Carrie Roberts
1bfefdacfc
* provide elevation_required attribute * provide elevation_required attribute * provide elevation_required attribute
29 lines
1.1 KiB
YAML
29 lines
1.1 KiB
YAML
---
|
|
attack_technique: T1101
|
|
display_name: Security Support Provider
|
|
|
|
atomic_tests:
|
|
- name: Modify SSP configuration in registry
|
|
description: Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
fake_ssp_dll:
|
|
description: Value added to registry key. Normally refers to a DLL name in C:\Windows\System32.
|
|
type: String
|
|
default: not-a-ssp
|
|
|
|
executor:
|
|
name: powershell
|
|
elevation_required: true
|
|
command: |
|
|
# run these in sequence
|
|
$SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
|
|
$SecurityPackagesUpdated = $SecurityPackages
|
|
$SecurityPackagesUpdated += "#{fake_ssp_dll}"
|
|
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated
|
|
|
|
# revert (before reboot)
|
|
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages
|
|
|