Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1570-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1581-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

atomics/Indexes/Indexes-CSV/index.csv

@@ -324,6 +324,17 @@ defense-evasion,T1112,Modify Registry,70,Enable RDP via Registry (fDenyTSConnect
 defense-evasion,T1112,Modify Registry,71,Disable Windows Prefetch Through Registry,7979dd41-2045-48b2-a54e-b1bc2415c9da,command_prompt
 defense-evasion,T1112,Modify Registry,72,Setting Shadow key in Registry for RDP Shadowing,ac494fe5-81a4-4897-af42-e774cf005ecb,powershell
 defense-evasion,T1112,Modify Registry,73,Flush Shimcache,ecbd533e-b45d-4239-aeff-b857c6f6d68b,command_prompt
+defense-evasion,T1112,Modify Registry,74,Disable Windows Remote Desktop Protocol,5f8e36de-37ca-455e-b054-a2584f043c06,command_prompt
+defense-evasion,T1112,Modify Registry,75,Enforce Smart Card Authentication Through Registry,4c4bf587-fe7f-448f-ba8d-1ecec9db88be,command_prompt
+defense-evasion,T1112,Modify Registry,76,Requires the BitLocker PIN for Pre-boot authentication,26fc7375-a551-4336-90d7-3f2817564304,command_prompt
+defense-evasion,T1112,Modify Registry,77,Modify EnableBDEWithNoTPM Registry entry,bacb3e73-8161-43a9-8204-a69fe0e4b482,command_prompt
+defense-evasion,T1112,Modify Registry,78,Modify UseTPM Registry entry,7c8c7bd8-0a5c-4514-a6a3-0814c5a98cf0,command_prompt
+defense-evasion,T1112,Modify Registry,79,Modify UseTPMPIN Registry entry,10b33fb0-c58b-44cd-8599-b6da5ad6384c,command_prompt
+defense-evasion,T1112,Modify Registry,80,Modify UseTPMKey Registry entry,c8480c83-a932-446e-a919-06a1fd1e512a,command_prompt
+defense-evasion,T1112,Modify Registry,81,Modify UseTPMKeyPIN Registry entry,02d8b9f7-1a51-4011-8901-2d55cca667f9,command_prompt
+defense-evasion,T1112,Modify Registry,82,Modify EnableNonTPM Registry entry,02d8b9f7-1a51-4011-8901-2d55cca667f9,command_prompt
+defense-evasion,T1112,Modify Registry,83,Modify UsePartialEncryptionKey Registry entry,b5169fd5-85c8-4b2c-a9b6-64cc0b9febef,command_prompt
+defense-evasion,T1112,Modify Registry,84,Modify UsePIN Registry entry,3ac0b30f-532f-43c6-8f01-fb657aaed7e4,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -226,6 +226,17 @@ defense-evasion,T1112,Modify Registry,70,Enable RDP via Registry (fDenyTSConnect
 defense-evasion,T1112,Modify Registry,71,Disable Windows Prefetch Through Registry,7979dd41-2045-48b2-a54e-b1bc2415c9da,command_prompt
 defense-evasion,T1112,Modify Registry,72,Setting Shadow key in Registry for RDP Shadowing,ac494fe5-81a4-4897-af42-e774cf005ecb,powershell
 defense-evasion,T1112,Modify Registry,73,Flush Shimcache,ecbd533e-b45d-4239-aeff-b857c6f6d68b,command_prompt
+defense-evasion,T1112,Modify Registry,74,Disable Windows Remote Desktop Protocol,5f8e36de-37ca-455e-b054-a2584f043c06,command_prompt
+defense-evasion,T1112,Modify Registry,75,Enforce Smart Card Authentication Through Registry,4c4bf587-fe7f-448f-ba8d-1ecec9db88be,command_prompt
+defense-evasion,T1112,Modify Registry,76,Requires the BitLocker PIN for Pre-boot authentication,26fc7375-a551-4336-90d7-3f2817564304,command_prompt
+defense-evasion,T1112,Modify Registry,77,Modify EnableBDEWithNoTPM Registry entry,bacb3e73-8161-43a9-8204-a69fe0e4b482,command_prompt
+defense-evasion,T1112,Modify Registry,78,Modify UseTPM Registry entry,7c8c7bd8-0a5c-4514-a6a3-0814c5a98cf0,command_prompt
+defense-evasion,T1112,Modify Registry,79,Modify UseTPMPIN Registry entry,10b33fb0-c58b-44cd-8599-b6da5ad6384c,command_prompt
