security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1547.010/T1547.010.yaml
T
frack113 a7e5260a93 Add reg.exe force swith (#2477) 
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-07-11 20:36:53 -06:00

21 lines
1.0 KiB
YAML
Raw Permalink Blame History

attack_technique: T1547.010
display_name: 'Boot or Logon Autostart Execution: Port Monitors'
atomic_tests:
- name: Add Port Monitor persistence in Registry
auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50
description: Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot DLL will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege.
supported_platforms:
- windows
input_arguments:
monitor_dll:
description: Addition to port monitor registry key. Normally refers to a DLL name in C:\Windows\System32 but an arbitrary DLL can be specified with the absolute path.
type: path
default: $PathToAtomicsFolder\T1547.010\bin\PortMonitor.dll
executor:
command: |
reg add "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam" /v "Driver" /d "#{monitor_dll}" /t REG_SZ /f
cleanup_command: |
reg delete "hklm\system\currentcontrolset\control\print\monitors\AtomicRedTeam" /f >nul 2>&1
name: command_prompt
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink