Generated docs from job=generate-docs branch=master [ci skip]

2023-12-04 18:56:01 +00:00
parent cc6a655d63
commit b2bc904f4c
9 changed files with 75 additions and 2 deletions
@@ -298,6 +298,7 @@ defense-evasion,T1112,Modify Registry,58,Modify Internet Zone Protocol Defaults
 defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
 defense-evasion,T1112,Modify Registry,60,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
 defense-evasion,T1112,Modify Registry,61,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
+defense-evasion,T1112,Modify Registry,62,Scarab Ransomware Defense Evasion Activities,ca8ba39c-3c5a-459f-8e15-280aec65a910,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
@@ -203,6 +203,7 @@ defense-evasion,T1112,Modify Registry,58,Modify Internet Zone Protocol Defaults
 defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
 defense-evasion,T1112,Modify Registry,60,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
 defense-evasion,T1112,Modify Registry,61,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
+defense-evasion,T1112,Modify Registry,62,Scarab Ransomware Defense Evasion Activities,ca8ba39c-3c5a-459f-8e15-280aec65a910,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
@@ -367,6 +367,7 @@
  - Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
  - Atomic Test #60: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
  - Atomic Test #61: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [windows]
+  - Atomic Test #62: Scarab Ransomware Defense Evasion Activities [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -258,6 +258,7 @@
  - Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
  - Atomic Test #60: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
  - Atomic Test #61: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [windows]
+  - Atomic Test #62: Scarab Ransomware Defense Evasion Activities [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -12960,6 +12960,23 @@ defense-evasion:
        cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon"
          /t REG_DWORD /d 1 /f

+          '
+        name: command_prompt
+    - name: Scarab Ransomware Defense Evasion Activities
+      auto_generated_guid: ca8ba39c-3c5a-459f-8e15-280aec65a910
+      description: |
+        Scarab Ransomware defense evasion activities that can abuse the registry values to modify the settings of the Credential Security Support Provider to overcome potential RDP connection issues.
+        [Scarab Ransomware Article](https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/)
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters"
+          /v AllowEncryptionOracle /t REG_DWORD /d 2 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters"
+          /v AllowEncryptionOracle /t REG_DWORD /d 0 /f
+
          '
        name: command_prompt
  T1574.008:
@@ -10385,6 +10385,23 @@ defense-evasion:
        cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon"
          /t REG_DWORD /d 1 /f

+          '
+        name: command_prompt
+    - name: Scarab Ransomware Defense Evasion Activities
+      auto_generated_guid: ca8ba39c-3c5a-459f-8e15-280aec65a910
+      description: |
+        Scarab Ransomware defense evasion activities that can abuse the registry values to modify the settings of the Credential Security Support Provider to overcome potential RDP connection issues.
+        [Scarab Ransomware Article](https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/)
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters"
+          /v AllowEncryptionOracle /t REG_DWORD /d 2 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters"
+          /v AllowEncryptionOracle /t REG_DWORD /d 0 /f
+
          '
        name: command_prompt
  T1574.008:
@@ -132,6 +132,8 @@ The Registry of a remote system may be modified to aid in execution of files as

 - [Atomic Test #61 - Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.](#atomic-test-61---activities-to-disable-microsoft-fido-aka-fast-identity-online-authentication-detected-by-modified-registry-value)

+- [Atomic Test #62 - Scarab Ransomware Defense Evasion Activities](#atomic-test-62---scarab-ransomware-defense-evasion-activities)
+

 <br/>

@@ -2268,4 +2270,37 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon" /



+<br/>
+<br/>
+
+## Atomic Test #62 - Scarab Ransomware Defense Evasion Activities
+Scarab Ransomware defense evasion activities that can abuse the registry values to modify the settings of the Credential Security Support Provider to overcome potential RDP connection issues.
+[Scarab Ransomware Article](https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ca8ba39c-3c5a-459f-8e15-280aec65a910
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 0 /f
+```
+
+
+
+
+
 <br/>