CircleCI Atomic Red Team doc generator
33 lines
1.7 KiB
Markdown
33 lines
1.7 KiB
Markdown
# T1031 - Modify Existing Service
|
|
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1031)
|
|
<blockquote>Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075).
|
|
|
|
Adversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of [Masquerading](https://attack.mitre.org/techniques/T1036) that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.
|
|
|
|
Adversaries may also intentionally corrupt or kill services to execute malicious recovery programs/commands. (Citation: Twitter Service Recovery Nov 2017) (Citation: Microsoft Service Recovery Feb 2013)</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Modify Fax service to run PowerShell](#atomic-test-1---modify-fax-service-to-run-powershell)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Modify Fax service to run PowerShell
|
|
This test will temporarily modify the service Fax by changing the binPath to PowerShell
|
|
and will then revert the binPath change, restoring Fax to its original state.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
|
|
```
|
|
sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\""
|
|
sc start Fax
|
|
sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe"
|
|
```
|
|
|
|
|
|
|
|
<br/>
|