Generated docs from job=generate-docs branch=master [ci skip]

2024-01-18 21:57:17 +00:00
parent 9141822411
commit 65348695f9
9 changed files with 266 additions and 2 deletions
@@ -60,6 +60,8 @@ defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,24,Disable UAC - Switch to the secure desktop when prompting for elevation via registry key,85f3a526-4cfa-4fe7-98c1-dea99be025c7,powershell
+defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,25,Disable UAC notification via registry keys,160a7c77-b00e-4111-9e45-7c2a44eda3fd,command_prompt
+defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,26,Disable ConsentPromptBehaviorAdmin via registry keys,a768aaa2-2442-475c-8990-69cf33af0f4e,command_prompt
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Sudo usage (freebsd),2bf9a018-4664-438a-b435-cc6f8c6f71b1,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
@@ -627,6 +629,8 @@ privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Ac
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,24,Disable UAC - Switch to the secure desktop when prompting for elevation via registry key,85f3a526-4cfa-4fe7-98c1-dea99be025c7,powershell
+privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,25,Disable UAC notification via registry keys,160a7c77-b00e-4111-9e45-7c2a44eda3fd,command_prompt
+privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,26,Disable ConsentPromptBehaviorAdmin via registry keys,a768aaa2-2442-475c-8990-69cf33af0f4e,command_prompt
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Sudo usage (freebsd),2bf9a018-4664-438a-b435-cc6f8c6f71b1,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
@@ -39,6 +39,8 @@ defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,24,Disable UAC - Switch to the secure desktop when prompting for elevation via registry key,85f3a526-4cfa-4fe7-98c1-dea99be025c7,powershell
+defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,25,Disable UAC notification via registry keys,160a7c77-b00e-4111-9e45-7c2a44eda3fd,command_prompt
+defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,26,Disable ConsentPromptBehaviorAdmin via registry keys,a768aaa2-2442-475c-8990-69cf33af0f4e,command_prompt
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
@@ -428,6 +430,8 @@ privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Ac
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,24,Disable UAC - Switch to the secure desktop when prompting for elevation via registry key,85f3a526-4cfa-4fe7-98c1-dea99be025c7,powershell
+privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,25,Disable UAC notification via registry keys,160a7c77-b00e-4111-9e45-7c2a44eda3fd,command_prompt
+privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,26,Disable ConsentPromptBehaviorAdmin via registry keys,a768aaa2-2442-475c-8990-69cf33af0f4e,command_prompt
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
@@ -76,6 +76,8 @@
  - Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
  - Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
  - Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows]
+  - Atomic Test #25: Disable UAC notification via registry keys [windows]
+  - Atomic Test #26: Disable ConsentPromptBehaviorAdmin via registry keys [windows]
 - [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
  - Atomic Test #1: Sudo usage [macos, linux]
  - Atomic Test #2: Sudo usage (freebsd) [linux]
@@ -830,6 +832,8 @@
  - Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
  - Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
  - Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows]
+  - Atomic Test #25: Disable UAC notification via registry keys [windows]
+  - Atomic Test #26: Disable ConsentPromptBehaviorAdmin via registry keys [windows]
 - [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
  - Atomic Test #1: Sudo usage [macos, linux]
  - Atomic Test #2: Sudo usage (freebsd) [linux]
@@ -52,6 +52,8 @@
  - Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
  - Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
  - Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows]
+  - Atomic Test #25: Disable UAC notification via registry keys [windows]
+  - Atomic Test #26: Disable ConsentPromptBehaviorAdmin via registry keys [windows]
 - T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
  - Atomic Test #1: Service Registry Permissions Weakness [windows]
@@ -586,6 +588,8 @@
  - Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
  - Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
  - Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows]
+  - Atomic Test #25: Disable UAC notification via registry keys [windows]
+  - Atomic Test #26: Disable ConsentPromptBehaviorAdmin via registry keys [windows]
 - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
  - Atomic Test #1: Service Registry Permissions Weakness [windows]
  - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
@@ -2801,6 +2801,51 @@ defense-evasion:
          '
        name: powershell
        elevation_required: true
+    - name: Disable UAC notification via registry keys
+      auto_generated_guid: 160a7c77-b00e-4111-9e45-7c2a44eda3fd
+      description: 'This atomic regarding UACDisableNotify pertains to the notification
+        behavior of UAC. UAC is a critical security feature in Windows that prevents
+        unauthorized changes to the operating system. It prompts the user for permission
+        or an administrator password before allowing actions that could affect the
+        system''s operation or change settings that affect other users. The BlotchyQuasar
+        RAT defense evasion activities that the adversary to disable UAC notifications
+        makes it easier for malware and malicious software to execute with elevated
+        privileges. [Article](https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/)
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
+          /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
+          /t REG_DWORD /d 0 /f
+
+          '
+        name: command_prompt
+    - name: Disable ConsentPromptBehaviorAdmin via registry keys
+      auto_generated_guid: a768aaa2-2442-475c-8990-69cf33af0f4e
+      description: 'This atomic regarding setting ConsentPromptBehaviorAdmin to 0
+        configures the UAC so that it does not prompt for consent or credentials when
+        actions requiring elevated privileges are performed by users in the administrators
+        group. This means that any operation that would normally trigger a UAC prompt
+        will proceed automatically without user interaction.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
+
+          '
+        name: command_prompt
  T1548.003:
    technique:
      x_mitre_platforms:
@@ -32117,6 +32162,51 @@ privilege-escalation:
          '
        name: powershell
        elevation_required: true
+    - name: Disable UAC notification via registry keys
+      auto_generated_guid: 160a7c77-b00e-4111-9e45-7c2a44eda3fd
+      description: 'This atomic regarding UACDisableNotify pertains to the notification
+        behavior of UAC. UAC is a critical security feature in Windows that prevents
+        unauthorized changes to the operating system. It prompts the user for permission
+        or an administrator password before allowing actions that could affect the
+        system''s operation or change settings that affect other users. The BlotchyQuasar
+        RAT defense evasion activities that the adversary to disable UAC notifications
+        makes it easier for malware and malicious software to execute with elevated
+        privileges. [Article](https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/)
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
+          /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
+          /t REG_DWORD /d 0 /f
+
+          '
+        name: command_prompt
+    - name: Disable ConsentPromptBehaviorAdmin via registry keys
+      auto_generated_guid: a768aaa2-2442-475c-8990-69cf33af0f4e
+      description: 'This atomic regarding setting ConsentPromptBehaviorAdmin to 0
+        configures the UAC so that it does not prompt for consent or credentials when
+        actions requiring elevated privileges are performed by users in the administrators
+        group. This means that any operation that would normally trigger a UAC prompt
+        will proceed automatically without user interaction.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
+
+          '
+        name: command_prompt
  T1548.003:
    technique:
      x_mitre_platforms:
@@ -2146,6 +2146,51 @@ defense-evasion:
          '
        name: powershell
        elevation_required: true
+    - name: Disable UAC notification via registry keys
+      auto_generated_guid: 160a7c77-b00e-4111-9e45-7c2a44eda3fd
+      description: 'This atomic regarding UACDisableNotify pertains to the notification
+        behavior of UAC. UAC is a critical security feature in Windows that prevents
+        unauthorized changes to the operating system. It prompts the user for permission
+        or an administrator password before allowing actions that could affect the
+        system''s operation or change settings that affect other users. The BlotchyQuasar
+        RAT defense evasion activities that the adversary to disable UAC notifications
+        makes it easier for malware and malicious software to execute with elevated
+        privileges. [Article](https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/)
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
+          /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
+          /t REG_DWORD /d 0 /f
+
+          '
+        name: command_prompt
+    - name: Disable ConsentPromptBehaviorAdmin via registry keys
+      auto_generated_guid: a768aaa2-2442-475c-8990-69cf33af0f4e
+      description: 'This atomic regarding setting ConsentPromptBehaviorAdmin to 0
+        configures the UAC so that it does not prompt for consent or credentials when
+        actions requiring elevated privileges are performed by users in the administrators
+        group. This means that any operation that would normally trigger a UAC prompt
+        will proceed automatically without user interaction.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
+
+          '
+        name: command_prompt
  T1548.003:
    technique:
      x_mitre_platforms:
@@ -26657,6 +26702,51 @@ privilege-escalation:
          '
        name: powershell
        elevation_required: true
+    - name: Disable UAC notification via registry keys
+      auto_generated_guid: 160a7c77-b00e-4111-9e45-7c2a44eda3fd
+      description: 'This atomic regarding UACDisableNotify pertains to the notification
+        behavior of UAC. UAC is a critical security feature in Windows that prevents
+        unauthorized changes to the operating system. It prompts the user for permission
+        or an administrator password before allowing actions that could affect the
+        system''s operation or change settings that affect other users. The BlotchyQuasar
+        RAT defense evasion activities that the adversary to disable UAC notifications
+        makes it easier for malware and malicious software to execute with elevated
+        privileges. [Article](https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/)
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
+          /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
+          /t REG_DWORD /d 0 /f
+
+          '
+        name: command_prompt
+    - name: Disable ConsentPromptBehaviorAdmin via registry keys
+      auto_generated_guid: a768aaa2-2442-475c-8990-69cf33af0f4e
+      description: 'This atomic regarding setting ConsentPromptBehaviorAdmin to 0
+        configures the UAC so that it does not prompt for consent or credentials when
+        actions requiring elevated privileges are performed by users in the administrators
+        group. This means that any operation that would normally trigger a UAC prompt
+        will proceed automatically without user interaction.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
+
+          '
+        name: command_prompt
  T1548.003:
    technique:
      x_mitre_platforms:
@@ -60,6 +60,10 @@ Another bypass is possible through some lateral movement techniques if credentia

