From 03b7cd199225ba99a1b93d44dbbfbf0d3971322a Mon Sep 17 00:00:00 2001 From: traceflow Date: Wed, 25 Oct 2023 23:40:13 -0400 Subject: [PATCH] Adding termsrv.dll path modification (#2576) * adding test for t1505.005, fixing issue with existing test to simulate termsrv.dll patching * adding test for t1505.005, fixing issue with existing test to simulate termsrv.dll patching * adding test for t1505.005, fixing issue with existing test to simulate termsrv.dll patching * adding test for t1505.005, fixing issue with existing test to simulate termsrv.dll patching * adding test for t1505.005, fixing issue with existing test to simulate termsrv.dll patching * adding test for t1505.005, fixing issue with existing test to simulate termsrv.dll patching * adding test for t1505.005, fixing issue with existing test to simulate termsrv.dll patching * adding test for t1505.005, fixing issue with existing test to simulate termsrv.dll patching * restore original guid --------- Co-authored-by: Carrie Roberts --- atomics/T1505.005/T1505.005.yaml | 44 +++++++++++++++++++++++++++++--- 1 file changed, 41 insertions(+), 3 deletions(-) diff --git a/atomics/T1505.005/T1505.005.yaml b/atomics/T1505.005/T1505.005.yaml index 8c4133f9..a940bcfb 100644 --- a/atomics/T1505.005/T1505.005.yaml +++ b/atomics/T1505.005/T1505.005.yaml @@ -2,7 +2,7 @@ attack_technique: T1505.005 display_name: 'Server Software Component: Terminal Services DLL' atomic_tests: - name: Simulate Patching termsrv.dll - auto_generated_guid: 0b2eadeb-4a64-4449-9d43-3d999f4a317b + auto_generated_guid: 0b2eadeb-4a64-4449-9d43-3d999f4a317b description: | Simulates patching of termsrv.dll by making a benign change to the file and replacing it with the original afterwards. Before we can make the modifications we need to take ownership of the file and grant ourselves the necessary permissions. @@ -11,11 +11,13 @@ atomic_tests: executor: elevation_required: true command: | - $ACL = Get-Acl $fileName + $termsrvDll = "C:\Windows\System32\termsrv.dll" + + $ACL = Get-Acl $termsrvDll $permission = "Administrators","FullControl","Allow" $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission $ACL.SetAccessRule($accessRule) - Set-Acl -Path $fileName -AclObject $ACL + Set-Acl -Path $termsrvDll -AclObject $ACL Copy-Item -Path "C:\Windows\System32\termsrv.dll" -Destination "C:\Windows\System32\termsrv_backup.dll" -ErrorAction Ignore Add-Content -Path "C:\Windows\System32\termsrv.dll" -Value "`n" -NoNewline -ErrorAction Ignore @@ -23,3 +25,39 @@ atomic_tests: cleanup_command: | Move-Item -Path "C:\Windows\System32\termsrv_backup.dll" -Destination "C:\Windows\System32\termsrv.dll" -Force -ErrorAction Ignore name: powershell + +- name: Modify Terminal Services DLL Path + description: This atomic test simulates the modification of the ServiceDll value in HKLM\System\CurrentControlSet\services\TermService\Parameters. This technique may be leveraged by adversaries to establish persistence by loading a patched version of the DLL containing malicious code. + supported_platforms: + - windows + executor: + elevation_required: true + command: |- + $termsrvDll = "C:\Windows\System32\termsrv.dll" + + $ACL = Get-Acl $termsrvDll + $permission = "Administrators","FullControl","Allow" + $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission + $ACL.SetAccessRule($accessRule) + Set-Acl -Path $termsrvDll -AclObject $ACL + + Copy-Item -Path $termsrvDll -Destination "$HOME\AtomicTest.dll" + + $newServiceDll = "$HOME\AtomicTest.dll" + + $registryPath = "HKLM:\System\CurrentControlSet\services\TermService\Parameters" + + # Check if the registry key exists + if (Test-Path -Path $registryPath) { + # Modify the ServiceDll value in the registry + Set-ItemProperty -Path $registryPath -Name "ServiceDll" -Value $newServiceDll + Write-Host "ServiceDll value in the registry has been updated to: $newServiceDll" + } else { + Write-Host "Registry key not found. Make sure the 'TermService\Parameters' key exists." + } + + cleanup_command: Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\services\TermService\Parameters" -Name "ServiceDll" -Value "C:\Windows\System32\termsrv.dll" + + name: powershell + + elevation_required: true