Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -645,6 +645,7 @@ privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
+privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,6,Modify Service to Run Arbitrary Binary (Powershell),1f896ce4-8070-4959-8a25-2658856a70c9,powershell
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
@@ -995,6 +996,7 @@ persistence,T1543.003,Create or Modify System Process: Windows Service,2,Service
 persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
 persistence,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
 persistence,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
+persistence,T1543.003,Create or Modify System Process: Windows Service,6,Modify Service to Run Arbitrary Binary (Powershell),1f896ce4-8070-4959-8a25-2658856a70c9,powershell
 persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
 persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -439,6 +439,7 @@ privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
+privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,6,Modify Service to Run Arbitrary Binary (Powershell),1f896ce4-8070-4959-8a25-2658856a70c9,powershell
 privilege-escalation,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
 privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 privilege-escalation,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
@@ -668,6 +669,7 @@ persistence,T1543.003,Create or Modify System Process: Windows Service,2,Service
 persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
 persistence,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
 persistence,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
+persistence,T1543.003,Create or Modify System Process: Windows Service,6,Modify Service to Run Arbitrary Binary (Powershell),1f896ce4-8070-4959-8a25-2658856a70c9,powershell
 persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
 persistence,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
 persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -854,6 +854,7 @@
   - Atomic Test #3: Service Installation PowerShell [windows]
   - Atomic Test #4: TinyTurla backdoor service w64time [windows]
   - Atomic Test #5: Remote Service Installation CMD [windows]
+  - Atomic Test #6: Modify Service to Run Arbitrary Binary (Powershell) [windows]
 - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
   - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
   - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
@@ -1350,6 +1351,7 @@
   - Atomic Test #3: Service Installation PowerShell [windows]
   - Atomic Test #4: TinyTurla backdoor service w64time [windows]
   - Atomic Test #5: Remote Service Installation CMD [windows]
+  - Atomic Test #6: Modify Service to Run Arbitrary Binary (Powershell) [windows]
 - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
   - Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
   - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -602,6 +602,7 @@
   - Atomic Test #3: Service Installation PowerShell [windows]
   - Atomic Test #4: TinyTurla backdoor service w64time [windows]
   - Atomic Test #5: Remote Service Installation CMD [windows]
+  - Atomic Test #6: Modify Service to Run Arbitrary Binary (Powershell) [windows]
 - [T1547.012 Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md)
   - Atomic Test #1: Print Processors [windows]
 - [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
@@ -931,6 +932,7 @@
   - Atomic Test #3: Service Installation PowerShell [windows]
   - Atomic Test #4: TinyTurla backdoor service w64time [windows]
   - Atomic Test #5: Remote Service Installation CMD [windows]
+  - Atomic Test #6: Modify Service to Run Arbitrary Binary (Powershell) [windows]
 - [T1137 Office Application Startup](../../T1137/T1137.md)
   - Atomic Test #1: Office Application Startup - Outlook as a C2 [windows]
 - [T1547.012 Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md)

