From a7e5260a93b496ea374b0f746136d168d8f294b4 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 12 Jul 2023 04:36:53 +0200
Subject: [PATCH] Add reg.exe force swith (#2477)
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 atomics/T1021.001/T1021.001.yaml | 4 ++--
 atomics/T1059.001/T1059.001.yaml | 2 +-
 atomics/T1112/T1112.yaml | 26 +++++++++++++-------------
 atomics/T1547.010/T1547.010.yaml | 2 +-
 atomics/T1574.011/T1574.011.yaml | 2 +-
 5 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/atomics/T1021.001/T1021.001.yaml b/atomics/T1021.001/T1021.001.yaml
index c5409d2f..5aebfc5f 100644
--- a/atomics/T1021.001/T1021.001.yaml
+++ b/atomics/T1021.001/T1021.001.yaml
@@ -85,10 +85,10 @@ atomic_tests:
 default: "4489"
 executor:
 command: |
- reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} -f
+ reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} /f
 netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}
 cleanup_command: |
- reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} -f >nul 2>&1
+ reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} /f >nul 2>&1
 netsh advfirewall firewall delete rule name="RDPPORTLatest-TCP-In" >nul 2>&1
 net stop TermService >nul 2>&1
 net start TermService >nul 2>&1
diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml
index 90427407..87a465a2 100644
--- a/atomics/T1059.001/T1059.001.yaml
+++ b/atomics/T1059.001/T1059.001.yaml
@@ -167,7 +167,7 @@ atomic_tests:
 executor:
 command: |
 # Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
- reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
+ reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
 iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
 cleanup_command: |
 Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index 0397a04e..a893c4ec 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -399,7 +399,7 @@ atomic_tests:
 - windows
 executor:
 command: |
- reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1
+ reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1 /f
 cleanup_command: |
 reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /f >nul 2>&1
 name: command_prompt
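Review bot: The cleanup_command at the end of this hunk removes a hard-coded `C:\Windows\Temp\art-marker.txt`, while the payload spelled out in the comment line writes the marker to `$env:SystemRoot/Temp/art-marker.txt`, so on a host whose system root is not `C:\Windows` the marker file is left behind after the test. Using the same variable on both sides keeps the test self-cleaning: `Remove-Item -path "$env:SystemRoot\Temp\art-marker.txt" -Force -ErrorAction Ignore`. The cleanup block continues past the end of the hunk, so whether the `HKCU\Software\Classes\AtomicRedTeam` key written by the new `reg.exe add ... /f` line is also removed is not visible here.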
@@ -786,9 +786,9 @@ atomic_tests:
 - windows
 executor:
 command: |
- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1 /f
 cleanup_command: |
- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 0
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 0 /f
 name: command_prompt
 elevation_required: true
 - name: Disable Windows OS Auto Update
@@ -799,9 +799,9 @@ atomic_tests:
 - windows
 executor:
 command: |
- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 1
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 1 /f
 cleanup_command: |
- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 0
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 0 /f
 name: command_prompt
 elevation_required: true
 - name: Disable Windows Auto Reboot for current logon user
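Review bot: The cleanup_command in this hunk — and the same pattern in hunks -799, -812, -825, -838 and -853 of T1112.yaml — now force-writes a fixed value (`/d 0`, `/d 3`, `/d 5`) instead of removing the value the test created, so on a host where that policy value did not exist beforehand the cleanup leaves an explicitly configured policy behind (for example `DisableNotifications` = 0 under the Windows Defender Security Center Notifications key) rather than restoring the original "not configured" state. Hunk -399 in the same file already shows the cleaner shape; for this test that would be `reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /f >nul 2>&1`. Where a value is expected to pre-exist on most hosts (the TamperProtection case in hunk -853 looks like that), the executor could capture it with `reg query` before the `reg add` so the cleanup restores the saved value, or the cleanup line could at least carry a comment such as `# resets to the assumed default, not the pre-test value`. The added `/f` on the cleanup lines is otherwise fine to keep, since it is what stops the overwrite prompt from hanging an unattended run.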
@@ -812,9 +812,9 @@ atomic_tests:
 - windows
 executor:
 command: |
- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1 /f
 cleanup_command: |
- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 0
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 0 /f
 name: command_prompt
 elevation_required: true
 - name: Windows Auto Update Option to Notify before download
@@ -825,9 +825,9 @@ atomic_tests:
 - windows
 executor:
 command: |
- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 2
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 2 /f
 cleanup_command: |
- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 3
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 3 /f
 name: command_prompt
 elevation_required: true
 - name: Do Not Connect To Win Update
@@ -838,9 +838,9 @@ atomic_tests:
 - windows
 executor:
 command: |
- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 1
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 1 /f
 cleanup_command: |
- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 0
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 0 /f
 name: command_prompt
 elevation_required: true
 - name: Tamper Win Defender Protection
@@ -853,9 +853,9 @@ atomic_tests:
 - windows
 executor:
 command: |
- reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 0
+ reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 0 /f
 cleanup_command: |
- reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 5
+ reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 5 /f
 name: command_prompt
 elevation_required: true
 - name: Snake Malware Registry Blob
diff --git a/atomics/T1547.010/T1547.010.yaml b/atomics/T1547.010/T1547.010.yaml
index e4421f88..2f7b4ed5 100644
--- a/atomics/T1547.010/T1547.010.yaml
+++ b/atomics/T1547.010/T1547.010.yaml
@@ -13,7 +13,7 @@ atomic_tests:
 default: $PathToAtomicsFolder\T1547.010\bin\PortMonitor.dll
 executor:
 command: |
- reg add "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam" /v "Driver" /d "#{monitor_dll}" /t REG_SZ
+ reg add "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam" /v "Driver" /d "#{monitor_dll}" /t REG_SZ /f
 cleanup_command: |
 reg delete "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam" /f >nul 2>&1
 name: command_prompt
diff --git a/atomics/T1574.011/T1574.011.yaml b/atomics/T1574.011/T1574.011.yaml
index 24c3eee6..18cb5f53 100644
--- a/atomics/T1574.011/T1574.011.yaml
+++ b/atomics/T1574.011/T1574.011.yaml
@@ -5,7 +5,7 @@ atomic_tests:
 auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
 description: |
 Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
- reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
+ reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "C:\temp\AtomicRedteam.exe"
 supported_platforms:
 - windows
 input_arguments:
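Review bot: In the T1574.011 description example the new `/f` is inserted between the key and `/v ImagePath`, whereas every executable command in this commit appends it last; since this line is documentation that readers copy by shape, keeping it consistent reads better: `reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe" /f`. The sentence above it, "Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.", is hard to parse; a wording such as "Checks for weak service registry permissions, which can allow privilege escalation by rewriting ImagePath, e.g." would say the same thing clearly. The rest of the test definition (input_arguments onward) is outside the hunk.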