security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #298 from vector-sec/t1031-modifying-a-service

Browse Source 
T1031 modifying a service
This commit is contained in:
Michael Haag
2018-07-16 13:56:03 -04:00
committed by GitHub
parent 6f86b3ef5d 0f76c98adb
commit 5f734f7dda
1 changed files with 19 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1031/T1031.yaml
+19
View File
@@ -0,0 +1,19 @@
---
attack_technique: T1031
display_name: Modify Existing Service
atomic_tests:
- name: Modify Fax service to run PowerShell
description: |
This test will temporarily modify the service Fax by changing the binPath to PowerShell
and will then revert the binPath change, restoring Fax to its original state.
supported_platforms:
- windows
executor:
name: command_prompt
command: |
sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\""
sc start Fax
sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe"