security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1222/T1222.yaml
T
Atomic Red Team doc generator e1c3f63bf9 Generated docs from job=generate-docs branch=master [ci skip]
2024-11-20 00:06:48 +00:00

52 lines
3.2 KiB
YAML
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
attack_technique: T1222
display_name: 'File and Directory Permissions Modification'
atomic_tests:
- name: Enable Local and Remote Symbolic Links via fsutil
auto_generated_guid: 6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02
description: |
Use fsutil to enable both remote to local and remote to remote symbolic links. This allows access to files from local shortcuts with local or remote paths.
[reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
supported_platforms:
- windows
executor:
command: |
fsutil behavior set SymlinkEvaluation R2L:1
fsutil behavior set SymlinkEvaluation R2R:1
cleanup_command: |
fsutil behavior set SymlinkEvaluation R2L:0
fsutil behavior set SymlinkEvaluation R2R:0
name: command_prompt
elevation_required: true
- name: Enable Local and Remote Symbolic Links via reg.exe
auto_generated_guid: 78bef0d4-57fb-417d-a67a-b75ae02ea3ab
description: |
Use reg.exe to enable both remote to local and remote to remote symbolic links. This allows access to files from local shortcuts with local or remote paths.
[reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d "1" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d "1" /f
cleanup_command: |
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d "0" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d "0" /f
name: command_prompt
elevation_required: true
- name: Enable Local and Remote Symbolic Links via Powershell
auto_generated_guid: 6cd715aa-20ac-4be1-a8f1-dda7bae160bd
description: |
Use Powershell to enable both remote to local and remote to remote symbolic links. This allows access to files from local shortcuts with local or remote paths.
[reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
supported_platforms:
- windows
executor:
command: |
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore
cleanup_command: |
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore
name: powershell
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink