Updated PR 2461 2463 into a new one (#2655)

* updating ttp

* updating atomics from PR and adding new

* update command

---------

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Bhavin Patel
2024-01-18 13:56:30 -08:00
committed by GitHub
parent 5c828eca90
commit 640330c513
@@ -667,3 +667,27 @@ atomic_tests:
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name PromptOnSecureDesktop -Value 1 -Type Dword -Force
name: powershell
elevation_required: true
- name: Disable UAC notification via registry keys
description: |
This atomic regarding UACDisableNotify pertains to the notification behavior of UAC. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. The BlotchyQuasar RAT defense evasion activities that the adversary to disable UAC notifications makes it easier for malware and malicious software to execute with elevated privileges. [Article](https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/)
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify /t REG_DWORD /d 1 /f
cleanup_command: |
reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify /t REG_DWORD /d 0 /f
name: command_prompt
- name: Disable ConsentPromptBehaviorAdmin via registry keys
description: |
This atomic regarding setting ConsentPromptBehaviorAdmin to 0 configures the UAC so that it does not prompt for consent or credentials when actions requiring elevated privileges are performed by users in the administrators group. This means that any operation that would normally trigger a UAC prompt will proceed automatically without user interaction.
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
cleanup_command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
name: command_prompt
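Review bot: both new tests write under HKLM (`reg add "HKLM\SOFTWARE\Microsoft\Security Center" ...` and `reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ...`), yet in the visible lines neither carries `elevation_required: true`, while the preceding test at the top of the hunk does; without it the executor will attempt the write unelevated and the test fails with access denied rather than exercising the technique. Add `elevation_required: true` under each `executor:` block. Also, the UACDisableNotify description has a broken sentence ("The BlotchyQuasar RAT defense evasion activities that the adversary to disable UAC notifications makes it easier ...") that should be rewritten, e.g. "The BlotchyQuasar RAT used this setting to disable UAC notifications, which makes it easier for malware to execute with elevated privileges." Finally, the ConsentPromptBehaviorAdmin cleanup hardcodes `/d 5` (the Windows default) rather than restoring the pre-test value; that is consistent with how the rest of the file handles cleanup, but worth a one-line note in the description so users on hardened baselines know the cleanup may not return them to their original configuration.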