New test: T1542.001 - 'UEFI Persistence via Wpbbin.exe File Creation' (#2714)

* New test: T1542.001 - 'UEFI Persistence via Wpbbin.exe File Creation' * Update T1542.001.yaml --------- Co-authored-by: jandress <1542666+jandress@users.noreply.github.com>
2024-03-01 11:22:39 -08:00
parent de85398163
commit 498aecdb83
1 changed files with 20 additions and 0 deletions
@@ -0,0 +1,20 @@
+attack_technique: T1542.001
+display_name: "Pre-OS Boot: System Firmware"
+atomic_tests:
+- name: UEFI Persistence via Wpbbin.exe File Creation
+  description: |
+    Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms.
+    - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
+    - http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
+    - https://github.com/tandasat/WPBT-Builder
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    command: |
+      echo "Creating %systemroot%\wpbbin.exe"      
+      New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
+    cleanup_command: |
+      echo "Removing %systemroot%\wpbbin.exe" 
+      Remove-Item -Path "$env:SystemRoot\System32\wpbbin.exe"
+    elevation_required: true