security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

T1547.001 Fix test a70faea1-e206-4f6f-8d9a-67379be8f6f1 (#2171)

Browse Source 
* Fix test a70faea1-e206-4f6f-8d9a-67379be8f6f1

* Restore b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
frack113
2022-10-04 00:32:48 +02:00
committed by GitHub
parent 7e1529fbca
commit f41e92b834
1 changed files with 11 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1547.001/T1547.001.yaml
+11 -3
View File
@@ -247,7 +247,11 @@ atomic_tests:
type: String
default: C:\Windows\System32\calc.exe
executor:
command: try {if($(get-item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run").PSChildName -eq "Run"){Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}} catch {New-Item -ItemType Key -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"; Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}
command: |
if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
New-Item -ItemType Key -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
}
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"
cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}"
name: powershell
elevation_required: true
@@ -269,11 +273,15 @@ atomic_tests:
type: String
default: C:\Windows\System32\calc.exe
executor:
command: try {if($(get-item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -ErrorAction Stop).PSChildName -eq "Run"){Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}} catch {New-Item -ItemType Key -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"; Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}
command: |
if (!(Test-Path -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
New-Item -ItemType Key -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
}
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"
cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}"
name: powershell
elevation_required: true
- name: HKLM - Append Command to Winlogon Userinit KEY Value
auto_generated_guid: f7fab6cc-8ece-4ca7-a0f1-30a22fccd374
description: |