Update T1546.yaml (#2880)

* Update T1546.yaml New Test Added : Persistence using automatic execution of custom DLL during RDP session * Update T1546.yaml * Update T1546.yaml --------- Co-authored-by: Carrie Roberts <[email protected]>
redcanaryco · Aug 3, 2024 · d27673e · d27673e
1 parent aa9410b
commit d27673e
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/atomics/T1546/T1546.yaml b/atomics/T1546/T1546.yaml
@@ -135,3 +135,16 @@ atomic_tests:
       reg delete "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs" /v Debugger /f
     name: command_prompt
     elevation_required: true
+- name: Persistence using automatic execution of custom DLL during RDP session
+  description: |-
+    When remote desktop session is accepted, the system queries the key it queries the Registry key:HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin. 
+    If such key exists, the OS will attempt to read the Path value underneath.Once the Path is read, the DLL that it points to will be loaded via LoadLibrary.
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin" /v Path /t REG_SZ /d "C:\Windows\System32\amsi.dll" /f
+    cleanup_command: |-
+      reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin" /f
+    name: command_prompt
+    elevation_required: true