From 2e675d73f881e3274d3bd6137119e48aea385a4b Mon Sep 17 00:00:00 2001 From: Yohann Lepage Date: Thu, 16 Nov 2017 23:27:14 +0100 Subject: [PATCH] Add T1050: Windows - Persistence - Service Installation --- Windows/Persistence/Service_Installation.md | 16 ++++++++++++++++ Windows/README.md | 2 +- 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 Windows/Persistence/Service_Installation.md diff --git a/Windows/Persistence/Service_Installation.md b/Windows/Persistence/Service_Installation.md new file mode 100644 index 0000000..f2a8f98 --- /dev/null +++ b/Windows/Persistence/Service_Installation.md @@ -0,0 +1,16 @@ +# Service Installation + +MITRE ATT&CK Technique: [T1050](https://attack.mitre.org/wiki/Technique/T1050) + +## sc.exe + +Input: + + sc create TestService binPath="C:\Path\file.exe" + + +## PowerShell + +Input: + + powershell New-Service -Name "TestService" -BinaryPathName "C:\Path\file.exe" diff --git a/Windows/README.md b/Windows/README.md index b441219..10ecdf5 100644 --- a/Windows/README.md +++ b/Windows/README.md 
@@ -12,7 +12,7 @@ | Component Object Model Hijacking | Exploitation of Vulnerability | DLL Search Order Hijacking | Network Sniffing | Process Discovery | Remote Services | Process Hollowing | Email Collection | Exfiltration Over Physical Medium | Fallback Channels | | DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | Private Keys | [Query Registry](Discovery/Query%20Registry.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | Scheduled Transfer | Multi-Stage Channels | | External Remote Services | Local Port Monitor | [Deobfuscate/Decode Files or Information](Defense Evasion/Deobfuscate_Decode_Files_Or_Information.md) | Two-Factor Authentication Interception | [Remote System Discovery](Discovery/Remote%20System%20Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Screen Capture | | Multiband Communication | -| File System Permissions Weakness | New Service | Disabling Security Tools | | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Taint Shared Content | Rundll32 | Video Capture | | Multilayer Encryption | +| File System Permissions Weakness | [New Service](Persistence/Service_Installation.md) | Disabling Security Tools | | [Security Software Discovery](Discovery/Security_Software_Discovery.md) | Taint Shared Content | Rundll32 | Video Capture | | Multilayer Encryption | | Hidden Files and Directories | Path Interception | Exploitation of Vulnerability | | [System Information Discovery](Discovery/System%20Information%20Discovery.md) | Third-party Software | [Scheduled Task](Persistence/Scheduled_Task.md) | | | Remote File Copy | | Hypervisor | [Scheduled Task](Persistence/Scheduled_Task.md) | [File Deletion](Defense%20Evasion/File_Deletion.md) | | System Network Configuration Discovery | [Windows Admin Shares](Lateral%20Movement/Windows%20Admin%20Shares.md) | Scripting | | | Standard Application Layer Protocol | | Local Port Monitor 
| Service Registry Permissions Weakness | File System Logical Offsets | | System Network Connections Discovery | Windows Remote Management | Service Execution | | | Standard Cryptographic Protocol |
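Review bot: the new Service_Installation.md (first hunk) documents only the "Input:" side of each tool and has no corresponding output or evidence section, so the entry says what an operator types but not what a defender should look for afterwards. Suggest adding an "Output:" subsection under both "## sc.exe" and "## PowerShell" describing the artefacts the install leaves behind (for instance the Service Control Manager "service was installed" event, ID 7045 in the System log), which is what makes this kind of entry usable for writing detections. Minor: the double blank line after the sc.exe example and the bare `powershell` prefix on the New-Service line (the sc.exe section gives the command without a `cmd` wrapper) are inconsistent within the same file.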
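Review bot: in the README hunk the link text "New Service" does not match the linked file's own heading "# Service Installation" or the commit subject, so the table and the document disagree on the technique's name. Pick one: either keep "New Service" (the ATT&CK name for T1050) in the table and rename the file's H1 to match, or change the table cell to "[Service Installation](Persistence/Service_Installation.md)". Unrelated to this change but visible in the unchanged context: the "[Deobfuscate/Decode Files or Information](Defense Evasion/...)" link contains a literal space in its path, unlike the other links that use `%20`, and will not render as a link in most Markdown renderers.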