Generated docs from job=generate-docs branch=master [ci skip]

2023-02-24 04:33:12 +00:00
parent 9ec5c8bcaf
commit 8ec0ff54c6
9 changed files with 172 additions and 2 deletions
@@ -225,6 +225,8 @@ defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applic
 defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
 defense-evasion,T1112,Modify Registry,45,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
 defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
+defense-evasion,T1112,Modify Registry,47,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
+defense-evasion,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
@@ -170,6 +170,8 @@ defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applic
 defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
 defense-evasion,T1112,Modify Registry,45,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
 defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
+defense-evasion,T1112,Modify Registry,47,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
+defense-evasion,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
@@ -300,6 +300,8 @@
  - Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
  - Atomic Test #45: Mimic Ransomware - Enable Multiple User Sessions [windows]
  - Atomic Test #46: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
+  - Atomic Test #47: Event Viewer Registry Modification - Redirection URL [windows]
+  - Atomic Test #48: Event Viewer Registry Modification - Redirection Program [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -228,6 +228,8 @@
  - Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
  - Atomic Test #45: Mimic Ransomware - Enable Multiple User Sessions [windows]
  - Atomic Test #46: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
+  - Atomic Test #47: Event Viewer Registry Modification - Redirection URL [windows]
+  - Atomic Test #48: Event Viewer Registry Modification - Redirection Program [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -11152,6 +11152,48 @@ defense-evasion:
          '
        name: command_prompt
        elevation_required: true
+    - name: Event Viewer Registry Modification - Redirection URL
+      auto_generated_guid: 6174be7f-5153-4afd-92c5-e0c3b7cdb5ae
+      description: Modify event viewer registry values to alter the behavior of the
+        online help redirection. Upon opening an event in event viewer and attempting
+        to view the help page for the event, it will open the URL or execute the program
+        defined in the redirection URL registry entry.
+      supported_platforms:
+      - windows
+      input_arguments:
+        redirection_url:
+          description: URL to open or file URI to execute upon opening the event help
+          type: url
+          default: file://C:\windows\system32\notepad.exe
+      executor:
+        command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event
+          Viewer" /v MicrosoftRedirectionURL /t REG_SZ /d "#{redirection_url}" /f
+        cleanup_command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event
+          Viewer" /v MicrosoftRedirectionURL /t REG_SZ /d "http://go.microsoft.com/fwlink/events.asp"
+          /f
+        name: command_prompt
+        elevation_required: true
+    - name: Event Viewer Registry Modification - Redirection Program
+      auto_generated_guid: 81483501-b8a5-4225-8b32-52128e2f69db
+      description: Modify event viewer registry values to alter the behavior of the
+        online help redirection. Upon opening an event in event viewer and attempting
+        to view the help page for the event, it will execute the program defined in
+        thed redirection program registry entry.
+      supported_platforms:
+      - windows
+      input_arguments:
+        redirection_program:
+          description: Path of the program to execute upon opening the event help
+          type: path
+          default: C:\windows\system32\notepad.exe
+      executor:
+        command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event
+          Viewer" /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /d "#{redirection_program}"
+          /f
+        cleanup_command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event
+          Viewer" /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /f
+        name: command_prompt
+        elevation_required: true
  T1574.008:
    technique:
      x_mitre_platforms:
@@ -9691,6 +9691,48 @@ defense-evasion:
          '
        name: command_prompt
        elevation_required: true
+    - name: Event Viewer Registry Modification - Redirection URL
+      auto_generated_guid: 6174be7f-5153-4afd-92c5-e0c3b7cdb5ae
+      description: Modify event viewer registry values to alter the behavior of the
+        online help redirection. Upon opening an event in event viewer and attempting
+        to view the help page for the event, it will open the URL or execute the program
+        defined in the redirection URL registry entry.
+      supported_platforms:
+      - windows
+      input_arguments:
+        redirection_url:
+          description: URL to open or file URI to execute upon opening the event help
+          type: url
+          default: file://C:\windows\system32\notepad.exe
+      executor:
+        command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event
+          Viewer" /v MicrosoftRedirectionURL /t REG_SZ /d "#{redirection_url}" /f
+        cleanup_command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event
+          Viewer" /v MicrosoftRedirectionURL /t REG_SZ /d "http://go.microsoft.com/fwlink/events.asp"
+          /f
+        name: command_prompt
+        elevation_required: true
+    - name: Event Viewer Registry Modification - Redirection Program
+      auto_generated_guid: 81483501-b8a5-4225-8b32-52128e2f69db
+      description: Modify event viewer registry values to alter the behavior of the
+        online help redirection. Upon opening an event in event viewer and attempting
+        to view the help page for the event, it will execute the program defined in
+        thed redirection program registry entry.
+      supported_platforms:
+      - windows
+      input_arguments:
+        redirection_program:
+          description: Path of the program to execute upon opening the event help
+          type: path
+          default: C:\windows\system32\notepad.exe
+      executor:
+        command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event
+          Viewer" /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /d "#{redirection_program}"
+          /f
+        cleanup_command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event
+          Viewer" /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /f
+        name: command_prompt
+        elevation_required: true
  T1574.008:
    technique:
      x_mitre_platforms:
@@ -102,6 +102,10 @@ The Registry of a remote system may be modified to aid in execution of files as

 - [Atomic Test #46 - Mimic Ransomware - Allow Multiple RDP Sessions per User](#atomic-test-46---mimic-ransomware---allow-multiple-rdp-sessions-per-user)

+- [Atomic Test #47 - Event Viewer Registry Modification - Redirection URL](#atomic-test-47---event-viewer-registry-modification---redirection-url)
+
+- [Atomic Test #48 - Event Viewer Registry Modification - Redirection Program](#atomic-test-48---event-viewer-registry-modification---redirection-program)
+

 <br/>

@@ -1719,4 +1723,78 @@ reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSes



+<br/>
+<br/>
+
+## Atomic Test #47 - Event Viewer Registry Modification - Redirection URL
+Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will open the URL or execute the program defined in the redirection URL registry entry.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 6174be7f-5153-4afd-92c5-e0c3b7cdb5ae
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| redirection_url | URL to open or file URI to execute upon opening the event help | url | file://C:&#92;windows&#92;system32&#92;notepad.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionURL /t REG_SZ /d "#{redirection_url}" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionURL /t REG_SZ /d "http://go.microsoft.com/fwlink/events.asp" /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #48 - Event Viewer Registry Modification - Redirection Program
+Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will execute the program defined in thed redirection program registry entry.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 81483501-b8a5-4225-8b32-52128e2f69db
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| redirection_program | Path of the program to execute upon opening the event help | path | C:&#92;windows&#92;system32&#92;notepad.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /d "#{redirection_program}" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /f
+```
+
+
+
+
+
 <br/>