Carrie Roberts
1bfefdacfc
* provide elevation_required attribute * provide elevation_required attribute * provide elevation_required attribute
42 lines
958 B
YAML
42 lines
958 B
YAML
---
|
|
attack_technique: T1191
|
|
display_name: CMSTP
|
|
|
|
atomic_tests:
|
|
- name: CMSTP Executing Remote Scriptlet
|
|
description: |
|
|
Adversaries may supply CMSTP.exe with INF files infected with malicious commands
|
|
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
inf_file_path:
|
|
description: Path to the INF file
|
|
type: path
|
|
default: T1191.inf
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
cmstp.exe /s #{inf_file_path}
|
|
|
|
- name: CMSTP Executing UAC Bypass
|
|
description: |
|
|
Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
inf_file_uac:
|
|
description: Path to the INF file
|
|
type: path
|
|
default: T1191_uacbypass.inf
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
cmstp.exe /s #{inf_file_uac} /au
|