Generated docs from job=generate-docs branch=master [ci skip]

2023-01-31 14:48:55 +00:00
parent b12b28bf52
commit cd3690b100
8 changed files with 116 additions and 2 deletions
@@ -223,6 +223,8 @@ defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection Histo
 defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
 defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
 defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
+defense-evasion,T1112,Modify Registry,45,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
+defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
@@ -168,6 +168,8 @@ defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection Histo
 defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
 defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
 defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
+defense-evasion,T1112,Modify Registry,45,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
+defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
@@ -298,6 +298,8 @@
  - Atomic Test #42: Disable Windows Error Reporting Settings [windows]
  - Atomic Test #43: DisallowRun Execution Of Certain Applications [windows]
  - Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
+  - Atomic Test #45: Mimic Ransomware - Enable Multiple User Sessions [windows]
+  - Atomic Test #46: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -226,6 +226,8 @@
  - Atomic Test #42: Disable Windows Error Reporting Settings [windows]
  - Atomic Test #43: DisallowRun Execution Of Certain Applications [windows]
  - Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
+  - Atomic Test #45: Mimic Ransomware - Enable Multiple User Sessions [windows]
+  - Atomic Test #46: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -11116,6 +11116,42 @@ defense-evasion:
          '
        name: command_prompt
        elevation_required: true
+    - name: Mimic Ransomware - Enable Multiple User Sessions
+      auto_generated_guid: 39f1f378-ba8a-42b3-96dc-2a6540cfc1e3
+      description: "This test emulates Mimic ransomware's ability to enable multiple
+        user sessions by modifying the AllowMultipleTSSessions value within the Winlogon
+        registry key. \nSee [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon
+          /t REG_DWORD /v AllowMultipleTSSessions /d 1 /f
+
+          '
+        cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon
+          /v AllowMultipleTSSessions /f >nul 2>&1
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Mimic Ransomware - Allow Multiple RDP Sessions per User
+      auto_generated_guid: 35727d9e-7a7f-4d0c-a259-dc3906d6e8b9
+      description: "This test emulates Mimic ransomware's ability to enable multiple
+        RDP sessions per user by modifying the fSingleSessionPerUser value within
+        the Terminal Server registry key. \nSee [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server"
+          /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\System\CurrentControlSet\Control\Terminal
+          Server" /v fSingleSessionPerUser /f >nul 2>&1
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1574.008:
    technique:
      x_mitre_platforms:
@@ -98,6 +98,10 @@ The Registry of a remote system may be modified to aid in execution of files as

 - [Atomic Test #44 - Enabling Restricted Admin Mode via Command_Prompt](#atomic-test-44---enabling-restricted-admin-mode-via-command_prompt)

+- [Atomic Test #45 - Mimic Ransomware - Enable Multiple User Sessions](#atomic-test-45---mimic-ransomware---enable-multiple-user-sessions)
+
+- [Atomic Test #46 - Mimic Ransomware - Allow Multiple RDP Sessions per User](#atomic-test-46---mimic-ransomware---allow-multiple-rdp-sessions-per-user)
+

 <br/>

@@ -1649,4 +1653,70 @@ reg delete "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAd



+<br/>
+<br/>
+
+## Atomic Test #45 - Mimic Ransomware - Enable Multiple User Sessions
+This test emulates Mimic ransomware's ability to enable multiple user sessions by modifying the AllowMultipleTSSessions value within the Winlogon registry key. 
+See [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 39f1f378-ba8a-42b3-96dc-2a6540cfc1e3
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon /t REG_DWORD /v AllowMultipleTSSessions /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon /v AllowMultipleTSSessions /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #46 - Mimic Ransomware - Allow Multiple RDP Sessions per User
+This test emulates Mimic ransomware's ability to enable multiple RDP sessions per user by modifying the fSingleSessionPerUser value within the Terminal Server registry key. 
+See [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 35727d9e-7a7f-4d0c-a259-dc3906d6e8b9
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /f >nul 2>&1
+```
+
+
+
+
+
 <br/>