diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 4c7333d7..7575b89f 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -1,4 +1,4 @@ -# Contributor Covenant Code of Conduct +# Contributor Code of Conduct Welcome to the [Atomic Red Team online community](https://atomicredteam.io/). Our goal is to foster an open, safe, and welcoming environment. As a collective, we—as contributors, maintainers, and the Open Source Projects team of Red Canary—pledge to encourage our project and community to be a harassment-free space. We invite you to collaborate, exchange thoughts or information, and engage with one another. Atomic Red Team is meant for everyone, regardless of age, personal appearance, body size, disability, nationality, race, ethnicity, gender identity and expression, level of experience or academics, religion, or sexual identity and orientation. diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 7763acf2..62af702d 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -266,6 +266,7 @@ privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscrip privilege-escalation,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt privilege-escalation,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt privilege-escalation,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell +privilege-escalation,T1543.003,Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt privilege-escalation,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell privilege-escalation,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell 
@@ -699,6 +700,7 @@ persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Pe persistence,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt persistence,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt persistence,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell +persistence,T1543.003,Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt persistence,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell persistence,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 0c26c68d..e924ef6c 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -171,6 +171,7 @@ privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscrip privilege-escalation,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt privilege-escalation,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt privilege-escalation,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell +privilege-escalation,T1543.003,Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt privilege-escalation,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell privilege-escalation,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell 
@@ -464,6 +465,7 @@ persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Pe persistence,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt persistence,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt persistence,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell +persistence,T1543.003,Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt persistence,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell persistence,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index f802d2c4..8c6277f2 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -455,6 +455,7 @@ - Atomic Test #1: Modify Fax service to run PowerShell [windows] - Atomic Test #2: Service Installation CMD [windows] - Atomic Test #3: Service Installation PowerShell [windows] + - Atomic Test #4: TinyTurla backdoor service w64time [windows] - [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md) - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] 
@@ -1158,6 +1159,7 @@ - Atomic Test #1: Modify Fax service to run PowerShell [windows] - Atomic Test #2: Service Installation CMD [windows] - Atomic Test #3: Service Installation PowerShell [windows] + - Atomic Test #4: TinyTurla backdoor service w64time [windows] - [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md) - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 21c0c29d..c33352ff 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -318,6 +318,7 @@ - Atomic Test #1: Modify Fax service to run PowerShell [windows] - Atomic Test #2: Service Installation CMD [windows] - Atomic Test #3: Service Installation PowerShell [windows] + - Atomic Test #4: TinyTurla backdoor service w64time [windows] - [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md) - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] @@ -811,6 +812,7 @@ - Atomic Test #1: Modify Fax service to run PowerShell [windows] - Atomic Test #2: Service Installation CMD [windows] - Atomic Test #3: Service Installation PowerShell [windows] + - Atomic Test #4: TinyTurla backdoor service w64time [windows] - [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md) - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index b54288eb..7d72b915 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -20485,6 +20485,36 @@ privilege-escalation: Stop-Service -Name "#{service_name}" 2>&1 | Out-Null try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()} catch {} + - name: TinyTurla backdoor service w64time + auto_generated_guid: ef0581fd-528e-4662-87bc-4c2affb86940 + description: | + It's running Dll as service to emulate the tine turla backdoor + + [Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html) + supported_platforms: + - windows + input_arguments: + dllfilename: + description: It specifies Dll file to run as service + type: string + default: "$PathToAtomicsFolder\\T1543.003\\bin\\w64time.dll" + executor: + command: |- + copy #{dllfilename} %systemroot%\system32\ + sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto + sc config W64Time DisplayName= "Windows 64 Time" + sc description W64Time "Maintain date and time synch on all clients and services in the network" + reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f + reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f + sc start W64Time + cleanup_command: |- + sc stop W64Time + sc.exe delete W64Time + del %systemroot%\system32\w64time.dll + reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f + reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f + name: command_prompt + elevation_required: true T1547.004: technique: created: '2020-01-24T16:59:59.688Z' 
@@ -50420,6 +50450,36 @@ persistence: Stop-Service -Name "#{service_name}" 2>&1 | Out-Null try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()} catch {} + - name: TinyTurla backdoor service w64time + auto_generated_guid: ef0581fd-528e-4662-87bc-4c2affb86940 + description: | + It's running Dll as service to emulate the tine turla backdoor + + [Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html) + supported_platforms: + - windows + input_arguments: + dllfilename: + description: It specifies Dll file to run as service + type: string + default: "$PathToAtomicsFolder\\T1543.003\\bin\\w64time.dll" + executor: + command: |- + copy #{dllfilename} %systemroot%\system32\ + sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto + sc config W64Time DisplayName= "Windows 64 Time" + sc description W64Time "Maintain date and time synch on all clients and services in the network" + reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f + reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f + sc start W64Time + cleanup_command: |- + sc stop W64Time + sc.exe delete W64Time + del %systemroot%\system32\w64time.dll + reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f + reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f + name: command_prompt + elevation_required: true T1547.004: technique: created: '2020-01-24T16:59:59.688Z' diff --git a/atomics/T1543.003/T1543.003.md b/atomics/T1543.003/T1543.003.md index 7044982f..b82342be 100644 --- a/atomics/T1543.003/T1543.003.md +++ b/atomics/T1543.003/T1543.003.md 
@@ -16,6 +16,8 @@ Services may be created with administrator privileges but are executed under SYS - [Atomic Test #3 - Service Installation PowerShell](#atomic-test-3---service-installation-powershell) +- [Atomic Test #4 - TinyTurla backdoor service w64time](#atomic-test-4---tinyturla-backdoor-service-w64time) +
@@ -160,4 +162,53 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato +
+
+ +## Atomic Test #4 - TinyTurla backdoor service w64time +It's running Dll as service to emulate the tine turla backdoor + +[Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html) + +**Supported Platforms:** Windows + + +**auto_generated_guid:** ef0581fd-528e-4662-87bc-4c2affb86940 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| dllfilename | It specifies Dll file to run as service | string | $PathToAtomicsFolder\T1543.003\bin\w64time.dll| + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +copy #{dllfilename} %systemroot%\system32\ +sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto +sc config W64Time DisplayName= "Windows 64 Time" +sc description W64Time "Maintain date and time synch on all clients and services in the network" +reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f +reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f +sc start W64Time +``` + +#### Cleanup Commands: +```cmd +sc stop W64Time +sc.exe delete W64Time +del %systemroot%\system32\w64time.dll +reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f +reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f +``` + + + + +
diff --git a/atomics/T1543.003/T1543.003.yaml b/atomics/T1543.003/T1543.003.yaml
index b126530e..5e1f6018 100644
--- a/atomics/T1543.003/T1543.003.yaml
+++ b/atomics/T1543.003/T1543.003.yaml
@@ -91,3 +91,33 @@ atomic_tests:
 Stop-Service -Name "#{service_name}" 2>&1 | Out-Null
 try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()} catch {}
+- name: TinyTurla backdoor service w64time
+ auto_generated_guid: ef0581fd-528e-4662-87bc-4c2affb86940
+ description: |
+ It's running Dll as service to emulate the tine turla backdoor
+
+ [Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html)
+ supported_platforms:
+ - windows
+ input_arguments:
+ dllfilename:
+ description: It specifies Dll file to run as service
+ type: string
+ default: $PathToAtomicsFolder\T1543.003\bin\w64time.dll
+ executor:
+ command: |-
+ copy #{dllfilename} %systemroot%\system32\
+ sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto
+ sc config W64Time DisplayName= "Windows 64 Time"
+ sc description W64Time "Maintain date and time synch on all clients and services in the network"
+ reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f
+ reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f
+ sc start W64Time
+ cleanup_command: |-
+ sc stop W64Time
+ sc.exe delete W64Time
+ del %systemroot%\system32\w64time.dll
+ reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f
+ reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
+ name: command_prompt
+ elevation_required: true
diff --git a/atomics/T1543.003/bin/W64Time.dll b/atomics/T1543.003/bin/W64Time.dll
new file mode 100644
index 00000000..320e3e4b
Binary files /dev/null and b/atomics/T1543.003/bin/W64Time.dll differ
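Review bot: The `reg add ... /v ServiceDll` line hard-codes `%systemroot%\system32\w64time.dll` while the `copy` line takes `#{dllfilename}`, so a DLL supplied under any other basename is copied but never loaded by the service, and the cleanup `del` misses that copy as well; either state the constraint in the input description (`It specifies the DLL to run as the service; it is copied into %systemroot%\system32 and must be named w64time.dll, which the ServiceDll value references`) or derive the ServiceDll and `del` paths from the same input. The cleanup also leaves `C:\ART_W64Time.txt` behind, which `main_payload` in src/W64Time.cpp writes, so `del C:\ART_W64Time.txt` belongs after the `del %systemroot%\system32\w64time.dll` line. The description misspells "tine turla" for TinyTurla. bin/W64Time.dll is committed prebuilt next to src/W64Time.cpp with no build notes, so a reader cannot confirm the binary matches the source; a one-line build note in the description would help. The generated copies in atomics/Indexes/index.yaml and T1543.003.md repeat the same text and follow from this file.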
diff --git a/atomics/T1543.003/src/W64Time.cpp b/atomics/T1543.003/src/W64Time.cpp
new file mode 100644
index 00000000..b6c73e03
--- /dev/null
+++ b/atomics/T1543.003/src/W64Time.cpp
@@ -0,0 +1,98 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "pch.h"
+#include
+#include
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+ DWORD ul_reason_for_call,
+ LPVOID lpReserved
+ )
+{
+ switch (ul_reason_for_call)
+ {
+ case DLL_PROCESS_ATTACH:
+ case DLL_THREAD_ATTACH:
+ case DLL_THREAD_DETACH:
+ case DLL_PROCESS_DETACH:
+ break;
+ }
+ return TRUE;
+}
+
+SERVICE_STATUS_HANDLE SvcStatusH;
+
+//Initialize Service_Status Structure serviceType and CurrentState values
+SERVICE_STATUS SvcStatusS =
+{
+ //dwServiceType
+ SERVICE_WIN32_SHARE_PROCESS,
+ //dwCurrentState
+ SERVICE_START_PENDING,
+ //dwControlsAccepted
+ SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN | SERVICE_ACCEPT_PAUSE_CONTINUE
+};
+
+
+DWORD WINAPI SvcCtrlHandler(
+ DWORD dwControl,
+ DWORD dwEventType,
+ LPVOID lpEventData,
+ LPVOID lpContext
+)
+{
+ // Handle the requested control code.
+
+ switch (dwControl)
+ {
+ case SERVICE_CONTROL_STOP: //Notifies Service it should stop. Should only return "NO_ERROR". Same action as Service Control Shutdown
+ case SERVICE_CONTROL_SHUTDOWN: //Notifies a service that the system is shutting down so the service can perform cleanup tasks.
+ //Manually set state to "SERVICE_STOPPED" After cleanup commands are run (none in this case)
+ SvcStatusS.dwCurrentState = SERVICE_STOPPED;
+ break;
+ case SERVICE_CONTROL_PAUSE: //Notifies a service that it should pause.
+ SvcStatusS.dwCurrentState = SERVICE_PAUSED;
+ break;
+ case SERVICE_CONTROL_CONTINUE://Notifies a service that it should Continue after pause.
+ SvcStatusS.dwCurrentState = SERVICE_RUNNING;
+ break;
+ case SERVICE_CONTROL_INTERROGATE:
+ break;
+ default:
+ break;
+ };
+
+ SetServiceStatus(SvcStatusH, &SvcStatusS);
+
+ return NO_ERROR;
+}
+
+VOID main_payload() {
+ using namespace std;
+ ofstream myfile;
+ myfile.open("C:\\ART_W64Time.txt");
+ myfile << "Hello from the Atomic Red Team.\n";
+ myfile.close();
+ return;
+}
+
+extern "C" __declspec(dllexport) VOID WINAPI ServiceMain(DWORD dwArgc, LPCWSTR * lpszArgv)
+{
+
+ SvcStatusH = RegisterServiceCtrlHandlerEx(
+ L"W64Time",
+ SvcCtrlHandler,
+ nullptr
+ );
+
+ if (!SvcStatusH)
+ {
+ return;
+ }
+ // Report initial status to the SCM
+
+ SvcStatusS.dwCurrentState = SERVICE_RUNNING;
+
+ SetServiceStatus(SvcStatusH, &SvcStatusS);
+ main_payload();
+
+}
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 7aff52be..f27565b5 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -850,3 +850,4 @@ c510d25b-1667-467d-8331-a56d3e9bc4ff
 deecd55f-afe0-4a62-9fba-4d1ba2deb321
 d239772b-88e2-4a2e-8473-897503401bcc
 eb8da98a-2e16-4551-b3dd-83de49baa14c
+ef0581fd-528e-4662-87bc-4c2affb86940
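Review bot: `ServiceMain` returns straight after `main_payload()` while the last status reported to the SCM is still `SERVICE_RUNNING`, so the service is shown as running with no thread behind it, and neither `SetServiceStatus` call has its return value checked. If the test only needs the marker file, report completion before returning, `SvcStatusS.dwCurrentState = SERVICE_STOPPED; SvcStatusS.dwWin32ExitCode = NO_ERROR; SetServiceStatus(SvcStatusH, &SvcStatusS);`; if the service is meant to stay resident for the emulation, `ServiceMain` has to block (for example on an event that `SvcCtrlHandler` signals on stop) rather than return. The two bare `#include` lines after `"pch.h"` look like angle-bracket headers stripped in rendering (presumably `<windows.h>` and `<fstream>`), which is worth confirming against the committed source. `main_payload` never checks that `myfile.open` succeeded, so a failed write is silent; a comment on `SvcStatusS` noting that the members not listed in the initializer are zero-initialized would also help a reader of the aggregate.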