Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -54,6 +54,7 @@ defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
+defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,24,Disable UAC - Switch to the secure desktop when prompting for elevation via registry key,85f3a526-4cfa-4fe7-98c1-dea99be025c7,powershell
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
@@ -560,6 +561,7 @@ privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Ac
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
+privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,24,Disable UAC - Switch to the secure desktop when prompting for elevation via registry key,85f3a526-4cfa-4fe7-98c1-dea99be025c7,powershell
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
@@ -833,6 +835,7 @@ execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,2,W
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,5,Command Prompt read contents from CMD file and execute,df81db1b-066c-4802-9bc8-b6d030c3ba8e,command_prompt
+execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,6,Command prompt writing script to file then executes it,00682c9f-7df4-4df8-950b-6dcaaa3ad9af,command_prompt
 execution,T1059.005,Command and Scripting Interpreter: Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
 execution,T1059.005,Command and Scripting Interpreter: Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
 execution,T1059.005,Command and Scripting Interpreter: Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -37,6 +37,7 @@ defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
+defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,24,Disable UAC - Switch to the secure desktop when prompting for elevation via registry key,85f3a526-4cfa-4fe7-98c1-dea99be025c7,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
@@ -395,6 +396,7 @@ privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Ac
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
+privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,24,Disable UAC - Switch to the secure desktop when prompting for elevation via registry key,85f3a526-4cfa-4fe7-98c1-dea99be025c7,powershell
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
@@ -576,6 +578,7 @@ execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,2,W
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell
 execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,5,Command Prompt read contents from CMD file and execute,df81db1b-066c-4802-9bc8-b6d030c3ba8e,command_prompt
+execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,6,Command prompt writing script to file then executes it,00682c9f-7df4-4df8-950b-6dcaaa3ad9af,command_prompt
 execution,T1059.005,Command and Scripting Interpreter: Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
 execution,T1059.005,Command and Scripting Interpreter: Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
 execution,T1059.005,Command and Scripting Interpreter: Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -75,6 +75,7 @@
   - Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
   - Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
   - Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
+  - Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows]
 - T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
   - Atomic Test #1: Sudo usage [macos, linux]
@@ -805,6 +806,7 @@
   - Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
   - Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
   - Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
+  - Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows]
 - [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
   - Atomic Test #1: Sudo usage [macos, linux]
   - Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
@@ -1242,6 +1244,7 @@
   - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
   - Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows]
   - Atomic Test #5: Command Prompt read contents from CMD file and execute [windows]
+  - Atomic Test #6: Command prompt writing script to file then executes it [windows]
 - T1223 Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1651 Cloud Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1059.005 Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -53,6 +53,7 @@
   - Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
   - Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
   - Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
+  - Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows]
 - T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
@@ -586,6 +587,7 @@
   - Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
   - Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
   - Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
+  - Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows]
 - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
   - Atomic Test #1: Service Registry Permissions Weakness [windows]
   - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
@@ -878,6 +880,7 @@
   - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
   - Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows]
   - Atomic Test #5: Command Prompt read contents from CMD file and execute [windows]
+  - Atomic Test #6: Command prompt writing script to file then executes it [windows]
 - T1223 Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1059.005 Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md)
   - Atomic Test #1: Visual Basic script execution to gather local computer information [windows]

atomics/Indexes/index.yaml

@@ -2858,6 +2858,26 @@ defense-evasion:
 
           '
         name: powershell
+    - name: Disable UAC - Switch to the secure desktop when prompting for elevation
+        via registry key
+      auto_generated_guid: 85f3a526-4cfa-4fe7-98c1-dea99be025c7
+      description: "User Account Control (UAC) is a security mechanism for limiting
+        the elevation of privileges, including administrative accounts, unless authorized.
+        \nThis setting ensures that the elevation prompt is only used in secure desktop
+        mode.\nDisable User Account Conrol (UAC) for secure desktop by setting the
+        registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop
+        to 0.\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+          -Name PromptOnSecureDesktop -Value 0 -Type Dword -Force
+        cleanup_command: 'Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+          -Name PromptOnSecureDesktop -Value 1 -Type Dword -Force
+
+          '
+        name: powershell
+        elevation_required: true
   T1099:
     technique:
       x_mitre_platforms:
@@ -32744,6 +32764,26 @@ privilege-escalation:
 
