From c7d7cc8203f160a7864284c0664e17f1ff875ad5 Mon Sep 17 00:00:00 2001
From: Matt Anderson <75185144+MATTANDERS0N@users.noreply.github.com>
Date: Tue, 19 Nov 2024 18:05:49 -0600
Subject: [PATCH] Add tests to T1222 (#2980)
* Add tests to T1222 * Update T1222.yaml Remove Auto-gen GUIDs * Update T1222.yaml Fixed executor name for test 3 and removed colons in reg path causing errors in test 2. --------- Co-authored-by: Bhavin Patel
---
 atomics/T1222/T1222.yaml | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/atomics/T1222/T1222.yaml b/atomics/T1222/T1222.yaml
index 265a04a842..b83865b562 100644
--- a/atomics/T1222/T1222.yaml
+++ b/atomics/T1222/T1222.yaml
@@ -10,10 +10,40 @@ atomic_tests:
 - windows
 executor:
 command: |
- fsutil behavior set SymlinkEvaluation R2L:1
+ fsutil behavior set SymlinkEvaluation R2L:1
 fsutil behavior set SymlinkEvaluation R2R:1
 cleanup_command: |
 fsutil behavior set SymlinkEvaluation R2L:0
 fsutil behavior set SymlinkEvaluation R2R:0
 name: command_prompt
 elevation_required: true
+- name: Enable Local and Remote Symbolic Links via reg.exe
+ description: |
+ Use reg.exe to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
+ [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d "1" /f
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d "1" /f
+ cleanup_command: |
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToLocalEvaluation /t REG_DWORD /d "0" /f
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v SymlinkRemoteToRemoteEvaluation /t REG_DWORD /d "0" /f
+ name: command_prompt
+ elevation_required: true
+- name: Enable Local and Remote Symbolic Links via Powershell
+ description: |
+ Use Powershell to enable both ‘remote to local’ and ‘remote to remote’ symbolic links. This allows access to files from local shortcuts with local or remote paths.
+ [reference](https://symantec-enterprise-blogs.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware/)
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore
+ New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 1 -Force -ErrorAction Ignore
+ cleanup_command: |
+ New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToLocalEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore
+ New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Name SymlinkRemoteToRemoteEvaluation -PropertyType DWORD -Value 0 -Force -ErrorAction Ignore
+ name: powershell
+ elevation_required: true
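Review bot: In the third test (the Powershell executor at the end of the hunk), `-ErrorAction Ignore` on each `New-ItemProperty` call hides the failure that occurs when `HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS` does not exist — as far as I know `-Force` overwrites an existing value but does not create missing parent keys — so on a host without that policy key the test reports success without changing any setting. Creating the key first, e.g. `New-Item -Path HKLM:\Software\Policies\Microsoft\Windows\Filesystems\NTFS -Force | Out-Null`, and dropping `-ErrorAction Ignore` would make a failed write visible to the runner. The same applies to that test's cleanup_command, and in both new tests cleanup writes 0 instead of restoring the pre-test state: if the value (or, for test 3, the whole policy key) was absent before the test, cleanup leaves it behind, so `Remove-ItemProperty` for test 3 and `reg delete "<key from the command>" /v <value name> /f` for test 2 would be a truer revert. A sentence in each description noting that the two tests write to different locations (the FileSystem control key versus the NTFS policy key) would help readers building detections tell the two apart.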