Josh Rickard
a5dd0813cd
* fix: Updating atomics YAML file structure to align with the new JSON schema definition. This also fixes some white space issues and general line formatting across all impacted atomics. * fix: One additional change needed --------- Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
29 lines
1.1 KiB
YAML
29 lines
1.1 KiB
YAML
attack_technique: T1037.001
|
|
display_name: "Boot or Logon Initialization Scripts: Logon Script (Windows)"
|
|
atomic_tests:
|
|
- name: Logon Scripts
|
|
auto_generated_guid: d6042746-07d4-4c92-9ad8-e644c114a231
|
|
description: |
|
|
Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key
|
|
that can be viewed in the Registry Editor.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
script_path:
|
|
description: Path to .bat file
|
|
type: string
|
|
default: '%temp%\art.bat'
|
|
script_command:
|
|
description: Command To Execute
|
|
type: string
|
|
default: echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037.001-log.txt
|
|
executor:
|
|
command: |
|
|
echo "#{script_command}" > #{script_path}
|
|
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
|
|
cleanup_command: |
|
|
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1
|
|
del #{script_path} >nul 2>&1
|
|
del "%USERPROFILE%\desktop\T1037.001-log.txt" >nul 2>&1
|
|
name: command_prompt
|