From baba01109e8185fe4e58ec77ad862865d014a969 Mon Sep 17 00:00:00 2001
From: Keep Watcher
Date: Mon, 21 Jan 2019 14:49:01 -0500
Subject: [PATCH] adding SSP mod simulation (#438)
* adding SSP mod simulation
* Update T1101.md
---
 atomics/T1101/T1101.md | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 atomics/T1101/T1101.md
diff --git a/atomics/T1101/T1101.md b/atomics/T1101/T1101.md
new file mode 100644
index 00000000..24f3ce86
--- /dev/null
+++ b/atomics/T1101/T1101.md
@@ -0,0 +1,27 @@
+---
+attack_technique: T1101
+display_name: Security Support Provider
+
+atomic_tests:
+- name: Modify SSP configuration in registry
+ description: Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.
+ supported_platforms:
+ - windows
+ input_arguments:
+ fake_ssp_dll:
+ description: Value added to registry key. Normally refers to a DLL name in C:\Windows\System32.
+ type: String
+ default: not-a-ssp
+
+ executor:
+ name: powershell
+ command: |
+ # run these in sequence
+ $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
+ $SecurityPackagesUpdated = $SecurityPackages
+ $SecurityPackagesUpdated += "#{fake_ssp_dll}"
+ Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
+
+ # revert (before reboot)
+ Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
+
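Review bot: The two Set-ItemProperty calls in the `command:` block write the LSA 'Security Packages' value back without checking that the initial read produced a list or pinning the value type: if Get-ItemProperty returns nothing (value absent, or an error on a non-elevated or unusual host), `+=` turns `$SecurityPackagesUpdated` into a single string, the first write replaces the REG_MULTI_SZ list with just `not-a-ssp`, and the "revert" then writes `$null` — on a value lsass reads at boot this risks breaking logon rather than simulating an SSP registration. I would guard the read and make the type explicit, e.g. `if (-not $SecurityPackages) { throw "Security Packages value not found" }` before the first write and `-Type MultiString` on both Set-ItemProperty calls, since Set-ItemProperty without -Type infers the kind from the object it is handed. The revert also belongs in the test's cleanup step rather than the same command: as written it runs even when the add failed (HKLM\SYSTEM writes need elevation, which nothing here declares), and the modification never persists long enough for a detection (e.g. a registry-set event on this key) to be exercised deliberately. Separately, the added file is named T1101.md but holds the YAML test definition; presumably the intended path is T1101.yaml — worth confirming against the other atomics.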