Generated docs from job=generate-docs branch=master [ci skip]

jynychen · Jul 17, 2024 · 7512f4a · 7512f4a
1 parent ef6b035
commit 7512f4a
Show file tree

Hide file tree

Showing 12 changed files with 106 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1605-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1606-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
@@ -338,6 +338,7 @@ defense-evasion,T1112,Modify Registry,81,Modify UseTPMKeyPIN Registry entry,02d8
 defense-evasion,T1112,Modify Registry,82,Modify EnableNonTPM Registry entry,e672a340-a933-447c-954c-d68db38a09b1,command_prompt
 defense-evasion,T1112,Modify Registry,83,Modify UsePartialEncryptionKey Registry entry,b5169fd5-85c8-4b2c-a9b6-64cc0b9febef,command_prompt
 defense-evasion,T1112,Modify Registry,84,Modify UsePIN Registry entry,3ac0b30f-532f-43c6-8f01-fb657aaed7e4,command_prompt
+defense-evasion,T1112,Modify Registry,85,Abusing Windows TelemetryController Registry Key for Persistence,4469192c-2d2d-4a3a-9758-1f31d937a92b,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh

diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -240,6 +240,7 @@ defense-evasion,T1112,Modify Registry,81,Modify UseTPMKeyPIN Registry entry,02d8
 defense-evasion,T1112,Modify Registry,82,Modify EnableNonTPM Registry entry,e672a340-a933-447c-954c-d68db38a09b1,command_prompt
 defense-evasion,T1112,Modify Registry,83,Modify UsePartialEncryptionKey Registry entry,b5169fd5-85c8-4b2c-a9b6-64cc0b9febef,command_prompt
 defense-evasion,T1112,Modify Registry,84,Modify UsePIN Registry entry,3ac0b30f-532f-43c6-8f01-fb657aaed7e4,command_prompt
+defense-evasion,T1112,Modify Registry,85,Abusing Windows TelemetryController Registry Key for Persistence,4469192c-2d2d-4a3a-9758-1f31d937a92b,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell

diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
@@ -411,6 +411,7 @@
   - Atomic Test #82: Modify EnableNonTPM Registry entry [windows]
   - Atomic Test #83: Modify UsePartialEncryptionKey Registry entry [windows]
   - Atomic Test #84: Modify UsePIN Registry entry [windows]
+  - Atomic Test #85: Abusing Windows TelemetryController Registry Key for Persistence [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
   - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -299,6 +299,7 @@
   - Atomic Test #82: Modify EnableNonTPM Registry entry [windows]
   - Atomic Test #83: Modify UsePartialEncryptionKey Registry entry [windows]
   - Atomic Test #84: Modify UsePIN Registry entry [windows]
+  - Atomic Test #85: Abusing Windows TelemetryController Registry Key for Persistence [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
   - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
@@ -14226,6 +14226,34 @@ defense-evasion:
           '
         name: command_prompt
         elevation_required: true
+    - name: Abusing Windows TelemetryController Registry Key for Persistence
+      auto_generated_guid: 4469192c-2d2d-4a3a-9758-1f31d937a92b
+      description: "The Windows Compatibility Telemetry system makes use of the CompatTelRunner.exe
+        binary to run a variety of telemetry tasks. It relies on the registry for
+        instructions on which commands to run. \nIt will run any arbitrary command
+        without restriction of location or type. Blog :https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        new_key:
+          description: New Registry Key Added
+          type: string
+          default: NewKey
+        new_executable:
+          description: Custom Executable to run
+          type: string
+          default: C:\Windows\System32\notepad.exe
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\#{new_key}"
+          /t REG_SZ /v Command /d #{new_executable} /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\#{new_key}"
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
   T1574.008:
     technique:
       modified: '2023-05-09T14:00:00.188Z'

diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
@@ -11580,6 +11580,34 @@ defense-evasion:
           '
         name: command_prompt
         elevation_required: true
+    - name: Abusing Windows TelemetryController Registry Key for Persistence
+      auto_generated_guid: 4469192c-2d2d-4a3a-9758-1f31d937a92b
+      description: "The Windows Compatibility Telemetry system makes use of the CompatTelRunner.exe
+        binary to run a variety of telemetry tasks. It relies on the registry for
+        instructions on which commands to run. \nIt will run any arbitrary command
+        without restriction of location or type. Blog :https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        new_key:
+          description: New Registry Key Added
+          type: string
+          default: NewKey
+        new_executable:
+          description: Custom Executable to run
+          type: string
+          default: C:\Windows\System32\notepad.exe
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\#{new_key}"
+          /t REG_SZ /v Command /d #{new_executable} /f
+
+          '
+        cleanup_command: 'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\#{new_key}"
+          /f
+
+          '
+        name: command_prompt
+        elevation_required: true
   T1574.008:
     technique:
       modified: '2023-05-09T14:00:00.188Z'

diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md
@@ -178,6 +178,8 @@ The Registry of a remote system may be modified to aid in execution of files as
 
 - [Atomic Test #84 - Modify UsePIN Registry entry](#atomic-test-84---modify-usepin-registry-entry)
 
+- [Atomic Test #85 - Abusing Windows TelemetryController Registry Key for Persistence](#atomic-test-85---abusing-windows-telemetrycontroller-registry-key-for-persistence)
+
 
 <br/>
 
@@ -3065,4 +3067,43 @@ reg delete "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /f
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #85 - Abusing Windows TelemetryController Registry Key for Persistence
+The Windows Compatibility Telemetry system makes use of the CompatTelRunner.exe binary to run a variety of telemetry tasks. It relies on the registry for instructions on which commands to run. 
+It will run any arbitrary command without restriction of location or type. Blog :https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4469192c-2d2d-4a3a-9758-1f31d937a92b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| new_key | New Registry Key Added | string | NewKey|
+| new_executable | Custom Executable to run | string | C:&#92;Windows&#92;System32&#92;notepad.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\#{new_key}" /t REG_SZ /v Command /d #{new_executable} /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\#{new_key}" /f
+```
+
+
+
+
+
 <br/>
diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
@@ -1278,6 +1278,7 @@ atomic_tests:
     name: command_prompt
     elevation_required: true
 - name: Abusing Windows TelemetryController Registry Key for Persistence
+  auto_generated_guid: 4469192c-2d2d-4a3a-9758-1f31d937a92b
   description: |
     The Windows Compatibility Telemetry system makes use of the CompatTelRunner.exe binary to run a variety of telemetry tasks. It relies on the registry for instructions on which commands to run. 
     It will run any arbitrary command without restriction of location or type. Blog :https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence

diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
@@ -1644,3 +1644,4 @@ ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5
 6e1666d5-3f2b-4b9a-80aa-f011322380d4
 b051b3c0-66e7-4a81-916d-e6383bd3a669
 91580da6-bc6e-431b-8b88-ac77180005f2
+4469192c-2d2d-4a3a-9758-1f31d937a92b