Commit

Update T1546.yaml (#2883)
New Test Added : Load custom DLL on mstsc execution

Co-authored-by: Carrie Roberts <[email protected]>
abhijose09 and clr2of8 authored Aug 3, 2024
1 parent e580d44 commit a1d2de5
Showing 1 changed file with 20 additions and 1 deletion.
21 changes: 20 additions & 1 deletion atomics/T1546/T1546.yaml
Expand Up @@ -121,6 +121,7 @@ atomic_tests:
# Clean up the CIM session
Remove-CimSession -CimSession $CimSession
- name: Adding custom debugger for Windows Error Reporting
auto_generated_guid: 17d1a3cc-3373-495a-857a-e5dd005fb302
description: |
Expand All @@ -135,6 +136,24 @@ atomic_tests:
reg delete "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs" /v Debugger /f
name: command_prompt
elevation_required: true
- name: Load custom DLL on mstsc execution
description: |
Adding ClxDllPath under Terminal Server Client subkey of HKLM hive with a path to custom DLL allows for DLL loading during execution of mstsc.exe
supported_platforms:
- windows
input_arguments:
dll_inf:
description: custom DLL to be executed
type: Path
default: 'C:\Windows\System32\amsi.dll'
executor:
command: |
reg add "HKLM\SOFTWARE\Microsoft\Terminal Server Client" /v ClxDllPath /t REG_SZ /d "#{dll_inf}" /f
cleanup_command: |-
reg delete "HKLM\SOFTWARE\Microsoft\Terminal Server Client" /v ClxDllPath /f
name: command_prompt
elevation_required: true

- name: Persistence using automatic execution of custom DLL during RDP session
auto_generated_guid: b7fc4c3f-fe6e-479a-ba27-ef91b88536e3
description: |-
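Review bot: The executor `command` of the new "Load custom DLL on mstsc execution" test only runs `reg add` to write `ClxDllPath` and never starts mstsc.exe, so the DLL load that the description refers to is not exercised by the test itself. The description should say that the test only stages the registry value and that the load happens on the next mstsc.exe start, so anyone validating detections knows the registry write under `HKLM\SOFTWARE\Microsoft\Terminal Server Client` is the only event this test produces. Two smaller points in the same block: the input argument is named `dll_inf` although it holds a DLL path and its default is `C:\Windows\System32\amsi.dll`, so a name such as `dll_path` and a description that mentions the default is an existing system DLL would read more clearly; and `cleanup_command` deletes `ClxDllPath` unconditionally, so a value that already existed on the host is overwritten by the `/f` in `reg add` and is not restored afterwards.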
Expand All @@ -148,4 +167,4 @@ atomic_tests:
cleanup_command: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin" /f
name: command_prompt
elevation_required: true
elevation_required: true
