Generated docs from job=generate-docs branch=master [ci skip]

2024-07-24 02:21:57 +00:00
parent bd13bcbaec
commit e1feb2c7a5
12 changed files with 120 additions and 3 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1611-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1612-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -845,6 +845,7 @@ privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom A
 privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 privilege-escalation,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
+privilege-escalation,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,3,Add command to .shrc,41502021-591a-4649-8b6e-83c9192aff53,sh
@@ -1199,6 +1200,7 @@ persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDL
 persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 persistence,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
+persistence,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,3,Add command to .shrc,41502021-591a-4649-8b6e-83c9192aff53,sh
@@ -587,6 +587,7 @@ privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom A
 privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 privilege-escalation,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
+privilege-escalation,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
 privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
@@ -817,6 +818,7 @@ persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDL
 persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
 persistence,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
+persistence,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
 persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
@@ -1118,6 +1118,7 @@
  - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
  - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
  - Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
+  - Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
 - [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
  - Atomic Test #1: Add command to .bash_profile [macos, linux]
  - Atomic Test #2: Add command to .bashrc [macos, linux]
@@ -1629,6 +1630,7 @@
  - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
  - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
  - Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
+  - Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
 - [T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md)
  - Atomic Test #1: Add command to .bash_profile [macos, linux]
  - Atomic Test #2: Add command to .bashrc [macos, linux]
@@ -795,6 +795,7 @@
  - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
  - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
  - Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
+  - Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
 - [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
  - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
@@ -1134,6 +1135,7 @@
  - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
  - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
  - Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
+  - Atomic Test #5: Adding custom debugger for Windows Error Reporting [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
  - Atomic Test #1: Authentication Package [windows]
 - [T1546.015 Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md)
@@ -45108,6 +45108,24 @@ privilege-escalation:
          \    Write-Host \"Failed to start the process. Error code: $($Result.ReturnValue)\"\n
          }\n\n # Clean up the CIM session\n Remove-CimSession -CimSession $CimSession
          \n"
+    - name: Adding custom debugger for Windows Error Reporting
+      auto_generated_guid: 17d1a3cc-3373-495a-857a-e5dd005fb302
+      description: |
+        When applications hang, the Windows Error Reporting framework allows us to attach a debugger, if it is set up in the Registry.
+        Adding executable of choice will let the executable to auto-execute when during any application crash due to functioning of WER framework
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs"
+          /v Debugger /t REG_SZ /d "C:\Windows\System32\notepad.exe" /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows\Windows Error
+          Reporting\Hangs" /v Debugger /f
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1546.004:
    technique:
      x_mitre_platforms:
@@ -68696,6 +68714,24 @@ persistence:
          \    Write-Host \"Failed to start the process. Error code: $($Result.ReturnValue)\"\n
          }\n\n # Clean up the CIM session\n Remove-CimSession -CimSession $CimSession
          \n"
+    - name: Adding custom debugger for Windows Error Reporting
+      auto_generated_guid: 17d1a3cc-3373-495a-857a-e5dd005fb302
+      description: |
+        When applications hang, the Windows Error Reporting framework allows us to attach a debugger, if it is set up in the Registry.
+        Adding executable of choice will let the executable to auto-execute when during any application crash due to functioning of WER framework
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs"
+          /v Debugger /t REG_SZ /d "C:\Windows\System32\notepad.exe" /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows\Windows Error
+          Reporting\Hangs" /v Debugger /f
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1546.004:
    technique:
      x_mitre_platforms:
@@ -37514,6 +37514,24 @@ privilege-escalation:
          \    Write-Host \"Failed to start the process. Error code: $($Result.ReturnValue)\"\n
          }\n\n # Clean up the CIM session\n Remove-CimSession -CimSession $CimSession
          \n"
+    - name: Adding custom debugger for Windows Error Reporting
+      auto_generated_guid: 17d1a3cc-3373-495a-857a-e5dd005fb302
+      description: |
+        When applications hang, the Windows Error Reporting framework allows us to attach a debugger, if it is set up in the Registry.
+        Adding executable of choice will let the executable to auto-execute when during any application crash due to functioning of WER framework
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs"
+          /v Debugger /t REG_SZ /d "C:\Windows\System32\notepad.exe" /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows\Windows Error
+          Reporting\Hangs" /v Debugger /f
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1546.004:
    technique:
      x_mitre_platforms:
@@ -56825,6 +56843,24 @@ persistence:
          \    Write-Host \"Failed to start the process. Error code: $($Result.ReturnValue)\"\n
          }\n\n # Clean up the CIM session\n Remove-CimSession -CimSession $CimSession
          \n"
+    - name: Adding custom debugger for Windows Error Reporting
+      auto_generated_guid: 17d1a3cc-3373-495a-857a-e5dd005fb302
+      description: |
+        When applications hang, the Windows Error Reporting framework allows us to attach a debugger, if it is set up in the Registry.
+        Adding executable of choice will let the executable to auto-execute when during any application crash due to functioning of WER framework
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs"
+          /v Debugger /t REG_SZ /d "C:\Windows\System32\notepad.exe" /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\Software\Microsoft\Windows\Windows Error
+          Reporting\Hangs" /v Debugger /f
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1546.004:
    technique:
      x_mitre_platforms:
@@ -16,6 +16,8 @@ Since the execution can be proxied by an account with higher permissions, such a

 - [Atomic Test #4 - WMI Invoke-CimMethod Start Process](#atomic-test-4---wmi-invoke-cimmethod-start-process)

+- [Atomic Test #5 - Adding custom debugger for Windows Error Reporting](#atomic-test-5---adding-custom-debugger-for-windows-error-reporting)
+

 <br/>

@@ -205,4 +207,37 @@ A successful execution will stdout that the process started. On the remote endpo



+<br/>
+<br/>
+
+## Atomic Test #5 - Adding custom debugger for Windows Error Reporting
+When applications hang, the Windows Error Reporting framework allows us to attach a debugger, if it is set up in the Registry.
+Adding executable of choice will let the executable to auto-execute when during any application crash due to functioning of WER framework
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 17d1a3cc-3373-495a-857a-e5dd005fb302
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs" /v Debugger /t REG_SZ /d "C:\Windows\System32\notepad.exe" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs" /v Debugger /f
+```
+
+
+
+
+
 <br/>
@@ -122,6 +122,7 @@ atomic_tests:
        # Clean up the CIM session
        Remove-CimSession -CimSession $CimSession 
 - name: Adding custom debugger for Windows Error Reporting
+  auto_generated_guid: 17d1a3cc-3373-495a-857a-e5dd005fb302
  description: |
    When applications hang, the Windows Error Reporting framework allows us to attach a debugger, if it is set up in the Registry.
    Adding executable of choice will let the executable to auto-execute when during any application crash due to functioning of WER framework
@@ -1650,3 +1650,4 @@ c691cee2-8d17-4395-b22f-00644c7f1c2d
 f2915249-4485-42e2-96b7-9bf34328d497
 3235aafe-b49d-451b-a1f1-d979fa65ddaf
 599f3b5c-0323-44ed-bb63-4551623bf675
+17d1a3cc-3373-495a-857a-e5dd005fb302