Add tests to T1222 (#2980)

* Add tests to T1222 * Update T1222.yaml Remove Auto-gen GUIDs * Update T1222.yaml Fixed executor name for test 3 and removed colons in reg path causing errors in test 2. --------- Co-authored-by: Bhavin Patel <[email protected]>
redcanaryco · Nov 20, 2024 · c7d7cc8 · c7d7cc8
1 parent f30d605
commit c7d7cc8
Showing 1 changed file with 31 additions and 1 deletion.
diff --git a/atomics/T1222/T1222.yaml b/atomics/T1222/T1222.yaml
@@ -10,10 +10,40 @@ atomic_tests:
   - windows
   executor:
     command: |
-      fsutil behavior set SymlinkEvaluation R2L:1 
+      fsutil behavior set SymlinkEvaluation R2L:1
       fsutil behavior set SymlinkEvaluation R2R:1
     cleanup_command: |
       fsutil behavior set SymlinkEvaluation R2L:0
       fsutil behavior set SymlinkEvaluation R2R:0
     name: command_prompt
     elevation_required: true
+- name: Enable Local and Remote Symbolic Links via reg.exe
+  description: |
+    Use reg.exe to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
+    [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d "1" /f
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d "1" /f
+    cleanup_command: |
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d "0" /f
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d "0" /f
+    name: command_prompt
+    elevation_required: true
+- name: Enable Local and Remote Symbolic Links via Powershell
+  description: |
+    Use Powershell to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
+    [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore
+      New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore
+    cleanup_command: |
+      New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore
+      New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore
+    name: powershell
+    elevation_required: true