From 95cc8e7ffca2ff1f359495fcf5a21019be7201a7 Mon Sep 17 00:00:00 2001
From: Badoodish <88710522+Badoodish@users.noreply.github.com>
Date: Wed, 24 Apr 2024 10:26:01 +1000
Subject: [PATCH] Update T1562.003.yaml (#2742)

Tweaking my own tests to fix markdown formatting and simplify executions

Co-authored-by: Carrie Roberts
---
 atomics/T1562.003/T1562.003.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/atomics/T1562.003/T1562.003.yaml b/atomics/T1562.003/T1562.003.yaml
index 7420eb93..dc55c053 100644
--- a/atomics/T1562.003/T1562.003.yaml
+++ b/atomics/T1562.003/T1562.003.yaml
@@ -211,6 +211,7 @@ atomic_tests:
 In Windows operating systems, command line auditing is controlled through the following registry value:
 Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+ Registry Value: ProcessCreationIncludeCmdLine_Enabled
 When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
@@ -230,10 +231,8 @@ atomic_tests:
 name: command_prompt
 elevation_required: true
 command: |
- echo Commencing Attack - Disabling Registry Value
 reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
 cleanup_command: |
- echo Commencing Cleanup - Restoring Registry Value
 reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
 - name: Disable Windows Command Line Auditing using Powershell Cmdlet
 auto_generated_guid: 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
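Review bot: After the echo removals, cleanup_command in the -230 hunk is just `reg add ... /d 1 /f`, which unconditionally re-enables command line auditing rather than restoring whatever ProcessCreationIncludeCmdLine_Enabled held before the test; a host where the value was absent or 0 is left in a different state than it started, and the description does not say so. The -211 description hunk is the place to state it, e.g. `Cleanup sets ProcessCreationIncludeCmdLine_Enabled to 1 (enabled) rather than restoring the pre-test value.` The same applies to the PowerShell variant in the -261 hunk, where `-ErrorAction Ignore` additionally hides a failed write (New-ItemProperty does not create a missing parent key, unlike reg add), so that test can report success without changing anything. This value is also the one set by the "Include command line in process creation events" policy, so a Group Policy refresh may overwrite either write; anyone validating detections on this key (e.g. Sysmon Event ID 13, or Security 4657 with a SACL) should account for that when checking that the expected events fire.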
@@ -241,6 +240,7 @@ atomic_tests:
 In Windows operating systems, command line auditing is controlled through the following registry value:
 Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+ Registry Value: ProcessCreationIncludeCmdLine_Enabled
 When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
@@ -261,9 +261,7 @@ atomic_tests:
 name: powershell
 elevation_required: true
 command: |
- echo "Commencing Attack - Disabling Registry Value"
 New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
 cleanup_command: |
- echo "Commencing Cleanup - Restoring Registry Value"
 New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore