From bb601df2f89c40c9788264edb100b06c9e6bcd53 Mon Sep 17 00:00:00 2001
From: PhyoPaingHtun ChiLai <83696447+PhyoPaingHtun@users.noreply.github.com>
Date: Tue, 5 Dec 2023 01:55:07 +0700
Subject: [PATCH] =?UTF-8?q?Update=20T1112.yaml=20(Scarab=20Ransomware=20De?= =?UTF-8?q?fense=20Evasion=20Activities=20=20&=20Me=E2=80=A6=20(#2625)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Update T1112.yaml (Scarab Ransomware Defense Evasion Activities & Merdoor Backdoor Persistence Activities) Scarab Ransomware Defense Evasion Activities Merdoor Backdoor Persistence Activities
* Update T1112.yaml (Update Merdoor Backdoor article)
* Update T1112.yaml (Update Syntax Error)
* Update T1112.yaml (Update Syntax Error)
* Update T1112.yaml
---------
Co-authored-by: PhyoPaingHtun ChiLai <83696447+PhyoPaing777@users.noreply.github.com>
Co-authored-by: Carrie Roberts
---
 atomics/T1112/T1112.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index bd66a7c7..be29633f 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -933,6 +933,7 @@ atomic_tests:
 Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'http' -Value 3
 Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'https' -Value 3
 name: powershell
+
 - name: Activities To Disable Secondary Authentication Detected By Modified Registry Value.
 auto_generated_guid: c26fb85a-fa50-4fab-a64a-c51f5dc538d5
 description: |
@@ -946,6 +947,7 @@ atomic_tests:
 cleanup_command: |
 reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor" /v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 1 /f
 name: command_prompt
+
 - name: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.
 auto_generated_guid: ffeddced-bb9f-49c6-97f0-3d07a509bf94
 description: |
@@ -959,3 +961,16 @@ atomic_tests:
 cleanup_command: |
 reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon" /t REG_DWORD /d 1 /f
 name: command_prompt
+
+- name: Scarab Ransomware Defense Evasion Activities
+ description: |
+ Scarab Ransomware defense evasion activities that can abuse the registry values to modify the settings of the Credential Security Support Provider to overcome potential RDP connection issues.
+ [Scarab Ransomware Article](https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/)
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f
+ cleanup_command: |
+ reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 0 /f
+ name: command_prompt
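Review bot: The cleanup_command of the new Scarab test does not restore the prior state: it writes AllowEncryptionOracle = 0 under the CredSSP\Parameters policy key, which leaves a policy value on a host that most likely had none before the test ran and is itself a non-default setting. Prefer removing the value so the machine returns to the not-configured state, `reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /f`, or have the test save the existing value before the command runs and restore it afterwards. The test also lacks the `auto_generated_guid` field that the two neighbouring tests in this hunk carry (a placeholder such as `auto_generated_guid: <GUID-TO-BE-GENERATED>` if the repository's generator fills it in), and because the command writes under HKLM the executor should declare `elevation_required: true` so runners do not attempt it unelevated. The description would help detection engineers more if it stated that the value 2 selects the least restrictive (vulnerable) level of the CredSSP encryption-oracle remediation, which is the change worth alerting on, rather than only "overcome potential RDP connection issues".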