added T1505.005 technique (#2426)

* added T1505.005 technique

* include full technique name

---------

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Nour Saffour
2023-05-19 19:12:19 +02:00
committed by GitHub
parent b1f3c968f2
commit 528c540e94
@@ -0,0 +1,24 @@
attack_technique: T1505.005
display_name: 'Server Software Component: Terminal Services DLL'
atomic_tests:
- name: Simulate Patching termsrv.dll
description: |
Simulates patching of termsrv.dll by making a benign change to the file and replacing it with the original afterwards.
Before we can make the modifications we need to take ownership of the file and grant ourselves the necessary permissions.
supported_platforms:
- windows
executor:
elevation_required: true
command: |
$ACL = Get-Acl $fileName
$permission = "Administrators","FullControl","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$ACL.SetAccessRule($accessRule)
Set-Acl -Path $fileName -AclObject $ACL
Copy-Item -Path "C:\Windows\System32\termsrv.dll" -Destination "C:\Windows\System32\termsrv_backup.dll" -ErrorAction Ignore
Add-Content -Path "C:\Windows\System32\termsrv.dll" -Value "`n" -NoNewline -ErrorAction Ignore
Move-Item -Path "C:\Windows\System32\termsrv_backup.dll" -Destination "C:\Windows\System32\termsrv.dll" -Force -ErrorAction Ignore
cleanup_command: |
Move-Item -Path "C:\Windows\System32\termsrv_backup.dll" -Destination "C:\Windows\System32\termsrv.dll" -Force -ErrorAction Ignore
name: powershell
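Review bot: `$fileName` is read in `Get-Acl $fileName` and `Set-Acl -Path $fileName` but never assigned anywhere in the command, so the ACL change is applied to nothing (Get-Acl will throw on an empty path, and the test proceeds only because the later lines use -ErrorAction Ignore) and the Add-Content write to termsrv.dll will still be refused on a TrustedInstaller-owned file; set it before use, e.g. `$fileName = "C:\Windows\System32\termsrv.dll"`, or better, expose it as an input_argument so the hard-coded paths in the Copy-Item/Add-Content/Move-Item lines can reference the same value. The description also says ownership must be taken before permissions can be granted, but the hunk contains no ownership step, so the Set-Acl call is likely to fail as well. Minor: cleanup_command repeats the Move-Item that the main command already runs, so after a successful run the backup no longer exists and cleanup is a silent no-op under -ErrorAction Ignore; acceptable as a fallback, but worth noting in the description so users do not expect the cleanup to restore anything on its own.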