Update T1574.001.yaml (#2898)
Phantom Dll Hijacking - ualapi.dll Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
@@ -42,3 +42,23 @@ atomic_tests:
|
||||
del %APPDATA%\WinAppXRT.dll
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Phantom Dll Hijacking - ualapi.dll
|
||||
description: |
|
||||
Re-starting the Print Spooler service leads to C:\Windows\System32\ualapi.dll being loaded
|
||||
A malicious ualapi.dll placed in the System32 directory will lead to its execution whenever the system starts
|
||||
|
||||
Upon successful execution, amsi.dll will be copied and renamed to ualapi.dll and then ualapi.dll will be copied to system32 folder for loading during system restart.
|
||||
Print Spooler service is also configured to auto start. Reboot of system is required
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
|
||||
ren %APPDATA%\amsi.dll ualapi.dll
|
||||
copy %APPDATA%\ualapi.dll %windir%\System32\ualapi.dll
|
||||
sc config Spooler start=auto
|
||||
cleanup_command: |
|
||||
del %windir%\System32\ualapi.dll
|
||||
del %APPDATA%\ualapi.dll
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
|
||||
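Review bot: The new test's cleanup_command never reverts `sc config Spooler start=auto`, so a host whose Print Spooler start type was manual or disabled before the run keeps auto-start after cleanup; either record the prior start type before changing it or state in the description that the start type is not restored. Two smaller issues sit in the same executor: sc.exe parses `start=` as the option token and expects the value after a space, so `sc config Spooler start= auto` is the form that is accepted (the line as written is likely rejected with usage text, worth confirming on a test host), and once the spooler has loaded the DLL after the reboot the description requires, `del %windir%\System32\ualapi.dll` will fail on a file in use unless the service is stopped first, e.g. `sc stop Spooler` ahead of the delete. The description's opening line says re-starting the spooler causes the load, while the executor only sets the start type and the text later says a reboot is required; aligning those two statements would save confusion for whoever runs and detects this test.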