Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2021-12-23 19:00:45 +00:00
parent 73a44d8b8f
commit d39dc66fa1
6 changed files with 124 additions and 0 deletions
@@ -473,6 +473,8 @@ defense-evasion,T1564.004,NTFS File Attributes,4,Create ADS PowerShell,0045ea16-
 defense-evasion,T1070.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
 defense-evasion,T1070.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
 defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
+defense-evasion,T1070.005,Network Share Connection Removal,4,Disable Administrative Share Creation at Startup,99c657aa-ebeb-4179-a665-69288fdd12b8,command_prompt
+defense-evasion,T1070.005,Network Share Connection Removal,5,Remove Administrative Shares,4299eff5-90f1-4446-b2f3-7f4f5cfd5d62,command_prompt
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
 defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
@@ -308,6 +308,8 @@ defense-evasion,T1564.004,NTFS File Attributes,4,Create ADS PowerShell,0045ea16-
 defense-evasion,T1070.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
 defense-evasion,T1070.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
 defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
+defense-evasion,T1070.005,Network Share Connection Removal,4,Disable Administrative Share Creation at Startup,99c657aa-ebeb-4179-a665-69288fdd12b8,command_prompt
+defense-evasion,T1070.005,Network Share Connection Removal,5,Remove Administrative Shares,4299eff5-90f1-4446-b2f3-7f4f5cfd5d62,command_prompt
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
 defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
 defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
@@ -756,6 +756,8 @@
  - Atomic Test #1: Add Network Share [windows]
  - Atomic Test #2: Remove Network Share [windows]
  - Atomic Test #3: Remove Network Share PowerShell [windows]
+  - Atomic Test #4: Disable Administrative Share Creation at Startup [windows]
+  - Atomic Test #5: Remove Administrative Shares [windows]
 - [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
  - Atomic Test #1: Decode base64 Data into Script [macos, linux]
  - Atomic Test #2: Execute base64-encoded PowerShell [windows]
@@ -524,6 +524,8 @@
  - Atomic Test #1: Add Network Share [windows]
  - Atomic Test #2: Remove Network Share [windows]
  - Atomic Test #3: Remove Network Share PowerShell [windows]
+  - Atomic Test #4: Disable Administrative Share Creation at Startup [windows]
+  - Atomic Test #5: Remove Administrative Shares [windows]
 - [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
  - Atomic Test #2: Execute base64-encoded PowerShell [windows]
  - Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
@@ -31945,6 +31945,43 @@ defense-evasion:
          Remove-SmbShare -Name #{share_name}
          Remove-FileShare -Name #{share_name}
        name: powershell
+    - name: Disable Administrative Share Creation at Startup
+      auto_generated_guid: 99c657aa-ebeb-4179-a665-69288fdd12b8
+      description: "Administrative shares are hidden network shares created by Microsoft’s
+        Windows NT operating systems that grant system administrators \nremote access
+        to every disk volume on a network-connected system. These shares are automatically
+        created at started unless they have been\npurposefully disabled and is done
+        in this Atomic test. As Microsoft puts it, \"Missing administrative shares
+        typically \nindicate that the computer in question has been compromised by
+        malicious software.\"\nhttps://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
+          reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
+        cleanup_command: |
+          reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /f
+          reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /f
+        name: command_prompt
+        elevation_required: true
+    - name: Remove Administrative Shares
+      auto_generated_guid: 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62
+      description: "Administrative shares are hidden network shares created by Microsoft’s
+        Windows NT operating systems that grant system administrators \nremote access
+        to every disk volume on a network-connected system. As Microsoft puts it,
+        “Missing administrative shares typically \nindicate that the computer in question
+        has been compromised by malicious software.\nhttps://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: for %i in (C$ IPC$ ADMIN$) do net share %i /delete
+        cleanup_command: |
+          net share ADMIN$ /UNLIMITED >nul 2>&1
+          net share C$=C:\ >nul 2>&1
+          net share IPC$ >nul 2>&1
+        name: command_prompt
+        elevation_required: true
  T1027:
    technique:
      object_marking_refs:
@@ -10,6 +10,10 @@

 - [Atomic Test #3 - Remove Network Share PowerShell](#atomic-test-3---remove-network-share-powershell)

+- [Atomic Test #4 - Disable Administrative Share Creation at Startup](#atomic-test-4---disable-administrative-share-creation-at-startup)
+
+- [Atomic Test #5 - Remove Administrative Shares](#atomic-test-5---remove-administrative-shares)
+

 <br/>

@@ -111,4 +115,79 @@ Remove-FileShare -Name #{share_name}



+<br/>
+<br/>
+
+## Atomic Test #4 - Disable Administrative Share Creation at Startup
+Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators 
+remote access to every disk volume on a network-connected system. These shares are automatically created at started unless they have been
+purposefully disabled and is done in this Atomic test. As Microsoft puts it, "Missing administrative shares typically 
+indicate that the computer in question has been compromised by malicious software."
+https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 99c657aa-ebeb-4179-a665-69288fdd12b8
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /f
+reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Remove Administrative Shares
+Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators 
+remote access to every disk volume on a network-connected system. As Microsoft puts it, “Missing administrative shares typically 
+indicate that the computer in question has been compromised by malicious software.
+https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+for %i in (C$ IPC$ ADMIN$) do net share %i /delete
+```
+
+#### Cleanup Commands:
+```cmd
+net share ADMIN$ /UNLIMITED >nul 2>&1
+net share C$=C:\ >nul 2>&1
+net share IPC$ >nul 2>&1
+```
+
+
+
+
+
 <br/>