Generated docs from job=generate-docs branch=master [ci skip]

2024-11-20 00:06:48 +00:00
parent c7d7cc8203
commit e1c3f63bf9
12 changed files with 160 additions and 8 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1667-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1669-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -367,6 +367,8 @@ defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,1,
 defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
 defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,3,Clear Event Logs via VBA,1b682d84-f075-4f93-9a89-8a8de19ffd6e,powershell
 defense-evasion,T1222,File and Directory Permissions Modification,1,Enable Local and Remote Symbolic Links via fsutil,6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02,command_prompt
+defense-evasion,T1222,File and Directory Permissions Modification,2,Enable Local and Remote Symbolic Links via reg.exe,78bef0d4-57fb-417d-a67a-b75ae02ea3ab,command_prompt
+defense-evasion,T1222,File and Directory Permissions Modification,3,Enable Local and Remote Symbolic Links via Powershell,6cd715aa-20ac-4be1-a8f1-dda7bae160bd,powershell
 defense-evasion,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
 defense-evasion,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
@@ -261,6 +261,8 @@ defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,1,
 defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
 defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,3,Clear Event Logs via VBA,1b682d84-f075-4f93-9a89-8a8de19ffd6e,powershell
 defense-evasion,T1222,File and Directory Permissions Modification,1,Enable Local and Remote Symbolic Links via fsutil,6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02,command_prompt
+defense-evasion,T1222,File and Directory Permissions Modification,2,Enable Local and Remote Symbolic Links via reg.exe,78bef0d4-57fb-417d-a67a-b75ae02ea3ab,command_prompt
+defense-evasion,T1222,File and Directory Permissions Modification,3,Enable Local and Remote Symbolic Links via Powershell,6cd715aa-20ac-4be1-a8f1-dda7bae160bd,powershell
 defense-evasion,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
 defense-evasion,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
 defense-evasion,T1218.008,Signed Binary Proxy Execution: Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
@@ -448,6 +448,8 @@
  - Atomic Test #3: Clear Event Logs via VBA [windows]
 - [T1222 File and Directory Permissions Modification](../../T1222/T1222.md)
  - Atomic Test #1: Enable Local and Remote Symbolic Links via fsutil [windows]
+  - Atomic Test #2: Enable Local and Remote Symbolic Links via reg.exe [windows]
+  - Atomic Test #3: Enable Local and Remote Symbolic Links via Powershell [windows]
 - T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
  - Atomic Test #1: Access Token Manipulation [windows]
@@ -326,6 +326,8 @@
  - Atomic Test #3: Clear Event Logs via VBA [windows]
 - [T1222 File and Directory Permissions Modification](../../T1222/T1222.md)
  - Atomic Test #1: Enable Local and Remote Symbolic Links via fsutil [windows]
+  - Atomic Test #2: Enable Local and Remote Symbolic Links via reg.exe [windows]
+  - Atomic Test #3: Enable Local and Remote Symbolic Links via Powershell [windows]
 - T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
  - Atomic Test #1: Access Token Manipulation [windows]
@@ -15717,13 +15717,46 @@ defense-evasion:
      supported_platforms:
      - windows
      executor:
-        command: "fsutil behavior set SymlinkEvaluation R2L:1 \nfsutil behavior set
-          SymlinkEvaluation R2R:1\n"
+        command: |
+          fsutil behavior set SymlinkEvaluation R2L:1
+          fsutil behavior set SymlinkEvaluation R2R:1
        cleanup_command: |
          fsutil behavior set SymlinkEvaluation R2L:0
          fsutil behavior set SymlinkEvaluation R2R:0
        name: command_prompt
        elevation_required: true
+    - name: Enable Local and Remote Symbolic Links via reg.exe
+      auto_generated_guid: 78bef0d4-57fb-417d-a67a-b75ae02ea3ab
+      description: |
+        Use reg.exe to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
+        [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d "1" /f
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d "1" /f
+        cleanup_command: |
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d "0" /f
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d "0" /f
+        name: command_prompt
+        elevation_required: true
+    - name: Enable Local and Remote Symbolic Links via Powershell
+      auto_generated_guid: 6cd715aa-20ac-4be1-a8f1-dda7bae160bd
+      description: |
+        Use Powershell to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
+        [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore
+          New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore
+        cleanup_command: |
+          New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore
+          New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
  T1548:
    technique:
      modified: '2024-04-15T20:52:09.908Z'
@@ -12786,13 +12786,46 @@ defense-evasion:
      supported_platforms:
      - windows
      executor:
-        command: "fsutil behavior set SymlinkEvaluation R2L:1 \nfsutil behavior set
-          SymlinkEvaluation R2R:1\n"
+        command: |
+          fsutil behavior set SymlinkEvaluation R2L:1
+          fsutil behavior set SymlinkEvaluation R2R:1
        cleanup_command: |
          fsutil behavior set SymlinkEvaluation R2L:0
          fsutil behavior set SymlinkEvaluation R2R:0
        name: command_prompt
        elevation_required: true
+    - name: Enable Local and Remote Symbolic Links via reg.exe
+      auto_generated_guid: 78bef0d4-57fb-417d-a67a-b75ae02ea3ab
+      description: |
+        Use reg.exe to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
+        [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d "1" /f
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d "1" /f
+        cleanup_command: |
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d "0" /f
+          reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d "0" /f
+        name: command_prompt
+        elevation_required: true
+    - name: Enable Local and Remote Symbolic Links via Powershell
+      auto_generated_guid: 6cd715aa-20ac-4be1-a8f1-dda7bae160bd
+      description: |
+        Use Powershell to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
+        [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore
+          New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore
+        cleanup_command: |
+          New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore
+          New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
  T1548:
    technique:
      modified: '2024-04-15T20:52:09.908Z'
@@ -10,6 +10,10 @@ Adversaries may also change permissions of symbolic links. For example, malware

