Update T1112.yaml (Scarab Ransomware Defense Evasion Activities & Me… (#2625)

* Update T1112.yaml (Scarab Ransomware Defense Evasion Activities & Merdoor Backdoor Persistence Activities)

Scarab Ransomware Defense Evasion Activities 
Merdoor Backdoor Persistence Activities

* Update T1112.yaml (Update Merdoor Backdoor article)

* Update T1112.yaml (Update Syntax Error)

* Update T1112.yaml (Update Syntax Error)

* Update T1112.yaml

---------

Co-authored-by: PhyoPaingHtun ChiLai <83696447+PhyoPaing777@users.noreply.github.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
PhyoPaingHtun ChiLai
2023-12-05 01:55:07 +07:00
committed by GitHub
parent 6607ee34b6
commit bb601df2f8
@@ -933,6 +933,7 @@ atomic_tests:
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'http' -Value 3
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'https' -Value 3
name: powershell
- name: Activities To Disable Secondary Authentication Detected By Modified Registry Value.
auto_generated_guid: c26fb85a-fa50-4fab-a64a-c51f5dc538d5
description: |
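Review bot: the hunk header (-933,6 +933,7) records one added line, but none of the lines shown carries an addition marker, so the change is presumably the blank line that separates the previous test's executor from `- name: Activities To Disable Secondary Authentication Detected By Modified Registry Value.`, matching the "Update Syntax Error" entries in the commit message. A whitespace-only YAML fix is fine, but the commit body should say that the list separation between tests was corrected so the intent is reviewable without reconstructing it from the header counts.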
@@ -946,6 +947,7 @@ atomic_tests:
cleanup_command: |
reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor" /v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 1 /f
name: command_prompt
- name: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.
auto_generated_guid: ffeddced-bb9f-49c6-97f0-3d07a509bf94
description: |
@@ -959,3 +961,16 @@ atomic_tests:
cleanup_command: |
reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon" /t REG_DWORD /d 1 /f
name: command_prompt
- name: Scarab Ransomware Defense Evasion Activities
description: |
Scarab Ransomware defense evasion activities that can abuse the registry values to modify the settings of the Credential Security Support Provider to overcome potential RDP connection issues.
[Scarab Ransomware Article](https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/)
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f
cleanup_command: |
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 0 /f
name: command_prompt
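Review bot: the cleanup_command at the end of the hunk sets AllowEncryptionOracle to 0 rather than restoring the pre-test state; if the value did not exist before the test, cleanup leaves a new CredSSP policy value behind, and 0 is the most restrictive setting of that policy, which can itself break RDP to unpatched peers. Consider `reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /f` as the cleanup, or state in the description that the test assumes the value was absent. Two smaller points: the command writes under HKLM, so the executor needs `elevation_required: true`; and unlike the sibling entries earlier in the diff, which carry an `auto_generated_guid`, this entry has none. The description should also say what value 2 means (the "Vulnerable" setting of the CredSSP Encryption Oracle Remediation policy, which removes the client-side protection), since that is the registry value a detection rule for this test should match on.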