Add T1050: Windows - Persistence - Service Installation
parent
0eb05ace09
commit
2e675d73f8
|
@ -0,0 +1,16 @@
|
|||
# Service Installation
|
||||
|
||||
MITRE ATT&CK Technique: [T1050](https://attack.mitre.org/wiki/Technique/T1050)
|
||||
|
||||
## sc.exe
|
||||
|
||||
Input:
|
||||
|
||||
sc create TestService binPath="C:\Path\file.exe"
|
||||
|
||||
|
||||
## PowerShell
|
||||
|
||||
Input:
|
||||
|
||||
powershell New-Service -Name "TestService" -BinaryPathName "C:\Path\file.exe"
|
|
@ -12,7 +12,7 @@
|
|||
| Component Object Model Hijacking | Exploitation of Vulnerability | DLL Search Order Hijacking | Network Sniffing | Process Discovery | Remote Services | Process Hollowing | Email Collection | Exfiltration Over Physical Medium | Fallback Channels |
|
||||
| DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | Private Keys | [Query Registry](Discovery/Query%20Registry.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | Scheduled Transfer | Multi-Stage Channels |
|
||||
| External Remote Services | Local Port Monitor | [Deobfuscate/Decode Files or Information](Defense Evasion/Deobfuscate_Decode_Files_Or_Information.md) | Two-Factor Authentication Interception | [Remote System Discovery](Discovery/Remote%20System%20Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Screen Capture | | Multiband Communication |
|
||||
| File System Permissions Weakness | New Service | Disabling Security Tools | | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Taint Shared Content | Rundll32 | Video Capture | | Multilayer Encryption |
|
||||
| File System Permissions Weakness | [New Service](Persistence/Service_Installation.md) | Disabling Security Tools | | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Taint Shared Content | Rundll32 | Video Capture | | Multilayer Encryption |
|
||||
| Hidden Files and Directories | Path Interception | Exploitation of Vulnerability | | [System Information Discovery](Discovery/System%20Information%20Discovery.md) | Third-party Software | [Scheduled Task](Persistence/Scheduled_Task.md) | | | Remote File Copy |
|
||||
| Hypervisor | [Scheduled Task](Persistence/Scheduled_Task.md) | [File Deletion](Defense%20Evasion/File_Deletion.md) | | System Network Configuration Discovery | [Windows Admin Shares](Lateral%20Movement/Windows%20Admin%20Shares.md) | Scripting | | | Standard Application Layer Protocol |
|
||||
| Local Port Monitor | Service Registry Permissions Weakness | File System Logical Offsets | | System Network Connections Discovery | Windows Remote Management | Service Execution | | | Standard Cryptographic Protocol |
|
||||
|
|
Loading…
Reference in New Issue