Update T1562.003.yaml (#2742)

Tweaking my own tests to fix markdown formatting and simplify executions

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Author: Badoodish
Date: 2024-04-24 10:26:01 +10:00
Committed by: GitHub
Parent: 1fed40dc7e
Commit: 95cc8e7ffc
Changes: +2 -4
@@ -211,6 +211,7 @@ atomic_tests:
In Windows operating systems, command line auditing is controlled through the following registry value:
Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
Registry Value: ProcessCreationIncludeCmdLine_Enabled
When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
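Review bot: the last sentence of this description overstates what the value does. `ProcessCreationIncludeCmdLine_Enabled` only controls whether the command line is appended to the Process Creation event (Event ID 4688); those events are generated only when the "Audit Process Creation" subcategory is enabled, so setting this value to 0 leaves 4688 events flowing without the command line rather than stopping process execution logging. Suggest rewording to something like "When this value is set to 1 and process creation auditing is enabled, the command line is included in Event ID 4688 alongside the process, user and timestamp", and, since this commit is a markdown fix, wrapping `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit` and `ProcessCreationIncludeCmdLine_Enabled` in backticks so they render as code.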
@@ -230,10 +231,8 @@ atomic_tests:
name: command_prompt
elevation_required: true
command: |
echo Commencing Attack - Disabling Registry Value
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
cleanup_command: |
echo Commencing Cleanup - Restoring Registry Value
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
- name: Disable Windows Command Line Auditing using Powershell Cmdlet
auto_generated_guid: 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
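Review bot: the `cleanup_command` does not restore the pre-test state; `reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f` unconditionally enables command line inclusion, so on a host where the value was absent or already 0 the test leaves a configuration change behind after "cleanup". Suggest capturing the existing value before the attack (for example with `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled`, or `reg export` of the key to a temp file) and restoring that, or at minimum stating in the description that cleanup sets the value to 1 rather than to its prior value.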
@@ -241,6 +240,7 @@ atomic_tests:
In Windows operating systems, command line auditing is controlled through the following registry value:
Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
Registry Value: ProcessCreationIncludeCmdLine_Enabled
When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
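Review bot: this description is a verbatim copy of the one on the command_prompt test, including the same overstatement that the value controls command line auditing as a whole rather than inclusion of the command line in Event ID 4688 when process creation auditing is on. Whatever wording fix is applied to the first copy should be mirrored here so the two tests do not drift; the only intended difference between them is the executor.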
@@ -261,9 +261,7 @@ atomic_tests:
name: powershell
elevation_required: true
command: |
echo "Commencing Attack - Disabling Registry Value"
New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
cleanup_command: |
echo "Commencing Cleanup - Restoring Registry Value"
New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore
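Review bot: `-ErrorAction Ignore` on both `New-ItemProperty` calls hides the one failure that matters. If the `Audit` key does not exist (it may be absent on a host where the policy has never been configured), `New-ItemProperty` fails with a path-not-found error and the test reports success while changing nothing, whereas the cmd variant's `reg add /f` creates the key. Suggest creating the key first with `New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Force | Out-Null`, dropping `-ErrorAction Ignore` so a real failure surfaces, and using the drive-rooted form `HKLM:\Software\...` rather than `HKLM:Software\...` so the path does not depend on the provider's current location. The cleanup here has the same restore-to-1 behaviour as the cmd test and would benefit from the same save-and-restore approach.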