attack_technique: T1222
display_name: 'File and Directory Permissions Modification'
atomic_tests:
- name: Enable Local and Remote Symbolic Links via fsutil
  auto_generated_guid: 6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02
  description: |
    Use fsutil to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
    [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
  supported_platforms:
  - windows
  executor:
    command: |
      fsutil behavior set SymlinkEvaluation R2L:1
      fsutil behavior set SymlinkEvaluation R2R:1
    cleanup_command: |
      fsutil behavior set SymlinkEvaluation R2L:0
      fsutil behavior set SymlinkEvaluation R2R:0
    name: command_prompt
    elevation_required: true
- name: Enable Local and Remote Symbolic Links via reg.exe
  auto_generated_guid: 78bef0d4-57fb-417d-a67a-b75ae02ea3ab
  description: |
    Use reg.exe to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
    [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d "1" /f
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d "1" /f
    cleanup_command: |
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d "0" /f
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d "0" /f
    name: command_prompt
    elevation_required: true
- name: Enable Local and Remote Symbolic Links via Powershell
  auto_generated_guid: 6cd715aa-20ac-4be1-a8f1-dda7bae160bd
  description: |
    Use Powershell to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
    [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
  supported_platforms:
  - windows
  executor:
    command: |
      New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore
      New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore
    cleanup_command: |
      New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore
      New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore
    name: powershell
    elevation_required: true