CircleCI Atomic Red Team doc generator
34 lines
1.5 KiB
Markdown
34 lines
1.5 KiB
Markdown
# T1035 - Service Execution
|
|
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1035)
|
|
<blockquote>Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with [New Service](https://attack.mitre.org/techniques/T1050) and [Modify Existing Service](https://attack.mitre.org/techniques/T1031) during service persistence or privilege escalation.</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Execute a Command as a Service](#atomic-test-1---execute-a-command-as-a-service)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Execute a Command as a Service
|
|
Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| service_name | Name of service to create | string | ARTService|
|
|
| executable_command | Command to execute as a service | string | %COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt|
|
|
|
|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
|
|
```
|
|
sc.exe create #{service_name} binPath= #{executable_command}
|
|
sc.exe start #{service_name}
|
|
sc.exe delete #{service_name}
|
|
```
|
|
|
|
|
|
|
|
<br/>
|