+defense-evasion,T1112,Modify Registry,80,Modify UseTPMKey Registry entry,c8480c83-a932-446e-a919-06a1fd1e512a,command_prompt
+defense-evasion,T1112,Modify Registry,81,Modify UseTPMKeyPIN Registry entry,02d8b9f7-1a51-4011-8901-2d55cca667f9,command_prompt
+defense-evasion,T1112,Modify Registry,82,Modify EnableNonTPM Registry entry,02d8b9f7-1a51-4011-8901-2d55cca667f9,command_prompt
+defense-evasion,T1112,Modify Registry,83,Modify UsePartialEncryptionKey Registry entry,b5169fd5-85c8-4b2c-a9b6-64cc0b9febef,command_prompt
+defense-evasion,T1112,Modify Registry,84,Modify UsePIN Registry entry,3ac0b30f-532f-43c6-8f01-fb657aaed7e4,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -397,6 +397,17 @@
   - Atomic Test #71: Disable Windows Prefetch Through Registry [windows]
   - Atomic Test #72: Setting Shadow key in Registry for RDP Shadowing [windows]
   - Atomic Test #73: Flush Shimcache [windows]
+  - Atomic Test #74: Disable Windows Remote Desktop Protocol [windows]
+  - Atomic Test #75: Enforce Smart Card Authentication Through Registry [windows]
+  - Atomic Test #76: Requires the BitLocker PIN for Pre-boot authentication [windows]
+  - Atomic Test #77: Modify EnableBDEWithNoTPM Registry entry [windows]
+  - Atomic Test #78: Modify UseTPM Registry entry [windows]
+  - Atomic Test #79: Modify UseTPMPIN Registry entry [windows]
+  - Atomic Test #80: Modify UseTPMKey Registry entry [windows]
+  - Atomic Test #81: Modify UseTPMKeyPIN Registry entry [windows]
+  - Atomic Test #82: Modify EnableNonTPM Registry entry [windows]
+  - Atomic Test #83: Modify UsePartialEncryptionKey Registry entry [windows]
+  - Atomic Test #84: Modify UsePIN Registry entry [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
   - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -285,6 +285,17 @@
   - Atomic Test #71: Disable Windows Prefetch Through Registry [windows]
   - Atomic Test #72: Setting Shadow key in Registry for RDP Shadowing [windows]
   - Atomic Test #73: Flush Shimcache [windows]
+  - Atomic Test #74: Disable Windows Remote Desktop Protocol [windows]
+  - Atomic Test #75: Enforce Smart Card Authentication Through Registry [windows]
+  - Atomic Test #76: Requires the BitLocker PIN for Pre-boot authentication [windows]
+  - Atomic Test #77: Modify EnableBDEWithNoTPM Registry entry [windows]
+  - Atomic Test #78: Modify UseTPM Registry entry [windows]
+  - Atomic Test #79: Modify UseTPMPIN Registry entry [windows]
+  - Atomic Test #80: Modify UseTPMKey Registry entry [windows]
+  - Atomic Test #81: Modify UseTPMKeyPIN Registry entry [windows]
+  - Atomic Test #82: Modify EnableNonTPM Registry entry [windows]
+  - Atomic Test #83: Modify UsePartialEncryptionKey Registry entry [windows]
+  - Atomic Test #84: Modify UsePIN Registry entry [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
   - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -13946,6 +13946,204 @@ defense-evasion:
         command: Rundll32.exe apphelp.dll,ShimFlushCache
         name: command_prompt
         elevation_required: true
+    - name: Disable Windows Remote Desktop Protocol
+      auto_generated_guid: 5f8e36de-37ca-455e-b054-a2584f043c06
+      description: 'Modify the registry of the machine to disable remote desktop protocol.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server"
+          /v fDenyTSConnections /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\System\CurrentControlSet\Control\Terminal
+          Server" /v fDenyTSConnections /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Enforce Smart Card Authentication Through Registry
