Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -297,6 +297,7 @@ defense-evasion,T1112,Modify Registry,57,Allow Simultaneous Download Registry,37
 defense-evasion,T1112,Modify Registry,58,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
 defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
 defense-evasion,T1112,Modify Registry,60,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
+defense-evasion,T1112,Modify Registry,61,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -202,6 +202,7 @@ defense-evasion,T1112,Modify Registry,57,Allow Simultaneous Download Registry,37
 defense-evasion,T1112,Modify Registry,58,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
 defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
 defense-evasion,T1112,Modify Registry,60,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
+defense-evasion,T1112,Modify Registry,61,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -366,6 +366,7 @@
   - Atomic Test #58: Modify Internet Zone Protocol Defaults in Current User Registry - cmd [windows]
   - Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
   - Atomic Test #60: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
+  - Atomic Test #61: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
   - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -257,6 +257,7 @@
   - Atomic Test #58: Modify Internet Zone Protocol Defaults in Current User Registry - cmd [windows]
   - Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
   - Atomic Test #60: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
+  - Atomic Test #61: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
   - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -12942,6 +12942,24 @@ defense-evasion:
         cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor"
           /v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 1 /f
 
+          '
+        name: command_prompt
+    - name: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication
+        Detected By Modified Registry Value.
+      auto_generated_guid: ffeddced-bb9f-49c6-97f0-3d07a509bf94
+      description: |
+        Detect the Microsoft FIDO authentication disable activities that adversary attempt to gains access to login credentials (e.g., passwords), they may be able to impersonate the user and access sensitive accounts or data and also increases the risk of falling victim to phishing attacks.
+        See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.FidoAuthentication::AllowFidoDeviceSignon).
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon"
+          /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon"
+          /t REG_DWORD /d 1 /f
+
           '
         name: command_prompt
   T1574.008:

atomics/Indexes/windows-index.yaml

@@ -10367,6 +10367,24 @@ defense-evasion:
         cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor"
           /v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 1 /f
 
+          '
+        name: command_prompt
+    - name: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication
+        Detected By Modified Registry Value.
+      auto_generated_guid: ffeddced-bb9f-49c6-97f0-3d07a509bf94
+      description: |
+        Detect the Microsoft FIDO authentication disable activities that adversary attempt to gains access to login credentials (e.g., passwords), they may be able to impersonate the user and access sensitive accounts or data and also increases the risk of falling victim to phishing attacks.
+        See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.FidoAuthentication::AllowFidoDeviceSignon).
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon"
+          /t REG_DWORD /d 0 /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon"
+          /t REG_DWORD /d 1 /f
+
           '
         name: command_prompt
   T1574.008:

atomics/T1112/T1112.md

@@ -130,6 +130,8 @@ The Registry of a remote system may be modified to aid in execution of files as
 
 - [Atomic Test #60 - Activities To Disable Secondary Authentication Detected By Modified Registry Value.](#atomic-test-60---activities-to-disable-secondary-authentication-detected-by-modified-registry-value)
 
+- [Atomic Test #61 - Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.](#atomic-test-61---activities-to-disable-microsoft-fido-aka-fast-identity-online-authentication-detected-by-modified-registry-value)
+
 
 <br/>
 
@@ -2233,4 +2235,37 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor" /v "All
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #61 - Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.
+Detect the Microsoft FIDO authentication disable activities that adversary attempt to gains access to login credentials (e.g., passwords), they may be able to impersonate the user and access sensitive accounts or data and also increases the risk of falling victim to phishing attacks.
+See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.FidoAuthentication::AllowFidoDeviceSignon).
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ffeddced-bb9f-49c6-97f0-3d07a509bf94
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon" /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon" /t REG_DWORD /d 1 /f
+```
+
+
+
+
+
 <br/>