           '
         name: powershell
+    - name: Disable UAC - Switch to the secure desktop when prompting for elevation
+        via registry key
+      auto_generated_guid: 85f3a526-4cfa-4fe7-98c1-dea99be025c7
+      description: "User Account Control (UAC) is a security mechanism for limiting
+        the elevation of privileges, including administrative accounts, unless authorized.
+        \nThis setting ensures that the elevation prompt is only used in secure desktop
+        mode.\nDisable User Account Conrol (UAC) for secure desktop by setting the
+        registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop
+        to 0.\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+          -Name PromptOnSecureDesktop -Value 0 -Type Dword -Force
+        cleanup_command: 'Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+          -Name PromptOnSecureDesktop -Value 1 -Type Dword -Force
+
+          '
+        name: powershell
+        elevation_required: true
   T1548.003:
     technique:
       x_mitre_platforms:
@@ -52863,6 +52903,29 @@ execution:
           '
         name: command_prompt
         elevation_required: false
+    - name: Command prompt writing script to file then executes it
+      auto_generated_guid: '00682c9f-7df4-4df8-950b-6dcaaa3ad9af'
+      description: |2-
+            Simulate DarkGate malware's second stage by writing a VBscript to disk directly from the command prompt then executing it.
+            The script will execute 'whoami' then exit.
+      supported_platforms:
+      - windows
+      input_arguments:
+        script_path:
+          description: Path in which the script will be written.
+          type: path
+          default: "%TEMP%\\"
+        script_name:
+          description: Script name (without the extension)
+          type: string
+          default: AtomicTest
+      executor:
+        command: ' c:\windows\system32\cmd.exe /c cd /d #{script_path} & echo Set
+          objShell = CreateObject("WScript.Shell"):Set objExec = objShell.Exec("whoami"):Set
+          objExec = Nothing:Set objShell = Nothing > #{script_name}.vbs & #{script_name}.vbs'
+        cleanup_command: del "#{script_name}.vbs" >nul 2>&1
+        name: command_prompt
+        elevation_required: true
   T1223:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -2312,6 +2312,26 @@ defense-evasion:
 
           '
         name: powershell
+    - name: Disable UAC - Switch to the secure desktop when prompting for elevation
+        via registry key
+      auto_generated_guid: 85f3a526-4cfa-4fe7-98c1-dea99be025c7
+      description: "User Account Control (UAC) is a security mechanism for limiting
+        the elevation of privileges, including administrative accounts, unless authorized.
+        \nThis setting ensures that the elevation prompt is only used in secure desktop
+        mode.\nDisable User Account Conrol (UAC) for secure desktop by setting the
+        registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop
+        to 0.\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+          -Name PromptOnSecureDesktop -Value 0 -Type Dword -Force
+        cleanup_command: 'Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+          -Name PromptOnSecureDesktop -Value 1 -Type Dword -Force
+
+          '
+        name: powershell
+        elevation_required: true
   T1099:
     technique:
       x_mitre_platforms:
@@ -28146,6 +28166,26 @@ privilege-escalation:
 
           '
         name: powershell
+    - name: Disable UAC - Switch to the secure desktop when prompting for elevation
+        via registry key
+      auto_generated_guid: 85f3a526-4cfa-4fe7-98c1-dea99be025c7
+      description: "User Account Control (UAC) is a security mechanism for limiting
+        the elevation of privileges, including administrative accounts, unless authorized.
+        \nThis setting ensures that the elevation prompt is only used in secure desktop
+        mode.\nDisable User Account Conrol (UAC) for secure desktop by setting the
+        registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop
+        to 0.\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+          -Name PromptOnSecureDesktop -Value 0 -Type Dword -Force
+        cleanup_command: 'Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+          -Name PromptOnSecureDesktop -Value 1 -Type Dword -Force
+
+          '
+        name: powershell
+        elevation_required: true
   T1548.003:
     technique:
       x_mitre_platforms:
@@ -45519,6 +45559,29 @@ execution:
           '
         name: command_prompt
         elevation_required: false
+    - name: Command prompt writing script to file then executes it
+      auto_generated_guid: '00682c9f-7df4-4df8-950b-6dcaaa3ad9af'
+      description: |2-
+            Simulate DarkGate malware's second stage by writing a VBscript to disk directly from the command prompt then executing it.
+            The script will execute 'whoami' then exit.
+      supported_platforms:
+      - windows
+      input_arguments:
+        script_path:
+          description: Path in which the script will be written.
+          type: path
+          default: "%TEMP%\\"
+        script_name:
+          description: Script name (without the extension)
+          type: string
+          default: AtomicTest
+      executor:
+        command: ' c:\windows\system32\cmd.exe /c cd /d #{script_path} & echo Set
+          objShell = CreateObject("WScript.Shell"):Set objExec = objShell.Exec("whoami"):Set
+          objExec = Nothing:Set objShell = Nothing > #{script_name}.vbs & #{script_name}.vbs'
+        cleanup_command: del "#{script_name}.vbs" >nul 2>&1
+        name: command_prompt
+        elevation_required: true
   T1223:
     technique:
       x_mitre_platforms: