Created September 6, 2023 03:08
Atomic Red Team Test - https://twitter.com/M_haggis/status/1699056847154725107?s=20. Grab one, submit a PR! Be quick, whoever submits first gets a shirt + sticker :)
````yaml
- name: Modify Internet Zone Protocol Defaults in Current User Registry - cmd
  description: |
    This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using the reg.exe utility via the command prompt. Such modifications can be indicative of an adversary trying to weaken browser security settings. Upon execution, if successful, the message "The operation completed successfully." will be displayed.
    To verify the effects of the test:
    1. Open the Registry Editor (regedit.exe).
    2. Navigate to "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults".
    3. Check for the presence of the "http" and "https" DWORD values set to `0`.
    Or run:
    ```batch
    reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults"
    ```
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v http /t REG_DWORD /d 0 /F
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v https /t REG_DWORD /d 0 /F
    cleanup_command: |
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v http /t REG_DWORD /d 3 /F
      reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" /v https /t REG_DWORD /d 3 /F
    name: command_prompt

- name: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell
  description: |
    This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using PowerShell. Such modifications can be indicative of an adversary attempting to weaken browser security settings.
    To verify the effects of the test:
    1. Open the Registry Editor (regedit.exe).
    2. Navigate to "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults".
    3. Check for the presence of the "http" and "https" DWORD values set to `0`.
    Or run:
    ```powershell
    Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' | Select-Object http,https
    ```
  supported_platforms:
  - windows
  executor:
    command: |
      # Set the registry values for http and https to 0
      Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'http' -Value 0
      Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'https' -Value 0
    cleanup_command: |
      # Restore the registry values for http and https to 3
      Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'http' -Value 3
      Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'https' -Value 3
    name: powershell
````
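Added detection example, not part of the gist or of Atomic Red Team: it replays constructed Sysmon Event ID 13 (RegistryEvent SetValue) records for the two tests above and flags any write that moves a ProtocolDefaults protocol below its Internet-zone default of 3, while ignoring the cleanup writes. The flattened `Field: value|Field: value` record layout, the SID and the image paths are constructed; the `DWORD (0x........)` Details format is how Sysmon renders DWORD writes.

```python
import re
from dataclasses import dataclass

# Zone ids as WinINet/Internet Explorer define them; a lower number means fewer restrictions.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
# Out-of-the-box ProtocolDefaults for these protocols (3 = Internet zone), the values the cleanup restores.
EXPECTED = {"http": 3, "https": 3, "ftp": 3, "file": 3}

PROTOCOL_DEFAULTS = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
                               r"\\ZoneMap\\ProtocolDefaults\\(?P<proto>[^\\]+)$", re.IGNORECASE)
DWORD = re.compile(r"DWORD \(0x(?P<hex>[0-9a-fA-F]{8})\)")

@dataclass
class Finding:
    protocol: str
    zone: int
    image: str
    target: str

def parse_event(line: str) -> dict:
    """Parse one constructed 'Field: value|Field: value' flattened Sysmon record into a dict."""
    return dict(part.split(": ", 1) for part in line.split("|"))

def detect(events):
    """Return a Finding for every SetValue that lowers a ProtocolDefaults zone below its expected value."""
    findings = []
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue
        m = PROTOCOL_DEFAULTS.search(ev.get("TargetObject", ""))
        d = DWORD.search(ev.get("Details", ""))
        if not (m and d):
            continue  # not a ProtocolDefaults write, or not a DWORD
        proto, zone = m.group("proto").lower(), int(d.group("hex"), 16)
        if zone < EXPECTED.get(proto, 3):  # moved toward a less restricted zone
            findings.append(Finding(proto, zone, ev.get("Image", ""), ev["TargetObject"]))
    return findings

# Constructed sample records mirroring what Sysmon logs for the cmd test above and its cleanup (SID is made up).
KEY = r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults"
SAMPLE = [
    rf"EventType: SetValue|Image: C:\Windows\System32\reg.exe|TargetObject: {KEY}\http|Details: DWORD (0x00000000)",
    rf"EventType: SetValue|Image: C:\Windows\System32\reg.exe|TargetObject: {KEY}\https|Details: DWORD (0x00000000)",
    rf"EventType: SetValue|Image: C:\Windows\System32\reg.exe|TargetObject: {KEY}\http|Details: DWORD (0x00000003)",  # cleanup
    r"EventType: SetValue|Image: C:\Windows\explorer.exe|TargetObject: HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tool|Details: C:\tool.exe",
]

def run_sample():
    return detect(parse_event(line) for line in SAMPLE)

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.image} set {f.protocol} to zone {f.zone} ({ZONES[f.zone]}) at {f.target}")
```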