Mirror of https://github.com/valitydev/atomic-threat-coverage.git (synced 2024-11-06 17:45:23 +00:00)
# T1050 - New Service

## Description from ATT&CK
When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry.

Adversaries may install a new service that can be configured to execute at startup, either by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software (Masquerading). Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.
## Atomic Tests

### Atomic Test #1 - Service Installation
Installs A Local Service
Supported Platforms: Windows
#### Inputs

| Name | Description | Type | Default Value |
|---|---|---|---|
| binary_path | Path to the service binary, including the file name | Path | C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe |
| service_name | Name of the service | String | AtomicTestService |
#### Run it with `command_prompt`!

```cmd
sc.exe create #{service_name} binPath= #{binary_path}
sc.exe start #{service_name}
sc.exe stop #{service_name}
sc.exe delete #{service_name}
```
### Atomic Test #2 - Service Installation PowerShell

Installs A Local Service via PowerShell
Supported Platforms: Windows
#### Inputs

| Name | Description | Type | Default Value |
|---|---|---|---|
| binary_path | Path to the service binary, including the file name | Path | C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe |
| service_name | Name of the service | String | AtomicTestService |
#### Run it with `powershell`!

```powershell
New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
Start-Service -Name "#{service_name}"
Stop-Service -Name "#{service_name}"
(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()
```
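Both tests above register a service with the Service Control Manager, which logs System event 7045 ("A service was installed in the system") for each installation. The following triage logic is an added example for the detection side, not part of Atomic Red Team: it parses constructed 7045 messages (one mirroring the default `sc.exe create` run, one a benign installer) and flags services whose binary lives outside an assumed allow-list of trusted directories, enriching each hit with the start type and account that make the technique useful for persistence and privilege escalation.

```python
import re

# Constructed sample messages laid out like System log event 7045 ("A service was
# installed in the system"), the record both tests above leave on a host.
SAMPLE_7045 = [
    "A service was installed in the system.\nService Name:  AtomicTestService\n"
    "Service File Name:  C:\\AtomicRedTeam\\atomics\\T1050\\bin\\AtomicService.exe\n"
    "Service Type:  user mode service\nService Start Type:  demand start\n"
    "Service Account:  LocalSystem",
    "A service was installed in the system.\nService Name:  ExampleUpdater\n"
    "Service File Name:  \"C:\\Program Files\\Example\\updater.exe\" /svc\n"
    "Service Type:  user mode service\nService Start Type:  auto start\n"
    "Service Account:  NT AUTHORITY\\LocalService",
]
# Where legitimately installed service binaries normally live (assumption: a
# production allow-list is longer and tuned to the estate).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")
FIELDS = {"Service Name": "ServiceName", "Service File Name": "ImagePath",
          "Service Type": "ServiceType", "Service Start Type": "StartType",
          "Service Account": "AccountName"}
FIELD_RE = re.compile(r"^(Service (?:Name|File Name|Type|Start Type|Account)):[ \t]*(.*)$", re.M)
UNTRUSTED = "binary outside trusted directories"

def parse_7045(message: str) -> dict:
    """Map one 7045 message onto the event's EventData field names."""
    return {FIELDS[k]: v.strip() for k, v in FIELD_RE.findall(message)}

def image_dir(image_path: str) -> str:
    """Lower-cased directory of the executable in an ImagePath, which may be
    quoted and/or carry arguments (e.g. svchost.exe -k netsvcs)."""
    if image_path.startswith('"'):
        exe = image_path[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.exe)(?:\s|$)", image_path, re.I)
        exe = m.group(1) if m else image_path.split()[0]
    return exe.rsplit("\\", 1)[0].lower()

def triage_7045(event: dict) -> list:
    """Reasons a new-service event deserves a look; empty means nothing stood out."""
    reasons = []
    if not image_dir(event["ImagePath"]).startswith(TRUSTED_DIRS):
        reasons.append(UNTRUSTED)
    if event.get("StartType", "").lower() == "auto start":
        reasons.append("auto start (persists across reboots)")
    if event.get("AccountName", "").lower() == "localsystem":
        reasons.append("runs as LocalSystem (admin-to-SYSTEM escalation)")
    return reasons

def flagged_services(messages) -> dict:
    """Service name -> reasons, for events whose binary sits outside TRUSTED_DIRS."""
    triaged = {ev["ServiceName"]: triage_7045(ev) for ev in map(parse_7045, messages)}
    return {name: r for name, r in triaged.items() if UNTRUSTED in r}
```

Start type and account alone are not flagged, since many legitimate services auto-start as LocalSystem; they are recorded as context once the binary location has already made the event worth a look.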