From 640330c5135187c7733b4a221da42cf73e2541dd Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Thu, 18 Jan 2024 13:56:30 -0800
Subject: [PATCH] Updated PR 2461 2463 into a new one (#2655)

* updating ttp
* updating atomics from PR and adding new
* update command
---------
Co-authored-by: Carrie Roberts
---
 atomics/T1548.002/T1548.002.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/atomics/T1548.002/T1548.002.yaml b/atomics/T1548.002/T1548.002.yaml
index ffb07020..a576eb93 100644
--- a/atomics/T1548.002/T1548.002.yaml
+++ b/atomics/T1548.002/T1548.002.yaml
@@ -667,3 +667,27 @@ atomic_tests:
 Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name PromptOnSecureDesktop -Value 1 -Type Dword -Force
 name: powershell
 elevation_required: true
+
+- name: Disable UAC notification via registry keys
+ description: |
+ This atomic regarding UACDisableNotify pertains to the notification behavior of UAC. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. The BlotchyQuasar RAT defense evasion activities that the adversary to disable UAC notifications makes it easier for malware and malicious software to execute with elevated privileges. [Article](https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/)
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify /t REG_DWORD /d 0 /f
+ name: command_prompt
+
+- name: Disable ConsentPromptBehaviorAdmin via registry keys
+ description: |
+ This atomic regarding setting ConsentPromptBehaviorAdmin to 0 configures the UAC so that it does not prompt for consent or credentials when actions requiring elevated privileges are performed by users in the administrators group. This means that any operation that would normally trigger a UAC prompt will proceed automatically without user interaction. 
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
+ cleanup_command: |
+ reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
+ name: command_prompt
\ No newline at end of file
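Review bot: Both new atomics write under HKLM with `reg add` but neither declares `elevation_required: true`, unlike the preceding PromptOnSecureDesktop test whose `elevation_required: true` context line is visible at the top of the hunk; without it the runner will not request elevation and the command fails with access denied from a standard-user session, so add `elevation_required: true` under `executor:` after `name: command_prompt` in both tests. The cleanup commands also restore hard-coded values (0 for UACDisableNotify, 5 for ConsentPromptBehaviorAdmin) rather than whatever was present before the test, so on a host with a non-default UAC configuration the cleanup leaves the setting changed; consider capturing the prior value before the test or at least stating this limitation in the description. The first description's sentence beginning "The BlotchyQuasar RAT defense evasion activities that the adversary to disable UAC notifications" is ungrammatical and should be reworded, for example `Adversaries such as the BlotchyQuasar RAT disable UAC notifications as a defense evasion step, which makes it easier for malicious software to run with elevated privileges unnoticed.` The file also loses its trailing newline with this change, which the `\ No newline at end of file` marker shows.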