From 0a8ad64ee87f47354f60b39e249d91ae41147925 Mon Sep 17 00:00:00 2001
From: Badoodish <88710522+Badoodish@users.noreply.github.com>
Date: Wed, 24 Jul 2024 07:38:25 +1000
Subject: [PATCH] =?UTF-8?q?Added=20new=20test=20to=20T1614.001=20"Discover?= =?UTF-8?q?=20System=20Language=20by=20Windows=20API=20=E2=80=A6=20(#2857)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Added new test to T1614.001 "Discover System Language by Windows API Query"
* Fixed indentation on line 139. Added input arguments
* Fixed indentation on line 126
* Added markdown formatting.
* Added C# source code as requested
* Removed input arguments because not arguments are supported.
* Updated exe output
---------
Co-authored-by: Carrie Roberts
---
 atomics/T1614.001/T1614.001.yaml | 23 ++++++
 .../T1614.001/bin/LanguageKeyboardLayout.exe | Bin 0 -> 5632 bytes
 .../T1614.001/src/LanguageKeyboardLayout.cs | 67 ++++++++++++++++++
 3 files changed, 90 insertions(+)
 create mode 100644 atomics/T1614.001/bin/LanguageKeyboardLayout.exe
 create mode 100644 atomics/T1614.001/src/LanguageKeyboardLayout.cs
diff --git a/atomics/T1614.001/T1614.001.yaml b/atomics/T1614.001/T1614.001.yaml
index 7c99fea1..5fb35a07 100644
--- a/atomics/T1614.001/T1614.001.yaml
+++ b/atomics/T1614.001/T1614.001.yaml
@@ -114,3 +114,26 @@ atomic_tests:
 elevation_required: true
 command: |
 dism.exe /online /Get-Intl
+- name: Discover System Language by Windows API Query
+ description: |
+ This test executes a custom script called LanguageKeyboardLayout.exe which outputs the values of the following Windows API functions to the user terminal:
+
+ `GetKeyboardLayout`, `GetKeyboardLayoutList`, `GetUserDefaultUILanguage`, `GetSystemDefaultUILanguage`, `GetUserDefaultLangID`.
+
+ Documentation for these functions is located [here](https://learn.microsoft.com/en-us/windows/win32/api/winuser/).
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ LanguageKeyboardLayout.exe must exist on disk (default location: PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe)
+ prereq_command: |
+ if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe") {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe") -ErrorAction Ignore | Out-Null
+ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1614.001/bin/LanguageKeyboardLayout.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe"
+ executor:
+ name: command_prompt
+ elevation_required: false
+ command: |
+ PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe
\ No newline at end of file
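Review bot: The `get_prereq_command` fetches `LanguageKeyboardLayout.exe` from the `master` branch with no integrity check, so the binary that the `executor` command later runs can differ from the one reviewed in this commit. If the repository's convention allows it, pointing the `-Uri` at the commit that introduced the file rather than `master`, or comparing the downloaded file's hash against a recorded value before exiting, would make the prerequisite reproducible. The description also calls the payload a "custom script" although it is a compiled executable whose source is added in the same commit; `This test executes a custom compiled executable (source: atomics/T1614.001/src/LanguageKeyboardLayout.cs) called LanguageKeyboardLayout.exe which outputs ...` would point readers at the code they are running.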
diff --git a/atomics/T1614.001/bin/LanguageKeyboardLayout.exe b/atomics/T1614.001/bin/LanguageKeyboardLayout.exe new file mode 100644 index 0000000000000000000000000000000000000000..424cbe8b80027fa3b53d9d08051962bae8c015b8 GIT binary patch literal 5632 zcmeHLPi!1l8UJRz-hYmlIvb1&q#bV(v~BU)i7k`_yIKEBSh8uX_)kkf)U&&9?J2V} zn>RDYi&V6r2C0IU_RwqP14ocJG@_zHR6SKHxxfJd0tE>UaG;zxAk^^t-t2gH9b;LP z#tBB5k>Lby-V~adTs>;4+bqvryu=kn%+p>9(_|Q-5y=p zG+n(RoegQ!^@?HJj;EJ}E`3`!ZGGYDvR-$pB0o5oI@wmev`AFa`sm9SU$2GM?odP< z&<2Q(fRYHPuRnoa$5X(=Kt~q|{KiQ6&poy9fX=Ot3O9)!Qh%MkjRq`Kg5IkR*LB670RDw8!MrE7J>Wk;m?{>Iwe5GvrW38_r7J5SDBlVg#PFo? zbhQG!&r4xBU}QD4j)!#}!_(CYL~~uJ8n!sEXzW{r`swXaqVFY%G~n^T8c!d(WhVOQ zOAyB25ar-(EC)|wDG5SjATDp9%VD#n2I5Ca{*EzZJthChBe16ihL7dI8#|JC38*%h zNGkL*arx(tsH|wA8cJpo!@?ME`PtPIWE^Dp_Ta2{y-OU((NpV63fKm@(&$WY4&x*V*86B=2#{k zmw)fD%IBgTvG~4X@f_ZU6g~b(B!?wRJ&skGTmIslrdBIh`>m<`M1FE&^7J`gvVO7v ze}R0S_$JX=ti+#qyzEKS-f)@Y(+J=Wo)fFf^eP15J_)&7ql|rL;!NqQJir%}Mi@Owkc(`kA~ zn^NO*bWV+D>9<+|nPSd74bUoJhQ3OR^qRJVkostWy4jqf5f;6)KtTK2+vgb%k6IHN&^O)naIoCjyQ8PIbw!1hypj z=Y1)K?X7G|VN{D%x?-3%pGU8r={tM zl4%PfCq=VVA&*SjB7t3Y8L&xZa>yV_RZvP8HG%u!(kVw5F|yk-4o2rey#y)m9@%cm z$H12&GRLsP?*9*`NB=gR#RU(W&!_N~uzx~%EmTwo$LW5ENK4423v2C&oA*E3{VX5@ zt#74pV7LfdA{r6M3Nkxd(*8i2e34qD()TdywGv{z3%_~-X??ZMDE z0WYR#8GDykLs0#Hl!R`LhfYN6=7Wj)AS=j7^PnBEcMWx{>%xDvBSK9q-`)xSL7v^8 zImG*q)c6kYA2dknX2QI-SNaosLl-hH0>C>5s(+M$(WSNhXuWM-q{Q*8T)}go})o$newBXguZE zi`x~^;0puyjPrF@!_DfoYiYh@U*@sSqkCIea|bie&O35(Td0dnU9>`|8-Qo;o+7;v zusskMQT3mW@@NG1aKg5F%?5SW(tn_D?n7t!JxV~~Y!SVJXQx2)0*acj<>rb08cZwF z3y~@GYk1S21zeaCC$I}Uyldc<;O_V`f!eY25IsYm0zXH?rz46Z_--Lz z22M&;2KOB4dv8pB$-}xJ4~cChMYurN=Mu0DrEwnFXn>Qw-k?obBVvEomHn%2I%kIM zhq+bwx_uu;Y z^o8xZrEdx8;;o;_p3YBXbzxVWD!!#=va2f>$IfPT*E8&@VL7&#$u@Cf9SUrBChJT4yj$56b;BL2n-%G}PR$#uIQ8>}ThDKu&gyl;HfzH5*1D}hm9Fn9 zD^^hlqYmxy2p@m&$~NjSf2BFwXjmpnM);dI8jb9Dpuv;A>lN*qb4Y*AWR)CjyQ1Qw zyll2{P^7rw!%tCNlI9j_>J8x@QtM=>RY&XS!BJT8+2fMf5|(Z;oXHw)(cW@U6lZnc 
zoUNc{M;dE}<%)JtO3C;>-h{4?_xL_NzMBLvOpk{v1cX=nBh>WZ{{}ms{|LqW|4?@` F@Nc+H9UTAw literal 0 HcmV?d00001
diff --git a/atomics/T1614.001/src/LanguageKeyboardLayout.cs b/atomics/T1614.001/src/LanguageKeyboardLayout.cs
new file mode 100644
index 00000000..48e9f891
--- /dev/null
+++ b/atomics/T1614.001/src/LanguageKeyboardLayout.cs
@@ -0,0 +1,67 @@
+using System;
+using System.Runtime.InteropServices;
+
+class Program
+{
+ // Import the necessary Windows functions from user32.dll and kernel32.dll
+ [DllImport("user32.dll")]
+ static extern int GetKeyboardLayoutList(int nBuff, IntPtr[] lpList);
+
+ [DllImport("user32.dll")]
+ static extern IntPtr GetKeyboardLayout(uint idThread);
+
+ [DllImport("kernel32.dll")]
+ static extern uint GetUserDefaultUILanguage();
+
+ [DllImport("kernel32.dll")]
+ static extern uint GetSystemDefaultUILanguage();
+
+ [DllImport("kernel32.dll")]
+ static extern uint GetUserDefaultLangID();
+
+ [DllImport("kernel32.dll")]
+ static extern uint GetCurrentThreadId();
+
+ static void Main(string[] args)
+ {
+
+ // Get and display the active keyboard layout
+ IntPtr activeLayout = GetKeyboardLayout(GetCurrentThreadId());
+ string output = "\nActive Keyboard Layout (Function: GetKeyboardLayout):\n";
+ output += "---------------------------------------------------\n";
+ output += activeLayout.ToString("x8") + "\n";
+
+ // Get and display keyboard layouts
+ int numberOfLayouts = GetKeyboardLayoutList(0, null);
+ IntPtr[] layoutList = new IntPtr[numberOfLayouts];
+ GetKeyboardLayoutList(numberOfLayouts, layoutList);
+
+ output += "\nDetected Keyboard Layouts (Function: GetKeyboardLayoutList):\n";
+ output += "-----------------------------------------------------------\n";
+ foreach (var layout in layoutList)
+ {
+ output += layout.ToString("x8") + "\n";
+ }
+
+ // Get and display user default UI language
+ uint userDefaultUILanguage = GetUserDefaultUILanguage();
+ output += "\nUser Default UI Language (Function: GetUserDefaultUILanguage):\n";
+ output += "-------------------------------------------------------------\n";
+ output += userDefaultUILanguage.ToString("x8") + "\n";
+
+ // Get and display system default UI language
+ uint systemDefaultUILanguage = GetSystemDefaultUILanguage();
+ output += "\nSystem Default UI Language (Function: GetSystemDefaultUILanguage):\n";
+ output += "-----------------------------------------------------------------\n";
+ output += systemDefaultUILanguage.ToString("x8") + "\n";
+
+ // Get and display user default language ID
+ uint userDefaultLangID = GetUserDefaultLangID();
+ output += "\nUser Default Language ID (Function: GetUserDefaultLangID):\n";
+ output += "---------------------------------------------------------\n";
+ output += userDefaultLangID.ToString("x8") + "\n";
+
+ // Write to the console
+ Console.WriteLine(output);
+ }
+}
\ No newline at end of file
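Review bot: The `kernel32.dll` imports `GetUserDefaultUILanguage`, `GetSystemDefaultUILanguage` and `GetUserDefaultLangID` are declared as returning `uint`, but their Win32 prototypes return a LANGID, which is a 16-bit WORD; the calling convention does not guarantee that the upper bits of a 16-bit return value are zeroed, so the `ToString("x8")` lines for those three values may print stray high bits on some builds. Declaring them `static extern ushort GetUserDefaultUILanguage();`, `static extern ushort GetSystemDefaultUILanguage();` and `static extern ushort GetUserDefaultLangID();` (with the three locals typed `ushort` and formatted `"x4"`) matches the documented width. The return value of the second `GetKeyboardLayoutList` call is discarded; the function returns 0 on failure, in which case the loop below it silently prints an empty list, so comparing the result with `numberOfLayouts` and reporting a mismatch would make the output trustworthy. `args` in `Main` is unused and can be dropped, since the commit message notes no arguments are supported.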