security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix Shim References

Browse Source
This commit is contained in:
caseysmithrc
2017-12-07 09:03:07 -07:00
parent fbce4cfb2d
commit 1d57ef77e0
2 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Windows/Payloads/AppCompatShims/AtomicShimWin7.sdb → Windows/Payloads/AppCompatShims/AtomicShimx86.sdb
View File
Windows/Persistence/Application_Shimming.md
+6 -2
View File
@@ -11,7 +11,11 @@ MITRE ATT&CK Technique: [T1138](https://attack.mitre.org/wiki/Technique/T1138)
##### 3.) Registry Modification - This is completed either manually or by an installation tool.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
#### Detecting the shim execution is difficult. We suggest detection of Shim Installation.
## Test Script
[AppInitInject.reg](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AppCompatShims)