security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generate GUIDs from job=generate-docs branch=master [skip ci]

Browse Source
This commit is contained in:
Atomic Red Team GUID generator
2023-11-08 00:28:55 +00:00
parent dfb25a02e3
commit 717f5941fd
2 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1053.005/T1053.005.yaml
+1
View File
@@ -231,6 +231,7 @@ atomic_tests:
cleanup_command: |
Unregister-ScheduledTask -TaskName "AtomicTaskModifed" -confirm:$false >$null 2>&1
- name: Scheduled Task ("Ghost Task") via Registry Key Manipulation
auto_generated_guid: 704333ca-cc12-4bcf-9916-101844881f54
description: |
Create a scheduled task through manipulation of registry keys. This procedure is implemented using the [GhostTask](https://github.com/netero1010/GhostTask) utility. By manipulating registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, the tool creates user-specified scheduled tasks without a corresponding Windows Event 4698, which is logged when scheduled tasks are created through conventional means.
This requires a download of the GhostTask binary, which must be run as NT Authority\SYSTEM. Upon successful execution of this test, a scheduled task will be set to run at logon which launches notepad.exe or runs a user-specified command.
atomics/used_guids.txt
+1
View File
@@ -1495,3 +1495,4 @@ f7308845-6da8-468e-99f2-4271f2f5bb67
cedaf7e7-28ee-42ab-ba13-456abd35d1bd
6b8ca3ab-5980-4321-80c3-bcd77c8daed8
a9030b20-dd4b-4405-875e-3462c6078fdc
704333ca-cc12-4bcf-9916-101844881f54