 - [Atomic Test #24 - Disable UAC - Switch to the secure desktop when prompting for elevation via registry key](#atomic-test-24---disable-uac---switch-to-the-secure-desktop-when-prompting-for-elevation-via-registry-key)

+- [Atomic Test #25 - Disable UAC notification via registry keys](#atomic-test-25---disable-uac-notification-via-registry-keys)
+
+- [Atomic Test #26 - Disable ConsentPromptBehaviorAdmin via registry keys](#atomic-test-26---disable-consentpromptbehavioradmin-via-registry-keys)
+

 <br/>

@@ -1224,4 +1228,68 @@ Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System



+<br/>
+<br/>
+
+## Atomic Test #25 - Disable UAC notification via registry keys
+This atomic regarding UACDisableNotify pertains to the notification behavior of UAC. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. The BlotchyQuasar RAT defense evasion activities that the adversary to disable UAC notifications makes it easier for malware and malicious software to execute with elevated privileges. [Article](https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 160a7c77-b00e-4111-9e45-7c2a44eda3fd
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify /t REG_DWORD /d 0 /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #26 - Disable ConsentPromptBehaviorAdmin via registry keys
+This atomic regarding setting ConsentPromptBehaviorAdmin to 0 configures the UAC so that it does not prompt for consent or credentials when actions requiring elevated privileges are performed by users in the administrators group. This means that any operation that would normally trigger a UAC prompt will proceed automatically without user interaction.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a768aaa2-2442-475c-8990-69cf33af0f4e
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
+```
+
+
+
+
+
 <br/>