Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -60,6 +60,8 @@ defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,24,Disable UAC - Switch to the secure desktop when prompting for elevation via registry key,85f3a526-4cfa-4fe7-98c1-dea99be025c7,powershell
+defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,25,Disable UAC notification via registry keys,160a7c77-b00e-4111-9e45-7c2a44eda3fd,command_prompt
+defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,26,Disable ConsentPromptBehaviorAdmin via registry keys,a768aaa2-2442-475c-8990-69cf33af0f4e,command_prompt
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Sudo usage (freebsd),2bf9a018-4664-438a-b435-cc6f8c6f71b1,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
@@ -627,6 +629,8 @@ privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Ac
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,24,Disable UAC - Switch to the secure desktop when prompting for elevation via registry key,85f3a526-4cfa-4fe7-98c1-dea99be025c7,powershell
+privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,25,Disable UAC notification via registry keys,160a7c77-b00e-4111-9e45-7c2a44eda3fd,command_prompt
+privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,26,Disable ConsentPromptBehaviorAdmin via registry keys,a768aaa2-2442-475c-8990-69cf33af0f4e,command_prompt
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Sudo usage (freebsd),2bf9a018-4664-438a-b435-cc6f8c6f71b1,sh
 privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -39,6 +39,8 @@ defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,24,Disable UAC - Switch to the secure desktop when prompting for elevation via registry key,85f3a526-4cfa-4fe7-98c1-dea99be025c7,powershell
+defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,25,Disable UAC notification via registry keys,160a7c77-b00e-4111-9e45-7c2a44eda3fd,command_prompt
+defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,26,Disable ConsentPromptBehaviorAdmin via registry keys,a768aaa2-2442-475c-8990-69cf33af0f4e,command_prompt
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
@@ -428,6 +430,8 @@ privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Ac
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
 privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,24,Disable UAC - Switch to the secure desktop when prompting for elevation via registry key,85f3a526-4cfa-4fe7-98c1-dea99be025c7,powershell
+privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,25,Disable UAC notification via registry keys,160a7c77-b00e-4111-9e45-7c2a44eda3fd,command_prompt
+privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,26,Disable ConsentPromptBehaviorAdmin via registry keys,a768aaa2-2442-475c-8990-69cf33af0f4e,command_prompt
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -76,6 +76,8 @@
   - Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
   - Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
   - Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows]
+  - Atomic Test #25: Disable UAC notification via registry keys [windows]
+  - Atomic Test #26: Disable ConsentPromptBehaviorAdmin via registry keys [windows]
 - [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
   - Atomic Test #1: Sudo usage [macos, linux]
   - Atomic Test #2: Sudo usage (freebsd) [linux]
@@ -830,6 +832,8 @@
   - Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
   - Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
   - Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows]
+  - Atomic Test #25: Disable UAC notification via registry keys [windows]
+  - Atomic Test #26: Disable ConsentPromptBehaviorAdmin via registry keys [windows]
 - [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
   - Atomic Test #1: Sudo usage [macos, linux]
   - Atomic Test #2: Sudo usage (freebsd) [linux]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -52,6 +52,8 @@
   - Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
   - Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
   - Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows]
+  - Atomic Test #25: Disable UAC notification via registry keys [windows]
+  - Atomic Test #26: Disable ConsentPromptBehaviorAdmin via registry keys [windows]
 - T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
   - Atomic Test #1: Service Registry Permissions Weakness [windows]
@@ -586,6 +588,8 @@
   - Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
   - Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
   - Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows]
+  - Atomic Test #25: Disable UAC notification via registry keys [windows]
+  - Atomic Test #26: Disable ConsentPromptBehaviorAdmin via registry keys [windows]
 - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
   - Atomic Test #1: Service Registry Permissions Weakness [windows]
   - Atomic Test #2: Service ImagePath Change with reg.exe [windows]

atomics/Indexes/index.yaml

@@ -2801,6 +2801,51 @@ defense-evasion:
           '
         name: powershell
         elevation_required: true
+    - name: Disable UAC notification via registry keys
+      auto_generated_guid: 160a7c77-b00e-4111-9e45-7c2a44eda3fd
+      description: 'This atomic regarding UACDisableNotify pertains to the notification
+        behavior of UAC. UAC is a critical security feature in Windows that prevents
+        unauthorized changes to the operating system. It prompts the user for permission
+        or an administrator password before allowing actions that could affect the
+        system''s operation or change settings that affect other users. The BlotchyQuasar
+        RAT defense evasion activities that the adversary to disable UAC notifications
+        makes it easier for malware and malicious software to execute with elevated
+        privileges. [Article](https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/)
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
+          /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
+          /t REG_DWORD /d 0 /f
+
+          '
+        name: command_prompt
+    - name: Disable ConsentPromptBehaviorAdmin via registry keys
