security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generate GUIDs from job=generate-docs branch=master [skip ci]

Browse Source
This commit is contained in:
Atomic Red Team GUID generator
2023-11-08 00:28:55 +00:00
parent dfb25a02e3
commit 717f5941fd
2 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1053.005/T1053.005.yaml
+1
View File
@@ -231,6 +231,7 @@ atomic_tests:
cleanup_command: |
Unregister-ScheduledTask -TaskName "AtomicTaskModifed" -confirm:$false >$null 2>&1
- name: Scheduled Task ("Ghost Task") via Registry Key Manipulation
auto_generated_guid: 704333ca-cc12-4bcf-9916-101844881f54
description: |
Create a scheduled task through manipulation of registry keys. This procedure is implemented using the [GhostTask](https://github.com/netero1010/GhostTask) utility. By manipulating registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, the tool creates user-specified scheduled tasks without a corresponding Windows Event 4698, which is logged when scheduled tasks are created through conventional means.
This requires a download of the GhostTask binary, which must be run as NT Authority\SYSTEM. Upon successful execution of this test, a scheduled task will be set to run at logon which launches notepad.exe or runs a user-specified command.