Update T1547.yaml (#2875)

adding new atomic realted to pnputil to cover different set of command line arguments for pnputil. pnputil can be abused to install drivers in windows Test Name: Driver Installation Using pnputil.exe Co-authored-by: Carrie Roberts <[email protected]>
redcanaryco · Jul 24, 2024 · 1c0f195 · 1c0f195
1 parent 9418990
commit 1c0f195
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/atomics/T1547/T1547.yaml b/atomics/T1547/T1547.yaml
@@ -16,3 +16,18 @@ atomic_tests:
     command: |
       pnputil.exe /add-driver "#{driver_inf}"
     name: command_prompt
+
+- name: Driver Installation Using pnputil.exe
+  description: |
+    pnputil.exe is a native command-line utility in Windows to install drivers, this can be abused by to install malicious drivers. Ref: https://lolbas-project.github.io/lolbas/Binaries/Pnputil/
+  supported_platforms:
+  - windows
+  input_arguments:
+    driver_path:
+      description: Enter the driver file path to install (Default is used built-in windows driver - acpipmi.inf)
+      type: path
+      default: C:\Windows\INF\acpipmi.inf
+  executor:
+    command: |
+      pnputil.exe -i -a #{driver_path}
+    name: powershell