Update T1546.yaml (#2897)

* Update T1546.yaml New Test - Persistence via ErrorHandler.cmd script execution * Update T1546.yaml made the required changes --------- Co-authored-by: Carrie Roberts <[email protected]>
redcanaryco · Sep 14, 2024 · 6f59583 · 6f59583
1 parent a107a02
commit 6f59583
Showing 1 changed file with 23 additions and 1 deletion.
diff --git a/atomics/T1546/T1546.yaml b/atomics/T1546/T1546.yaml
@@ -169,6 +169,28 @@ atomic_tests:
       reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin" /f
     name: command_prompt
     elevation_required: true
+- name: Persistence via ErrorHandler.cmd script execution
+  description: |
+    Create persistence by triggering script within ErrorHandler.cmd upon the execution of specific binaries within the oobe directory.
+    Upon test execution, Setup.exe will be executed to further execute script within ErrorHandlercmd to launch Notepad.
+  supported_platforms:
+  - windows
+  dependencies:
+  - description: |
+      ErrorHandler.cmd script must exist on disk at specified at PathToAtomicsFolder\T1546\bin\ErrorHandler.cmd
+    prereq_command: |
+      if (Test-Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd) { exit 0} else { exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\T1546\src\" -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/src/ErrorHandler.cmd" -OutFile "PathToAtomicsFolder\T1546\src\ErrorHandler.cmd"      
+  executor:
+    command: |
+      Copy-Item -Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd -Destination C:\Windows\Setup\Scripts\ErrorHandler.cmd
+      C:\windows\System32\oobe\Setup
+    cleanup_command: |-
+      Remove-Item C:\Windows\Setup\Scripts\ErrorHandler.cmd      
+    name: powershell
+    elevation_required: true
 - name: Persistence using STARTUP-PATH in MS-WORD
   auto_generated_guid: f0027655-25ef-47b0-acaf-3d83d106156c
   description: |-
@@ -183,4 +205,4 @@ atomic_tests:
     cleanup_command: |-
       reg delete HKCU\Software\Microsoft\Office\16.0\Word\Options /v STARTUP-PATH /f
     name: command_prompt
-    elevation_required: true    
+    elevation_required: true