1bfefdacfc
* provide elevation_required attribute * provide elevation_required attribute * provide elevation_required attribute
---
# Atomic test definition for ATT&CK technique T1031 (Modify Existing Service).
# NOTE(review): T1031 was later deprecated in ATT&CK in favour of T1543.003
# (Windows Service) - confirm which ID your detection mapping expects.
attack_technique: T1031
display_name: Modify Existing Service

atomic_tests:
  - name: Modify Fax service to run PowerShell
    description: |
      This test will temporarily modify the service Fax by changing the binPath to PowerShell
      and will then revert the binPath change, restoring Fax to its original state.

    supported_platforms:
      - windows

    executor:
      name: command_prompt
      # Reconfiguring a service through sc.exe needs administrative rights.
      elevation_required: true
      # The three commands run in order with no error handling between them:
      #   1. point the Fax service binPath at powershell.exe
      #   2. start the service (powershell.exe is not a service binary, so the
      #      start is presumably reported as failed once the SCM times out)
      #   3. write a hard-coded fxssvc.exe path back as the binPath
      # Step 3 restores a fixed string, not the value read before step 1;
      # compare `sc qc Fax` output before and after the run to confirm the
      # service really is back in its original state, especially if the run
      # was interrupted part-way.
      # Telemetry to expect: sc.exe process creation with "config" and
      # "binPath=" on the command line, a write to the ImagePath value under
      # HKLM\SYSTEM\CurrentControlSet\Services\Fax, and powershell.exe started
      # with services.exe as its parent process.
      command: |
        sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\""
        sc start Fax
        sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe"