harshalcoep
17b0ff7915
We have added a new atomic test with guid ffcbfaab-c9ff-470b-928c-f086b326089b that sets two registry keys HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption and HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeText to display a ransom message. While executing this atomic test, the value for these registries can be configured using the switch -PromptForInputArgs. This technique has been used by many ransomwares in the past including SynAck, Grief, Maze, Pysa, Spook, DopplePaymer, Reedemer and Kangaroo. After encrypting files, ransomwares modify the Windows LegalNoticeCaption and LegalNoticeText registry keys to display a ransom message to victim at logon.
Atomic Red Team
Atomic Red Team™ is a library of tests mapped to the MITRE ATT&CK® framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments.
Get started
You can execute atomic tests directly from the command line, no installation required. See the Getting started page of our wiki.
For a more robust testing experience, consider using an execution framework like Invoke-Atomic.
Learn more
The Atomic Red Team documentation is available as a wiki.
For information about the philosophy and development of Atomic Red Team, visit our website at https://atomicredteam.io.
Contribute to Atomic Red Team
Atomic Red Team is open source and community developed. If you're interested in becoming a contributor, check out these resources:
- Join our Slack workspace and get involved with the community. Don't forget to review the code of conduct before you join.
- Report bugs and request new features by submitting an issue.
- Read our contribution guide for more information about contributing directly to this repository.
- Check the license for information regarding the distribution and modification of Atomic Red Team.