security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

adding SSP mod simulation (#438)

Browse Source 
* adding SSP mod simulation

* Update T1101.md
This commit is contained in:
Keep Watcher
2019-01-21 14:49:01 -05:00
committed by Zac Brown
parent da88f2baa2
commit baba01109e
1 changed files with 27 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1101/T1101.md
+27
View File
@@ -0,0 +1,27 @@
---
attack_technique: T1101
display_name: Security Support Provider
atomic_tests:
- name: Modify SSP configuration in registry
description: Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.
supported_platforms:
- windows
input_arguments:
fake_ssp_dll:
description: Value added to registry key. Normally refers to a DLL name in C:\Windows\System32.
type: String
default: not-a-ssp
executor:
name: powershell
command: |
# run these in sequence
$SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
$SecurityPackagesUpdated = $SecurityPackages
$SecurityPackagesUpdated += "#{fake_ssp_dll}"
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
# revert (before reboot)
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages