Generated docs from job=generate-docs branch=master [ci skip]

2022-11-07 21:25:36 +00:00
parent ee954d215c
commit c55f3ecce0
12 changed files with 193 additions and 204 deletions
@@ -566,8 +566,6 @@ privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run K
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
-privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
-privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
 privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
@@ -575,6 +573,8 @@ privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a sys
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
+privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
+privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
@@ -809,8 +809,6 @@ persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Sta
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
-persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
-persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
@@ -826,6 +824,8 @@ persistence,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Servic
 persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
 persistence,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
 persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
+persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
+persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
@@ -427,11 +427,11 @@ privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run K
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
 privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
-privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
-privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
+privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
+privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
@@ -607,12 +607,12 @@ persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Sta
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
-persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
-persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
 persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
+persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
+persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
@@ -863,8 +863,6 @@
  - Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
  - Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
  - Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value  [windows]
-  - Atomic Test #16: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
-  - Atomic Test #17: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
  - Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
 - T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -881,6 +879,8 @@
 - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546 Event Triggered Execution](../../T1546/T1546.md)
  - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
+  - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
+  - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
  - Atomic Test #1: Add command to .bash_profile [macos, linux]
  - Atomic Test #2: Add command to .bashrc [macos, linux]
@@ -1318,8 +1318,6 @@
  - Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
  - Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
  - Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value  [windows]
-  - Atomic Test #16: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
-  - Atomic Test #17: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
  - Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
@@ -1348,6 +1346,8 @@
 - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546 Event Triggered Execution](../../T1546/T1546.md)
  - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
+  - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
+  - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
  - Atomic Test #1: Add command to .bash_profile [macos, linux]
  - Atomic Test #2: Add command to .bashrc [macos, linux]
@@ -654,8 +654,6 @@
  - Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
  - Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
  - Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value  [windows]
-  - Atomic Test #16: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
-  - Atomic Test #17: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -665,6 +663,8 @@
 - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546 Event Triggered Execution](../../T1546/T1546.md)
  - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
+  - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
+  - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
  - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
@@ -981,8 +981,6 @@
  - Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
  - Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
  - Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value  [windows]
-  - Atomic Test #16: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
-  - Atomic Test #17: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
  - Atomic Test #1: Admin Account Manipulate [windows]
  - Atomic Test #2: Domain Account and Group Manipulate [windows]
@@ -994,6 +992,8 @@
 - T1505.004 IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546 Event Triggered Execution](../../T1546/T1546.md)
  - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
+  - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
+  - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
  - Atomic Test #1: Authentication Package [windows]
 - T1128 Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2171,7 +2171,6 @@ defense-evasion:

          '
        name: powershell
-        elevation_required: true
    - name: Bypass UAC by Mocking Trusted Directories
      auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1
      description: |
@@ -10125,13 +10124,12 @@ defense-evasion:

          '
        name: command_prompt
-        elevation_required: true
    - name: Modify Registry of Local Machine - cmd
      auto_generated_guid: 282f929a-6bc5-42b8-bd93-960c3ba35afe
      description: |
        Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup.  This should only be possible when
        CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
-        will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
+        will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
      supported_platforms:
      - windows
      input_arguments:
@@ -10701,7 +10699,6 @@ defense-evasion:
          reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1
          reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /f >nul 2>&1
        name: command_prompt
-        elevation_required: true
    - name: Windows Powershell Logging Disabled
      auto_generated_guid: 95b25212-91a7-42ff-9613-124aca6845a8
      description: |
@@ -10851,7 +10848,6 @@ defense-evasion:
          reg delete HKCU\SOFTWARE\NetWire /va /f >nul 2>&1
          reg delete HKCU\SOFTWARE\NetWire /f >nul 2>&1
        name: command_prompt
-        elevation_required: true
    - name: Ursnif Malware Registry Key Creation
      auto_generated_guid: c375558d-7c25-45e9-bd64-7b23a97c1db0
      description: |
@@ -10868,7 +10864,6 @@ defense-evasion:
          reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /va /f >nul 2>&1
          reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /f >nul 2>&1
        name: command_prompt
-        elevation_required: true
    - name: Terminal Server Client Connection History Cleared
      auto_generated_guid: 3448824b-3c35-4a9e-a8f5-f887f68bea21
      description: 'The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe)
@@ -28639,7 +28634,6 @@ privilege-escalation:

