolicy -ExecutionPolicy #{default_execution_policy}
+          -Scope LocalMachine
+
 '
         name: powershell
   T1218.005:

atomics/T1112/T1112.md

@@ -20,6 +20,8 @@ The Registry of a remote system may be modified to aid in execution of files as
 
 - [Atomic Test #5 - Javascript in registry](#atomic-test-5---javascript-in-registry)
 
+- [Atomic Test #6 - Change Powershell Execution Policy to Bypass](#atomic-test-6---change-powershell-execution-policy-to-bypass)
+
 
 <br/>
 
@@ -186,4 +188,38 @@ Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Se
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - Change Powershell Execution Policy to Bypass
+Attackers needs to change the powershell execution policy in order to run their malicious powershell scripts.
+They can either specify it during the execution of the powershell script or change the registry value for it.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| default_execution_policy | Specify the default poweshell execution policy | String | Default|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope LocalMachine
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ExecutionPolicy -ExecutionPolicy #{default_execution_policy} -Scope LocalMachine
+```
+
+
+
+
+
 <br/>

atomics/T1112/T1112.yaml

@@ -91,3 +91,21 @@ atomic_tests:
       Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -ErrorAction Ignore
     name: powershell
 
+- name: Change Powershell Execution Policy to Bypass
+  auto_generated_guid: f3a6cceb-06c9-48e5-8df8-8867a6814245
+  description: |
+    Attackers need to change the powershell execution policy in order to run their malicious powershell scripts.
+    They can either specify it during the execution of the powershell script or change the registry value for it.
+  supported_platforms:
+  - windows
+  input_arguments:
+    default_execution_policy:
+      description: Specify the default poweshell execution policy
+      type: String
+      default: Default
+  executor:
+    command: |
+      Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope LocalMachine
+    cleanup_command: |
+      Set-ExecutionPolicy -ExecutionPolicy #{default_execution_policy} -Scope LocalMachine
+    name: powershell