+      auto_generated_guid: 4c4bf587-fe7f-448f-ba8d-1ecec9db88be
+      description: 'Enforce Smart Card Authentication Through Registry
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v scforceoption /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v scforceoption /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Requires the BitLocker PIN for Pre-boot authentication
+      auto_generated_guid: 26fc7375-a551-4336-90d7-3f2817564304
+      description: 'Requires the BitLocker PIN for Pre-boot authentication
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup
+          /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Modify EnableBDEWithNoTPM Registry entry
+      auto_generated_guid: bacb3e73-8161-43a9-8204-a69fe0e4b482
+      description: 'Allow BitLocker without a compatible TPM (requires a password)
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableBDEWithNoTPM
+          /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg delete ""HKLM\SOFTWARE\Policies\Microsoft\FVE"" /v EnableBDEWithNoTPM
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Modify UseTPM Registry entry
+      auto_generated_guid: 7c8c7bd8-0a5c-4514-a6a3-0814c5a98cf0
+      description: 'Use Trusted Platform Module (TPM) for Bitlocker tool
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD
+          /d 2 /f
+
+          '
+        cleanup_command: 'reg delete ""HKLM\SOFTWARE\Policies\Microsoft\FVE"" /v UseTPM
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Modify UseTPMPIN Registry entry
+      auto_generated_guid: 10b33fb0-c58b-44cd-8599-b6da5ad6384c
+      description: 'Allow startup PIN with TPM for Bitlocker tool
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD
+          /d 2 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Modify UseTPMKey Registry entry
+      auto_generated_guid: c8480c83-a932-446e-a919-06a1fd1e512a
+      description: 'Allow startup key with TPM for Bitlocker tool
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD
+          /d 2 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Modify UseTPMKeyPIN Registry entry
+      auto_generated_guid: 02d8b9f7-1a51-4011-8901-2d55cca667f9
+      description: 'Allow startup key and PIN with TPM for Bitlocker tool
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t
+          REG_DWORD /d 2 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Modify EnableNonTPM Registry entry
+      auto_generated_guid: 02d8b9f7-1a51-4011-8901-2d55cca667f9
+      description: 'Allow Bitlocker without TPM for Bitlocker tool
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableNonTPM /t
+          REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableNonTPM
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Modify UsePartialEncryptionKey Registry entry
+      auto_generated_guid: b5169fd5-85c8-4b2c-a9b6-64cc0b9febef
+      description: 'Allow startup key with TPM for Bitlocker tool
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePartialEncryptionKey
+          /t REG_DWORD /d 2 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePartialEncryptionKey
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Modify UsePIN Registry entry
+      auto_generated_guid: 3ac0b30f-532f-43c6-8f01-fb657aaed7e4
+      description: 'Allow startup PIN with TPM for Bitlocker tool
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD
+          /d 2 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
   T1574.008:
     technique:
       modified: '2023-05-09T14:00:00.188Z'

