From b8e521c714debded270ffe8efb4e257051354da5 Mon Sep 17 00:00:00 2001
From: Leo Verlod <96517806+Leomon5@users.noreply.github.com>
Date: Wed, 17 Jan 2024 15:44:54 -0600
Subject: [PATCH] Adding T1543.006 Test 6 - Modify Service to Run Arbitrary Binary (Powershell) (#2653)
* Adding T1543.006 Test 6
* Update T1543.003.yaml
---------
Co-authored-by: Carrie Roberts
---
atomics/T1543.003/T1543.003.yaml | 32 +++++++++++++++++++++++++++++++-
1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/atomics/T1543.003/T1543.003.yaml b/atomics/T1543.003/T1543.003.yaml
index 5e2612ba..99781b4b 100644
--- a/atomics/T1543.003/T1543.003.yaml
+++ b/atomics/T1543.003/T1543.003.yaml
@@ -173,4 +173,34 @@ atomic_tests:
 sc.exe \\#{remote_host} start #{service_name}
 cleanup_command: |
 sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
- sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
\ No newline at end of file
+ sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
+- name: Modify Service to Run Arbitrary Binary (Powershell)
+ description: |
+ This test will use PowerShell to temporarily modify a service to run an arbitrary executable by changing its binary path and will then revert the binary path change, restoring the service to its original state.
+ This technique was previously observed through SnapMC's use of Powerspolit's invoke-serviceabuse function.
+ [Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)
+ supported_platforms:
+ - windows
+ input_arguments:
+ service_name:
+ description: Name of the service to modify
+ type: string
+ default: fax
+ new_bin_path:
+ description: Path of the new service binary
+ type: String
+ default: '$env:windir\system32\notepad.exe'
+ original_bin_path:
+ description: Path of the original service binary
+ type: String
+ default: '$env:windir\system32\fxssvc.exe'
+ executor:
+ command: |-
+ Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
+ set-servicebinarypath -name "#{service_name}" -path "#{new_bin_path}"
+ start-service -Name "#{service_name}" -erroraction silentlycontinue | out-null
+ cleanup_command: |-
+ Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
+ set-servicebinarypath -name "#{service_name}" -path "#{original_bin_path}" -erroraction silentlycontinue | out-null
+ name: powershell
+ elevation_required: true
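Review bot: The cleanup_command restores `original_bin_path` from a hard-coded default rather than from the path the service actually had before the test, so an operator who overrides `service_name` without also overriding `original_bin_path` leaves that service pointed at `fxssvc.exe` after cleanup; at minimum the description should state the coupling, e.g. `original_bin_path must be the current binary path of service_name (see the PathName property of Get-CimInstance Win32_Service) before running this test.` I also cannot find `set-servicebinarypath`, used in both the command and the cleanup_command, among the built-in PowerShell cmdlets — if it is provided by a module, the test needs a `dependencies:` entry with `prereq_command`/`get_prereq_command` so the runner can detect and install it instead of failing silently under `-erroraction silentlycontinue`; otherwise please name the source of the cmdlet in the description. Minor: `type: String` on the two path arguments is inconsistent with `type: string` on `service_name`, and `Powerspolit's invoke-serviceabuse` in the description should read `PowerSploit's Invoke-ServiceAbuse`.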