From 9488f53dc5f357065770d9d1310cd44f89aac617 Mon Sep 17 00:00:00 2001
From: Eric Turpin
Date: Thu, 12 Jul 2018 16:40:46 -0400
Subject: [PATCH 1/2] Added T1031 Modify Existing Service Test

---
 atomics/T1031/T1031.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 atomics/T1031/T1031.yaml

diff --git a/atomics/T1031/T1031.yaml b/atomics/T1031/T1031.yaml
new file mode 100644
index 00000000..0acedf10
--- /dev/null
+++ b/atomics/T1031/T1031.yaml
@@ -0,0 +1,19 @@
+---
+attack_technique: T1031
+display_name: Modify Existing Service
+
+atomic_tests:
+- name: Modify PhoneSvc service to run PowerShell
+ description: |
+ This test will temporarily modify the service PhoneSvc by changing the binPath to PowerShell
+ and will then revert the binPath change, restoring PhoneSvc to its original state.
+
+ supported_platforms:
+ - windows
+
+ executor:
+ name: command_prompt
+ command: |
+ sc config PhoneSvc binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\""
+ sc start PhoneSvc
+ sc config PhoneSvc binPath= "C:\WINDOWS\system32\svchost.exe -k LocalService -p"

From 0f76c98adb06873176cfe52bb3d1f0d6c5a8484c Mon Sep 17 00:00:00 2001
From: Eric Turpin
Date: Thu, 12 Jul 2018 16:53:35 -0400
Subject: [PATCH 2/2] Updated T1031 Modify Existing Service Test

---
 atomics/T1031/T1031.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/atomics/T1031/T1031.yaml b/atomics/T1031/T1031.yaml
index 0acedf10..c2b61952 100644
--- a/atomics/T1031/T1031.yaml
+++ b/atomics/T1031/T1031.yaml
@@ -3,10 +3,10 @@ attack_technique: T1031
 display_name: Modify Existing Service

 atomic_tests:
-- name: Modify PhoneSvc service to run PowerShell
+- name: Modify Fax service to run PowerShell
 description: |
- This test will temporarily modify the service PhoneSvc by changing the binPath to PowerShell
- and will then revert the binPath change, restoring PhoneSvc to its original state.
+ This test will temporarily modify the service Fax by changing the binPath to PowerShell
+ and will then revert the binPath change, restoring Fax to its original state.

 supported_platforms:
 - windows
@@ -14,6 +14,6 @@ atomic_tests:
 executor:
 name: command_prompt
 command: |
- sc config PhoneSvc binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\""
- sc start PhoneSvc
- sc config PhoneSvc binPath= "C:\WINDOWS\system32\svchost.exe -k LocalService -p"
+ sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\""
+ sc start Fax
+ sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe"
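Review bot: The rewritten description lines (`+ This test will temporarily modify the service Fax ...`) still omit the two preconditions an operator needs before running this: `sc config` on a system service only succeeds from an elevated prompt, and the Fax service has to exist on the host for `sc config Fax` to do anything at all. I would append a sentence such as `Requires an elevated (administrator) command prompt and the Fax service being present on the host; the test leaves the service reconfigured if it is interrupted between the two sc config calls.` If the test schema used in this repository has an elevation flag, that is the better place for the first part, but the schema is not visible in this patch so I cannot say.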
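Review bot: The revert line `sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe"` writes a fixed value rather than what the service had before the test, so the "restoring Fax to its original state" promise only holds on hosts whose binPath already was exactly that string, and any arguments the original had are dropped. Record the prior configuration before the first change, e.g. `sc qc Fax` at the top of the command block so the operator has the value to restore by hand, or state the assumed default in the description. As far as I can tell, `sc start Fax` pointed at powershell.exe will also report error 1053 once the service-control timeout expires, since powershell never registers as a service, while the `-noexit` powershell.exe process may be left running under the service account; the revert step should stop the service and terminate that process rather than only rewriting binPath. Whether this repository's schema has a separate cleanup field is not visible here; if it does, the revert belongs there so it runs even when the start step fails.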