          '
        name: powershell
-        elevation_required: true
    - name: Bypass UAC by Mocking Trusted Directories
      auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1
      description: |
@@ -36760,7 +36754,6 @@ privilege-escalation:
          Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
          Remove-Item "#{new_startup_folder}" -Recurse -Force
        name: powershell
-        elevation_required: true
    - name: HKCU - Policy Settings Explorer Run Key
      auto_generated_guid: a70faea1-e206-4f6f-8d9a-67379be8f6f1
      description: "This test will create a new value under HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
@@ -36861,48 +36854,6 @@ privilege-escalation:
          Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'
        name: powershell
        elevation_required: true
-    - name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
-      auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
-      description: |-
-        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
-        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
-      supported_platforms:
-      - windows
-      input_arguments:
-        command:
-          description: Command to Execute
-          type: string
-          default: notepad.exe
-      executor:
-        command: New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor"
-          -Name "AutoRun" -Value "#{command}" -PropertyType "String"
-        cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command
-          Processor" -Name "AutoRun" -ErrorAction Ignore
-        name: powershell
-        elevation_required: true
-    - name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
-      auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
-      description: |-
-        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
-        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
-      supported_platforms:
-      - windows
-      input_arguments:
-        command:
-          description: Command to Execute
-          type: string
-          default: notepad.exe
-      executor:
-        command: |-
-          $path = "HKCU:\Software\Microsoft\Command Processor"
-          if (!(Test-Path -path $path)){
-            New-Item -ItemType Key -Path $path
-          }
-          New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
-        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
-          Processor" -Name "AutoRun" -ErrorAction Ignore
-        name: powershell
-        elevation_required: true
  T1547.006:
    technique:
      x_mitre_platforms:
@@ -37890,6 +37841,47 @@ privilege-escalation:
          -Name AutodialDLL -Value  $env:windir\system32\rasadhlp.dll
        name: powershell
        elevation_required: true
+    - name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
+      auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
+      description: |-
+        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to Execute
+          type: string
+          default: notepad.exe
+      executor:
+        command: New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor"
+          -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+        cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command
+          Processor" -Name "AutoRun" -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
+    - name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
+      auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
+      description: |-
+        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to Execute
+          type: string
+          default: notepad.exe
+      executor:
+        command: |-
+          $path = "HKCU:\Software\Microsoft\Command Processor"
+          if (!(Test-Path -path $path)){
+            New-Item -ItemType Key -Path $path
+          }
+          New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
+          Processor" -Name "AutoRun" -ErrorAction Ignore
+        name: powershell
  T1546.004:
    technique:
      x_mitre_platforms:
@@ -45921,7 +45913,6 @@ execution:
          Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
          Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
        name: powershell
-        elevation_required: true
    - name: PowerShell Downgrade Attack
      auto_generated_guid: 9148e7c4-9356-420e-a416-e896e9c0f73e
      description: |
@@ -58979,7 +58970,6 @@ persistence:
          Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
          Remove-Item "#{new_startup_folder}" -Recurse -Force
        name: powershell
-        elevation_required: true
    - name: HKCU - Policy Settings Explorer Run Key
      auto_generated_guid: a70faea1-e206-4f6f-8d9a-67379be8f6f1
      description: "This test will create a new value under HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
@@ -59080,48 +59070,6 @@ persistence:
          Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'
        name: powershell
        elevation_required: true
-    - name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
-      auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
-      description: |-
-        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
-        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
-      supported_platforms:
-      - windows
-      input_arguments:
-        command:
-          description: Command to Execute
-          type: string
-          default: notepad.exe
-      executor:
-        command: New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor"
-          -Name "AutoRun" -Value "#{command}" -PropertyType "String"
-        cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command
-          Processor" -Name "AutoRun" -ErrorAction Ignore
-        name: powershell
-        elevation_required: true
-    - name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
-      auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
-      description: |-
-        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
-        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
-      supported_platforms:
-      - windows
-      input_arguments:
-        command:
-          description: Command to Execute
-          type: string
-          default: notepad.exe
-      executor:
-        command: |-
-          $path = "HKCU:\Software\Microsoft\Command Processor"
-          if (!(Test-Path -path $path)){
-            New-Item -ItemType Key -Path $path
-          }
-          New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
-        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
-          Processor" -Name "AutoRun" -ErrorAction Ignore
-        name: powershell
-        elevation_required: true
  T1136.003:
    technique:
      x_mitre_platforms:
@@ -60842,6 +60790,47 @@ persistence:
          -Name AutodialDLL -Value  $env:windir\system32\rasadhlp.dll
        name: powershell
        elevation_required: true
+    - name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
+      auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
+      description: |-
+        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to Execute
+          type: string
+          default: notepad.exe
+      executor:
+        command: New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor"
+          -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+        cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command
+          Processor" -Name "AutoRun" -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
+    - name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
+      auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
+      description: |-
+        An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+        [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+      supported_platforms:
+      - windows
+      input_arguments:
+        command:
+          description: Command to Execute
+          type: string
+          default: notepad.exe
+      executor:
+        command: |-
+          $path = "HKCU:\Software\Microsoft\Command Processor"
+          if (!(Test-Path -path $path)){
+            New-Item -ItemType Key -Path $path
+          }
+          New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
+          Processor" -Name "AutoRun" -ErrorAction Ignore
+        name: powershell
  T1546.004:
    technique:
      x_mitre_platforms:
@@ -412,7 +412,7 @@ art-marker.txt is in the folder.