atomics/Indexes/windows-index.yaml

@@ -11292,6 +11292,204 @@ defense-evasion:
         command: Rundll32.exe apphelp.dll,ShimFlushCache
         name: command_prompt
         elevation_required: true
+    - name: Disable Windows Remote Desktop Protocol
+      auto_generated_guid: 5f8e36de-37ca-455e-b054-a2584f043c06
+      description: 'Modify the registry of the machine to disable remote desktop protocol.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server"
+          /v fDenyTSConnections /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\System\CurrentControlSet\Control\Terminal
+          Server" /v fDenyTSConnections /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Enforce Smart Card Authentication Through Registry
+      auto_generated_guid: 4c4bf587-fe7f-448f-ba8d-1ecec9db88be
+      description: 'Enforce Smart Card Authentication Through Registry
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v scforceoption /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v scforceoption /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Requires the BitLocker PIN for Pre-boot authentication
+      auto_generated_guid: 26fc7375-a551-4336-90d7-3f2817564304
+      description: 'Requires the BitLocker PIN for Pre-boot authentication
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup
+          /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Modify EnableBDEWithNoTPM Registry entry
+      auto_generated_guid: bacb3e73-8161-43a9-8204-a69fe0e4b482
+      description: 'Allow BitLocker without a compatible TPM (requires a password)
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableBDEWithNoTPM
+          /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg delete ""HKLM\SOFTWARE\Policies\Microsoft\FVE"" /v EnableBDEWithNoTPM
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Modify UseTPM Registry entry
+      auto_generated_guid: 7c8c7bd8-0a5c-4514-a6a3-0814c5a98cf0
+      description: 'Use Trusted Platform Module (TPM) for Bitlocker tool
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD
+          /d 2 /f
+
+          '
+        cleanup_command: 'reg delete ""HKLM\SOFTWARE\Policies\Microsoft\FVE"" /v UseTPM
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Modify UseTPMPIN Registry entry
+      auto_generated_guid: 10b33fb0-c58b-44cd-8599-b6da5ad6384c
+      description: 'Allow startup PIN with TPM for Bitlocker tool
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD
+          /d 2 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Modify UseTPMKey Registry entry
+      auto_generated_guid: c8480c83-a932-446e-a919-06a1fd1e512a
+      description: 'Allow startup key with TPM for Bitlocker tool
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD
+          /d 2 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Modify UseTPMKeyPIN Registry entry
+      auto_generated_guid: 02d8b9f7-1a51-4011-8901-2d55cca667f9
+      description: 'Allow startup key and PIN with TPM for Bitlocker tool
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t
+          REG_DWORD /d 2 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Modify EnableNonTPM Registry entry
+      auto_generated_guid: 02d8b9f7-1a51-4011-8901-2d55cca667f9
+      description: 'Allow Bitlocker without TPM for Bitlocker tool
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableNonTPM /t
+          REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableNonTPM
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Modify UsePartialEncryptionKey Registry entry
+      auto_generated_guid: b5169fd5-85c8-4b2c-a9b6-64cc0b9febef
+      description: 'Allow startup key with TPM for Bitlocker tool
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePartialEncryptionKey
+          /t REG_DWORD /d 2 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePartialEncryptionKey
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Modify UsePIN Registry entry
+      auto_generated_guid: 3ac0b30f-532f-43c6-8f01-fb657aaed7e4
+      description: 'Allow startup PIN with TPM for Bitlocker tool
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD
+          /d 2 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
   T1574.008:
     technique:
       modified: '2023-05-09T14:00:00.188Z'

atomics/T1112/T1112.md

@@ -156,6 +156,28 @@ The Registry of a remote system may be modified to aid in execution of files as
 
 - [Atomic Test #73 - Flush Shimcache](#atomic-test-73---flush-shimcache)
 