 - [Atomic Test #1 - Enable Local and Remote Symbolic Links via fsutil](#atomic-test-1---enable-local-and-remote-symbolic-links-via-fsutil)

+- [Atomic Test #2 - Enable Local and Remote Symbolic Links via reg.exe](#atomic-test-2---enable-local-and-remote-symbolic-links-via-regexe)
+
+- [Atomic Test #3 - Enable Local and Remote Symbolic Links via Powershell](#atomic-test-3---enable-local-and-remote-symbolic-links-via-powershell)
+

 <br/>

@@ -31,7 +35,7 @@ Use fsutil to enable both ‘remote to local’ and ‘remote to remote’ symbo


 ```cmd
-fsutil behavior set SymlinkEvaluation R2L:1 
+fsutil behavior set SymlinkEvaluation R2L:1
 fsutil behavior set SymlinkEvaluation R2R:1
 ```

@@ -45,4 +49,74 @@ fsutil behavior set SymlinkEvaluation R2R:0



+<br/>
+<br/>
+
+## Atomic Test #2 - Enable Local and Remote Symbolic Links via reg.exe
+Use reg.exe to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
+[reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 78bef0d4-57fb-417d-a67a-b75ae02ea3ab
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d "1" /f
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d "1" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d "0" /f
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d "0" /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Enable Local and Remote Symbolic Links via Powershell
+Use Powershell to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
+[reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 6cd715aa-20ac-4be1-a8f1-dda7bae160bd
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore
+New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore
+```
+
+#### Cleanup Commands:
+```powershell
+New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore
+New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>
@@ -18,6 +18,7 @@ atomic_tests:
    name: command_prompt
    elevation_required: true
 - name: Enable Local and Remote Symbolic Links via reg.exe
+  auto_generated_guid: 78bef0d4-57fb-417d-a67a-b75ae02ea3ab
  description: |
    Use reg.exe to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
    [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
@@ -33,6 +34,7 @@ atomic_tests:
    name: command_prompt
    elevation_required: true
 - name: Enable Local and Remote Symbolic Links via Powershell
+  auto_generated_guid: 6cd715aa-20ac-4be1-a8f1-dda7bae160bd
  description: |
    Use Powershell to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
    [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
@@ -1696,3 +1696,5 @@ de323a93-2f18-4bd5-ba60-d6fca6aeff76
 401667dc-05a6-4da0-a2a7-acfe4819559c
 205e676e-0401-4bae-83a5-94b8c5daeb22
 3d25f1f2-55cb-4a41-a523-d17ad4cfba19
+78bef0d4-57fb-417d-a67a-b75ae02ea3ab
+6cd715aa-20ac-4be1-a8f1-dda7bae160bd