-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `powershell`! 


 ```powershell
@@ -113,7 +113,7 @@ will be displayed. Additionally, open Registry Editor to view the new entry in H



-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `command_prompt`! 


 ```cmd
@@ -135,7 +135,7 @@ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
 ## Atomic Test #2 - Modify Registry of Local Machine - cmd
 Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup.  This should only be possible when
 CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
-will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
+will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

 **Supported Platforms:** Windows

@@ -1165,7 +1165,7 @@ See how hermeticwiper uses this technique - https://www.splunk.com/en_us/blog/se



-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `command_prompt`! 


 ```cmd
@@ -1441,7 +1441,7 @@ See how NetWire malware - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270



-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `command_prompt`! 


 ```cmd
@@ -1478,7 +1478,7 @@ More information - https://blog.trendmicro.com/trendlabs-security-intelligence/p



-#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `command_prompt`! 


 ```cmd
@@ -10,6 +10,10 @@ Since the execution can be proxied by an account with higher permissions, such a

 - [Atomic Test #1 - Persistence with Custom AutodialDLL](#atomic-test-1---persistence-with-custom-autodialdll)

+- [Atomic Test #2 - HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)](#atomic-test-2---hklm---persistence-using-commandprocessor-autorun-key-with-elevation)
+
+- [Atomic Test #3 - HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)](#atomic-test-3---hkcu---persistence-using-commandprocessor-autorun-key-with-elevation)
+

 <br/>

@@ -58,4 +62,84 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato



+<br/>
+<br/>
+
+## Atomic Test #2 - HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
+An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a574dafe-a903-4cce-9701-14040f4f3532
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command | Command to Execute | string | notepad.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
+An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
+[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command | Command to Execute | string | notepad.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$path = "HKCU:\Software\Microsoft\Command Processor"
+if (!(Test-Path -path $path)){
+  New-Item -ItemType Key -Path $path
+}
+New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>
@@ -72,10 +72,6 @@ Adversaries can use these configuration locations to execute malware, such as re

 - [Atomic Test #15 - HKLM - Modify default System Shell - Winlogon Shell KEY Value ](#atomic-test-15---hklm---modify-default-system-shell---winlogon-shell-key-value-)

- [Atomic Test #16 - HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)](#atomic-test-16---hklm---persistence-using-commandprocessor-autorun-key-with-elevation)
-
- [Atomic Test #17 - HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)](#atomic-test-17---hkcu---persistence-using-commandprocessor-autorun-key-with-elevation)
-

 <br/>

@@ -484,7 +480,7 @@ to point to a new startup folder where a payload could be stored to launch at bo
 | payload | executable to be placed in new startup location | String | C:&#92;Windows&#92;System32&#92;calc.exe|


-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `powershell`! 


 ```powershell
@@ -674,84 +670,4 @@ Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\W



-<br/>
-<br/>
-
-## Atomic Test #16 - HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
-An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
-[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** a574dafe-a903-4cce-9701-14040f4f3532
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| command | Command to Execute | string | notepad.exe|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -Value "#{command}" -PropertyType "String"
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #17 - HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
-An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
-[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| command | Command to Execute | string | notepad.exe|
-
-
-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
-
-
-```powershell
-$path = "HKCU:\Software\Microsoft\Command Processor"
-if (!(Test-Path -path $path)){
-  New-Item -ItemType Key -Path $path
-}
-New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
-```
-
-#### Cleanup Commands:
-```powershell
-Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
-```
-
-
-
-
-
 <br/>
@@ -238,7 +238,7 @@ Upon execution administrative command prompt should open
 | executable_binary | Binary to execute with UAC Bypass | Path | C:&#92;Windows&#92;System32&#92;cmd.exe|


-#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `powershell`! 


 ```powershell