From cc251318dc3beca74a703b99488c8cc971ed7f98 Mon Sep 17 00:00:00 2001
From: hg8064
Date: Wed, 15 Mar 2023 20:10:31 +0100
Subject: [PATCH 1/2] update T1012 with more commands
---
 atomics/T1012/T1012.yaml | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/atomics/T1012/T1012.yaml b/atomics/T1012/T1012.yaml
index 81c0ae695f..5800f09cd9 100644
--- a/atomics/T1012/T1012.yaml
+++ b/atomics/T1012/T1012.yaml
@@ -34,8 +34,45 @@ atomic_tests:
 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
 reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+ reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
+ reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
+ reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
 name: command_prompt
 elevation_required: true
+- name: Query Registry with Powershell cmdlets
+ auto_generated_guid:
+ description: |
+ Query Windows Registry with Powershell cmdlets, i.e., Get-Item and Get-ChildItem. The results from above can also be achieved with Get-Item and Get-ChildItem.
+ Unlike using "reg query" which then executes reg.exe, using cmdlets won't generate new processes, which may evade detection systems monitoring process generation.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
+ Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\" | findstr Windows
+ Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
+ Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
+ Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServices"
+ Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServices"
+ Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
+ Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
+ Get-Item -Path "HKCU:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
+ Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
+ Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
+ Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnce"
+ Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
+ Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
+ Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Run"
+ Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunOnce"
+ Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+ Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
+ Get-ChildItem -Path "HKLM:system\currentcontrolset\services"
+ Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
+ Get-Item -Path "HKLM:SYSTEM\CurrentControlSet\Control\SafeBoot"
+ Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Active Setup\Installed Components"
+ Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
+ name: powershell
+ elevation_required: true
 - name: Enumerate COM Objects in Registry with Powershell
 auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564
 description: |-
From 26aa690d68e4d271fea15e2841dda715f6621f22 Mon Sep 17 00:00:00 2001
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Fri, 17 Mar 2023 13:53:52 -0600
Subject: [PATCH 2/2] Update T1012.yaml
fix guid
---
 atomics/T1012/T1012.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/atomics/T1012/T1012.yaml b/atomics/T1012/T1012.yaml
index 5800f09cd9..ac9a806988 100644
--- a/atomics/T1012/T1012.yaml
+++ b/atomics/T1012/T1012.yaml
@@ -40,7 +40,6 @@ atomic_tests:
 name: command_prompt
 elevation_required: true
 - name: Query Registry with Powershell cmdlets
- auto_generated_guid:
 description: |
 Query Windows Registry with Powershell cmdlets, i.e., Get-Item and Get-ChildItem. The results from above can also be achieved with Get-Item and Get-ChildItem.
 Unlike using "reg query" which then executes reg.exe, using cmdlets won't generate new processes, which may evade detection systems monitoring process generation.