Update T1546.yaml - New Test - Persistence using STARTUP-PATH in MS-WORD (#2899)

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
abhijose09
2024-08-13 06:03:48 +05:30
committed by GitHub
parent 39ba130848
commit 32da9c87c1
+15 -1
@@ -168,4 +168,18 @@ atomic_tests:
cleanup_command: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin" /f
name: command_prompt
elevation_required: true
elevation_required: true
- name: Persistence using STARTUP-PATH in MS-WORD
description: |-
When Word starts, it searches for the registry key HKCU\Software\Microsoft\Office\<version>\Word\Options\STARTUP-PATH and if it exists,
it will treat it as a user specific start-up folder and load the contents of the folder with file extensions of .wll,.lnk,.dotm,.dot,.dotx
The registry key can be abused to load malware from the mentioned path. Reboot might be required.
supported_platforms:
- windows
executor:
command: |-
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v STARTUP-PATH /t REG_SZ /d "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent" /f
cleanup_command: |-
reg delete HKCU\Software\Microsoft\Office\16.0\Word\Options /v STARTUP-PATH /f
name: command_prompt
elevation_required: true
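Review bot: `elevation_required: true` on the new STARTUP-PATH test looks unnecessary, because both the `reg add` and the `reg delete` commands touch only HKCU; setting it to `false` would let the test run from a standard user context. The description refers to `<version>` while both commands hardcode `16.0`, so an input argument for the Office version would let the test cover other installs. The cleanup also deletes STARTUP-PATH unconditionally, so a value that already existed before the test (and was overwritten by `/f`) is not restored; consider saving the prior value or noting this in the description.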