Generated docs from job=generate-docs branch=master [ci skip]

2022-04-28 01:14:49 +00:00
parent b196333caf
commit 724cb3f50d
6 changed files with 102 additions and 0 deletions
@@ -447,6 +447,8 @@ defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,46856
 defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
 defense-evasion,T1562.006,Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
 defense-evasion,T1562.006,Indicator Blocking,3,Disable Powershell ETW Provider - Windows,6f118276-121d-4c09-bb58-a8fb4a72ee84,powershell
+defense-evasion,T1562.006,Indicator Blocking,4,Disable .NET Event Tracing for Windows Via Registry (cmd),8a4c33be-a0d3-434a-bee6-315405edbd5b,command_prompt
+defense-evasion,T1562.006,Indicator Blocking,5,Disable .NET Event Tracing for Windows Via Registry (powershell),19c07a45-452d-4620-90ed-4c34fffbe758,powershell
 defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
@@ -288,6 +288,8 @@ defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8
 defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
 defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
 defense-evasion,T1562.006,Indicator Blocking,3,Disable Powershell ETW Provider - Windows,6f118276-121d-4c09-bb58-a8fb4a72ee84,powershell
+defense-evasion,T1562.006,Indicator Blocking,4,Disable .NET Event Tracing for Windows Via Registry (cmd),8a4c33be-a0d3-434a-bee6-315405edbd5b,command_prompt
+defense-evasion,T1562.006,Indicator Blocking,5,Disable .NET Event Tracing for Windows Via Registry (powershell),19c07a45-452d-4620-90ed-4c34fffbe758,powershell
 defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
@@ -710,6 +710,8 @@
  - Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
  - Atomic Test #2: Logging Configuration Changes on Linux Host [linux]
  - Atomic Test #3: Disable Powershell ETW Provider - Windows [windows]
+  - Atomic Test #4: Disable .NET Event Tracing for Windows Via Registry (cmd) [windows]
+  - Atomic Test #5: Disable .NET Event Tracing for Windows Via Registry (powershell) [windows]
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070 Indicator Removal on Host](../../T1070/T1070.md)
  - Atomic Test #1: Indicator Removal using FSUtil [windows]
@@ -490,6 +490,8 @@
 - T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1562.006 Indicator Blocking](../../T1562.006/T1562.006.md)
  - Atomic Test #3: Disable Powershell ETW Provider - Windows [windows]
+  - Atomic Test #4: Disable .NET Event Tracing for Windows Via Registry (cmd) [windows]
+  - Atomic Test #5: Disable .NET Event Tracing for Windows Via Registry (powershell) [windows]
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070 Indicator Removal on Host](../../T1070/T1070.md)
  - Atomic Test #1: Indicator Removal using FSUtil [windows]
@@ -30390,6 +30390,32 @@ defense-evasion:
          trace "#{session}" -p "#{provider}" -ets
        name: powershell
        elevation_required: true
+    - name: Disable .NET Event Tracing for Windows Via Registry (cmd)
+      auto_generated_guid: 8a4c33be-a0d3-434a-bee6-315405edbd5b
+      description: Disables ETW for the .NET Framework using the reg.exe utility to
+        update the Windows registry
+      supported_platforms:
+      - windows
+      executor:
+        command: REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD
+          /d 0
+        cleanup_command: REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled
+          /f > nul 2>&1
+        name: command_prompt
+        elevation_required: true
+    - name: Disable .NET Event Tracing for Windows Via Registry (powershell)
+      auto_generated_guid: 19c07a45-452d-4620-90ed-4c34fffbe758
+      description: Disables ETW for the .NET Framework using PowerShell to update
+        the Windows registry
+      supported_platforms:
+      - windows
+      executor:
+        command: New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name
+          ETWEnabled -Value 0 -PropertyType "DWord" -Force
+        cleanup_command: REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled
+          /f > $null 2>&1
+        name: powershell
+        elevation_required: true
  T1027.005:
    technique:
      object_marking_refs:
@@ -14,6 +14,10 @@ In the case of network-based reporting of indicators, an adversary may block tra

 - [Atomic Test #3 - Disable Powershell ETW Provider - Windows](#atomic-test-3---disable-powershell-etw-provider---windows)

+- [Atomic Test #4 - Disable .NET Event Tracing for Windows Via Registry (cmd)](#atomic-test-4---disable-net-event-tracing-for-windows-via-registry-cmd)
+
+- [Atomic Test #5 - Disable .NET Event Tracing for Windows Via Registry (powershell)](#atomic-test-5---disable-net-event-tracing-for-windows-via-registry-powershell)
+

 <br/>

@@ -170,4 +174,68 @@ expand-archive -literalpath "$env:temp\PStools.zip" -destinationpath "$env:temp\



+<br/>
+<br/>
+
+## Atomic Test #4 - Disable .NET Event Tracing for Windows Via Registry (cmd)
+Disables ETW for the .NET Framework using the reg.exe utility to update the Windows registry
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8a4c33be-a0d3-434a-bee6-315405edbd5b
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0
+```
+
+#### Cleanup Commands:
+```cmd
+REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Disable .NET Event Tracing for Windows Via Registry (powershell)
+Disables ETW for the .NET Framework using PowerShell to update the Windows registry
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 19c07a45-452d-4620-90ed-4c34fffbe758
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -Force
+```
+
+#### Cleanup Commands:
+```powershell
+REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > $null 2>&1
+```
+
+
+
+
+
 <br/>