+- [Atomic Test #74 - Disable Windows Remote Desktop Protocol](#atomic-test-74---disable-windows-remote-desktop-protocol)
+
+- [Atomic Test #75 - Enforce Smart Card Authentication Through Registry](#atomic-test-75---enforce-smart-card-authentication-through-registry)
+
+- [Atomic Test #76 - Requires the BitLocker PIN for Pre-boot authentication](#atomic-test-76---requires-the-bitlocker-pin-for-pre-boot-authentication)
+
+- [Atomic Test #77 - Modify EnableBDEWithNoTPM Registry entry](#atomic-test-77---modify-enablebdewithnotpm-registry-entry)
+
+- [Atomic Test #78 - Modify UseTPM Registry entry](#atomic-test-78---modify-usetpm-registry-entry)
+
+- [Atomic Test #79 - Modify UseTPMPIN Registry entry](#atomic-test-79---modify-usetpmpin-registry-entry)
+
+- [Atomic Test #80 - Modify UseTPMKey Registry entry](#atomic-test-80---modify-usetpmkey-registry-entry)
+
+- [Atomic Test #81 - Modify UseTPMKeyPIN Registry entry](#atomic-test-81---modify-usetpmkeypin-registry-entry)
+
+- [Atomic Test #82 - Modify EnableNonTPM Registry entry](#atomic-test-82---modify-enablenontpm-registry-entry)
+
+- [Atomic Test #83 - Modify UsePartialEncryptionKey Registry entry](#atomic-test-83---modify-usepartialencryptionkey-registry-entry)
+
+- [Atomic Test #84 - Modify UsePIN Registry entry](#atomic-test-84---modify-usepin-registry-entry)
+
 
 <br/>
 
@@ -2691,4 +2713,356 @@ Rundll32.exe apphelp.dll,ShimFlushCache
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #74 - Disable Windows Remote Desktop Protocol
+Modify the registry of the machine to disable remote desktop protocol.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5f8e36de-37ca-455e-b054-a2584f043c06
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #75 - Enforce Smart Card Authentication Through Registry
+Enforce Smart Card Authentication Through Registry
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4c4bf587-fe7f-448f-ba8d-1ecec9db88be
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v scforceoption /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v scforceoption /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #76 - Requires the BitLocker PIN for Pre-boot authentication
+Requires the BitLocker PIN for Pre-boot authentication
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 26fc7375-a551-4336-90d7-3f2817564304
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #77 - Modify EnableBDEWithNoTPM Registry entry
+Allow BitLocker without a compatible TPM (requires a password)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** bacb3e73-8161-43a9-8204-a69fe0e4b482
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete ""HKLM\SOFTWARE\Policies\Microsoft\FVE"" /v EnableBDEWithNoTPM /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #78 - Modify UseTPM Registry entry
+Use Trusted Platform Module (TPM) for Bitlocker tool
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7c8c7bd8-0a5c-4514-a6a3-0814c5a98cf0
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete ""HKLM\SOFTWARE\Policies\Microsoft\FVE"" /v UseTPM /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #79 - Modify UseTPMPIN Registry entry
+Allow startup PIN with TPM for Bitlocker tool
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 10b33fb0-c58b-44cd-8599-b6da5ad6384c
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #80 - Modify UseTPMKey Registry entry
+Allow startup key with TPM for Bitlocker tool
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c8480c83-a932-446e-a919-06a1fd1e512a
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #81 - Modify UseTPMKeyPIN Registry entry
+Allow startup key and PIN with TPM for Bitlocker tool
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 02d8b9f7-1a51-4011-8901-2d55cca667f9
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #82 - Modify EnableNonTPM Registry entry
+Allow Bitlocker without TPM for Bitlocker tool
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 02d8b9f7-1a51-4011-8901-2d55cca667f9
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableNonTPM /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableNonTPM /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #83 - Modify UsePartialEncryptionKey Registry entry
+Allow startup key with TPM for Bitlocker tool
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b5169fd5-85c8-4b2c-a9b6-64cc0b9febef
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePartialEncryptionKey /t REG_DWORD /d 2 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePartialEncryptionKey /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #84 - Modify UsePIN Registry entry
+Allow startup PIN with TPM for Bitlocker tool
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3ac0b30f-532f-43c6-8f01-fb657aaed7e4
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /f
+```
+
+
+
+
+
 <br/>