+      auto_generated_guid: a768aaa2-2442-475c-8990-69cf33af0f4e
+      description: 'This atomic regarding setting ConsentPromptBehaviorAdmin to 0
+        configures the UAC so that it does not prompt for consent or credentials when
+        actions requiring elevated privileges are performed by users in the administrators
+        group. This means that any operation that would normally trigger a UAC prompt
+        will proceed automatically without user interaction.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
+
+          '
+        name: command_prompt
   T1548.003:
     technique:
       x_mitre_platforms:
@@ -32117,6 +32162,51 @@ privilege-escalation:
           '
         name: powershell
         elevation_required: true
+    - name: Disable UAC notification via registry keys
+      auto_generated_guid: 160a7c77-b00e-4111-9e45-7c2a44eda3fd
+      description: 'This atomic regarding UACDisableNotify pertains to the notification
+        behavior of UAC. UAC is a critical security feature in Windows that prevents
+        unauthorized changes to the operating system. It prompts the user for permission
+        or an administrator password before allowing actions that could affect the
+        system''s operation or change settings that affect other users. The BlotchyQuasar
+        RAT defense evasion activities that the adversary to disable UAC notifications
+        makes it easier for malware and malicious software to execute with elevated
+        privileges. [Article](https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/)
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
+          /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
+          /t REG_DWORD /d 0 /f
+
+          '
+        name: command_prompt
+    - name: Disable ConsentPromptBehaviorAdmin via registry keys
+      auto_generated_guid: a768aaa2-2442-475c-8990-69cf33af0f4e
+      description: 'This atomic regarding setting ConsentPromptBehaviorAdmin to 0
+        configures the UAC so that it does not prompt for consent or credentials when
+        actions requiring elevated privileges are performed by users in the administrators
+        group. This means that any operation that would normally trigger a UAC prompt
+        will proceed automatically without user interaction.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
+
+          '
+        name: command_prompt
   T1548.003:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -2146,6 +2146,51 @@ defense-evasion:
           '
         name: powershell
         elevation_required: true
+    - name: Disable UAC notification via registry keys
+      auto_generated_guid: 160a7c77-b00e-4111-9e45-7c2a44eda3fd
+      description: 'This atomic regarding UACDisableNotify pertains to the notification
+        behavior of UAC. UAC is a critical security feature in Windows that prevents
+        unauthorized changes to the operating system. It prompts the user for permission
+        or an administrator password before allowing actions that could affect the
+        system''s operation or change settings that affect other users. The BlotchyQuasar
+        RAT defense evasion activities that the adversary to disable UAC notifications
+        makes it easier for malware and malicious software to execute with elevated
+        privileges. [Article](https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/)
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
+          /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
+          /t REG_DWORD /d 0 /f
+
+          '
+        name: command_prompt
+    - name: Disable ConsentPromptBehaviorAdmin via registry keys
+      auto_generated_guid: a768aaa2-2442-475c-8990-69cf33af0f4e
+      description: 'This atomic regarding setting ConsentPromptBehaviorAdmin to 0
+        configures the UAC so that it does not prompt for consent or credentials when
+        actions requiring elevated privileges are performed by users in the administrators
+        group. This means that any operation that would normally trigger a UAC prompt
+        will proceed automatically without user interaction.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
+
+          '
+        name: command_prompt
   T1548.003:
     technique:
       x_mitre_platforms:
@@ -26657,6 +26702,51 @@ privilege-escalation:
           '
         name: powershell
         elevation_required: true
+    - name: Disable UAC notification via registry keys
+      auto_generated_guid: 160a7c77-b00e-4111-9e45-7c2a44eda3fd
+      description: 'This atomic regarding UACDisableNotify pertains to the notification
+        behavior of UAC. UAC is a critical security feature in Windows that prevents
+        unauthorized changes to the operating system. It prompts the user for permission
+        or an administrator password before allowing actions that could affect the
+        system''s operation or change settings that affect other users. The BlotchyQuasar
+        RAT defense evasion activities that the adversary to disable UAC notifications
+        makes it easier for malware and malicious software to execute with elevated
+        privileges. [Article](https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/)
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
+          /t REG_DWORD /d 1 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UACDisableNotify
+          /t REG_DWORD /d 0 /f
+
+          '
+        name: command_prompt
+    - name: Disable ConsentPromptBehaviorAdmin via registry keys
+      auto_generated_guid: a768aaa2-2442-475c-8990-69cf33af0f4e
+      description: 'This atomic regarding setting ConsentPromptBehaviorAdmin to 0
+        configures the UAC so that it does not prompt for consent or credentials when
+        actions requiring elevated privileges are performed by users in the administrators
+        group. This means that any operation that would normally trigger a UAC prompt
+        will proceed automatically without user interaction.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
+
+          '
+        name: command_prompt
   T1548.003:
     technique:
       x_mitre_platforms: