
Commit

adding test for t1505.005, fixing issue with existing test to simulate termsrv.dll patching
traceflow committed Oct 18, 2023
1 parent c1279d8 commit ded6555
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions atomics/T1505.005/T1505.005.yaml
Expand Up @@ -2,6 +2,7 @@ attack_technique: T1505.005
display_name: 'Server Software Component: Terminal Services DLL'
atomic_tests:
- name: Simulate Patching termsrv.dll
auto_generated_guid:
description: |
Simulates patching of termsrv.dll by making a benign change to the file and replacing it with the original afterwards.
Before we can make the modifications we need to take ownership of the file and grant ourselves the necessary permissions.
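Review bot: `auto_generated_guid:` under `Simulate Patching termsrv.dll` is left with no value, so as committed this test has no stable identifier to reference or run by. If the repository's tooling is meant to populate the field, note that in the commit message; otherwise set a GUID here. The description also states that the file is replaced "with the original afterwards" and that ownership and permissions are changed first, but the visible lines do not show the restore step, so it is worth confirming that cleanup reverts the ownership and ACL changes as well as the file contents.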
Expand All @@ -26,6 +27,7 @@ atomic_tests:
name: powershell

- name: Modify Terminal Services DLL Path
auto_generated_guid:
description: This atomic test simulates the modification of the ServiceDll value in HKLM\System\CurrentControlSet\services\TermService\Parameters. This technique may be leveraged by adversaries to establish persistence by loading a patched version of the DLL containing malicious code.
supported_platforms:
- windows
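Review bot: the `description` of `Modify Terminal Services DLL Path` does not say whether the original `ServiceDll` value is put back, whereas the first test's description states that the file is replaced with the original afterwards. Because this value controls which DLL TermService loads, the description should state what the test writes and that cleanup restores the prior value. For consistency with the first test, consider the `description: |` block form instead of one long line. The `auto_generated_guid:` key here is also empty.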