atomics/Indexes/index.yaml

@@ -33203,9 +33203,41 @@ privilege-escalation:
         command: |
           sc.exe \\#{remote_host} create #{service_name} binPath= "#{binary_path}" start=#{startup_type} type=#{service_type}
           sc.exe \\#{remote_host} start #{service_name}
-        cleanup_command: |-
+        cleanup_command: |
           sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
           sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
+    - name: Modify Service to Run Arbitrary Binary (Powershell)
+      auto_generated_guid: 1f896ce4-8070-4959-8a25-2658856a70c9
+      description: "This test will use PowerShell to temporarily modify a service
+        to run an arbitrary executable by changing its binary path and will then revert
+        the binary path change, restoring the service to its original state.\nThis
+        technique was previously observed through SnapMC's use of Powerspolit's invoke-serviceabuse
+        function. \n[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        service_name:
+          description: Name of the service to modify
+          type: string
+          default: fax
+        new_bin_path:
+          description: Path of the new service binary
+          type: String
+          default: "$env:windir\\system32\\notepad.exe"
+        original_bin_path:
+          description: Path of the original service binary
+          type: String
+          default: "$env:windir\\system32\\fxssvc.exe"
+      executor:
+        command: |-
+          Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
+          set-servicebinarypath -name "#{service_name}" -path "#{new_bin_path}"
+          start-service -Name "#{service_name}" -erroraction silentlycontinue | out-null
+        cleanup_command: |-
+          Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
+          set-servicebinarypath -name "#{service_name}" -path "#{original_bin_path}" -erroraction silentlycontinue | out-null
+        name: powershell
+        elevation_required: true
   T1053.003:
     technique:
       x_mitre_platforms:
@@ -55403,9 +55435,41 @@ persistence:
         command: |
           sc.exe \\#{remote_host} create #{service_name} binPath= "#{binary_path}" start=#{startup_type} type=#{service_type}
           sc.exe \\#{remote_host} start #{service_name}
-        cleanup_command: |-
+        cleanup_command: |
           sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
           sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
+    - name: Modify Service to Run Arbitrary Binary (Powershell)
+      auto_generated_guid: 1f896ce4-8070-4959-8a25-2658856a70c9
+      description: "This test will use PowerShell to temporarily modify a service
+        to run an arbitrary executable by changing its binary path and will then revert
+        the binary path change, restoring the service to its original state.\nThis
+        technique was previously observed through SnapMC's use of Powerspolit's invoke-serviceabuse
+        function. \n[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        service_name:
+          description: Name of the service to modify
+          type: string
+          default: fax
+        new_bin_path:
+          description: Path of the new service binary
+          type: String
+          default: "$env:windir\\system32\\notepad.exe"
+        original_bin_path:
+          description: Path of the original service binary
+          type: String
+          default: "$env:windir\\system32\\fxssvc.exe"
+      executor:
+        command: |-
+          Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
+          set-servicebinarypath -name "#{service_name}" -path "#{new_bin_path}"
+          start-service -Name "#{service_name}" -erroraction silentlycontinue | out-null
+        cleanup_command: |-
+          Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
+          set-servicebinarypath -name "#{service_name}" -path "#{original_bin_path}" -erroraction silentlycontinue | out-null
+        name: powershell
+        elevation_required: true
   T1053.003:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -27534,9 +27534,41 @@ privilege-escalation:
         command: |
           sc.exe \\#{remote_host} create #{service_name} binPath= "#{binary_path}" start=#{startup_type} type=#{service_type}
           sc.exe \\#{remote_host} start #{service_name}
-        cleanup_command: |-
+        cleanup_command: |
           sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
           sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
+    - name: Modify Service to Run Arbitrary Binary (Powershell)
+      auto_generated_guid: 1f896ce4-8070-4959-8a25-2658856a70c9
+      description: "This test will use PowerShell to temporarily modify a service
+        to run an arbitrary executable by changing its binary path and will then revert
+        the binary path change, restoring the service to its original state.\nThis
+        technique was previously observed through SnapMC's use of Powerspolit's invoke-serviceabuse
+        function. \n[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        service_name:
+          description: Name of the service to modify
+          type: string
+          default: fax
+        new_bin_path:
+          description: Path of the new service binary
+          type: String
+          default: "$env:windir\\system32\\notepad.exe"
+        original_bin_path:
+          description: Path of the original service binary
+          type: String
+          default: "$env:windir\\system32\\fxssvc.exe"
+      executor:
+        command: |-
+          Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
+          set-servicebinarypath -name "#{service_name}" -path "#{new_bin_path}"
+          start-service -Name "#{service_name}" -erroraction silentlycontinue | out-null
+        cleanup_command: |-
+          Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
+          set-servicebinarypath -name "#{service_name}" -path "#{original_bin_path}" -erroraction silentlycontinue | out-null
+        name: powershell
+        elevation_required: true
   T1053.003:
     technique:
       x_mitre_platforms:
@@ -45674,9 +45706,41 @@ persistence:
         command: |
           sc.exe \\#{remote_host} create #{service_name} binPath= "#{binary_path}" start=#{startup_type} type=#{service_type}
           sc.exe \\#{remote_host} start #{service_name}
-        cleanup_command: |-
+        cleanup_command: |
           sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
           sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
+    - name: Modify Service to Run Arbitrary Binary (Powershell)
+      auto_generated_guid: 1f896ce4-8070-4959-8a25-2658856a70c9
+      description: "This test will use PowerShell to temporarily modify a service
+        to run an arbitrary executable by changing its binary path and will then revert
+        the binary path change, restoring the service to its original state.\nThis
+        technique was previously observed through SnapMC's use of Powerspolit's invoke-serviceabuse
+        function. \n[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        service_name:
+          description: Name of the service to modify
+          type: string
+          default: fax
+        new_bin_path:
+          description: Path of the new service binary
+          type: String
+          default: "$env:windir\\system32\\notepad.exe"
+        original_bin_path:
+          description: Path of the original service binary
+          type: String
+          default: "$env:windir\\system32\\fxssvc.exe"
+      executor:
+        command: |-
+          Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
+          set-servicebinarypath -name "#{service_name}" -path "#{new_bin_path}"
+          start-service -Name "#{service_name}" -erroraction silentlycontinue | out-null
+        cleanup_command: |-
+          Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
+          set-servicebinarypath -name "#{service_name}" -path "#{original_bin_path}" -erroraction silentlycontinue | out-null
+        name: powershell
+        elevation_required: true
   T1053.003:
     technique:
       x_mitre_platforms:

atomics/T1543.003/T1543.003.md

@@ -20,6 +20,8 @@ Services may be created with administrator privileges but are executed under SYS
 
 - [Atomic Test #5 - Remote Service Installation CMD](#atomic-test-5---remote-service-installation-cmd)
 
+- [Atomic Test #6 - Modify Service to Run Arbitrary Binary (Powershell)](#atomic-test-6---modify-service-to-run-arbitrary-binary-powershell)
+
 
 <br/>
 
@@ -272,4 +274,48 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - Modify Service to Run Arbitrary Binary (Powershell)
+This test will use PowerShell to temporarily modify a service to run an arbitrary executable by changing its binary path and will then revert the binary path change, restoring the service to its original state.
+This technique was previously observed through SnapMC's use of Powerspolit's invoke-serviceabuse function. 
+[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 1f896ce4-8070-4959-8a25-2658856a70c9
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| service_name | Name of the service to modify | string | fax|
+| new_bin_path | Path of the new service binary | String | $env:windir&#92;system32&#92;notepad.exe|
+| original_bin_path | Path of the original service binary | String | $env:windir&#92;system32&#92;fxssvc.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
+set-servicebinarypath -name "#{service_name}" -path "#{new_bin_path}"
+start-service -Name "#{service_name}" -erroraction silentlycontinue | out-null
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Service -Name "#{service_name}" -force -erroraction silentlycontinue | Out-Null
+set-servicebinarypath -name "#{service_name}" -path "#{original_bin_path}" -erroraction silentlycontinue | out-null
+```
+
+
+
+
+
 <br/>