From 32da9c87c17fcdcbc5662fe0c8376c642110d544 Mon Sep 17 00:00:00 2001
From: abhijose09
Date: Tue, 13 Aug 2024 06:03:48 +0530
Subject: [PATCH] Update T1546.yaml - New Test - Persistence using STARTUP-PATH in MS-WORD (#2899)
Co-authored-by: Carrie Roberts
---
 atomics/T1546/T1546.yaml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/atomics/T1546/T1546.yaml b/atomics/T1546/T1546.yaml
index a805503111..4858b93d9e 100644
--- a/atomics/T1546/T1546.yaml
+++ b/atomics/T1546/T1546.yaml
@@ -168,4 +168,18 @@ atomic_tests:
 cleanup_command: |-
 reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin" /f
 name: command_prompt
- elevation_required: true
\ No newline at end of file
+ elevation_required: true
+- name: Persistence using STARTUP-PATH in MS-WORD
+ description: |-
+ When Word starts, it searches for the registry key HKCU\Software\Microsoft\Office\\Word\Options\STARTUP-PATH and if it exists,
+ it will treat it as a user specific start-up folder and load the contents of the folder with file extensions of .wll,.lnk,.dotm,.dot,.dotx
+ The registry key can be abused to load malware from the mentioned path. Reboot might be required.
+ supported_platforms:
+ - windows
+ executor:
+ command: |-
+ reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v STARTUP-PATH /t REG_SZ /d "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent" /f
+ cleanup_command: |-
+ reg delete HKCU\Software\Microsoft\Office\16.0\Word\Options /v STARTUP-PATH /f
+ name: command_prompt
+ elevation_required: true
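Review bot: `elevation_required: true` on the new test looks wrong: both the `reg add` and the cleanup `reg delete` target `HKCU`, which the current user can write without elevation, so unless the test is meant to run under a different account `elevation_required: false` is the accurate value and lets the test and its cleanup run as a standard user, which is also the scenario the description is about. The description's key path `HKCU\Software\Microsoft\Office\\Word\Options\STARTUP-PATH` has lost its version segment while the command hard-codes `16.0`; write it as `HKCU\Software\Microsoft\Office\<version>\Word\Options\STARTUP-PATH`, and consider exposing the Office version and the folder as `input_arguments` instead of hard-coding `16.0` and `C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent` (the latter assumes the default profile location; `%APPDATA%\Microsoft\Windows\Recent` does not). The cleanup command leaves the key path unquoted while `reg add` quotes it; `reg delete "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v STARTUP-PATH /f` keeps the two consistent. "Reboot might be required" is vaguer than needed — if a Word restart is what makes the value take effect, say so in the description.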