T1112 Registry Modification to Store PowerShell Code (#693)

* T1112 - Storing PoSH code in Registry * Generate docs from job=validate_atomics_generate_docs branch=t1112-posh-code
2019-11-26 18:59:41 -06:00
parent 979695d818
commit 20563e42ed
5 changed files with 96 additions and 0 deletions
@@ -18,6 +18,8 @@ The Registry of a remote system may be modified to aid in execution of files as

 - [Atomic Test #4 - Modify registry to store logon credentials](#atomic-test-4---modify-registry-to-store-logon-credentials)

+- [Atomic Test #5 - Modify registry to store PowerShell code](#atomic-test-5---modify-registry-to-store-powershell-code)
+

 <br/>

@@ -139,3 +141,34 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
 ```

 <br/>
+<br/>
+
+## Atomic Test #5 - Modify registry to store PowerShell code
+Sets Windows Registry key containing base64-encoded PowerShell code.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"|
+| registry_key_storage | Windows Registry Key to store code | String | HKCU:Software\Microsoft\Windows\CurrentVersion|
+| registry_entry_storage | Windows Registry entry to store code under key | String | Debug|
+
+#### Run it with `powershell`! 
+```
+$OriginalCommand = '#{powershell_command}'
+$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
+$EncodedCommand =[Convert]::ToBase64String($Bytes)
+$EncodedCommand
+Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
+```
+
+
+#### Cleanup Commands:
+```
+Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}
+```
+
+<br/>
@@ -100,3 +100,33 @@ atomic_tests:
        reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
      cleanup_command: |
        reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f
+
+- name: Modify registry to store PowerShell code
+  description: |
+    Sets Windows Registry key containing base64-encoded PowerShell code.
+  supported_platforms:
+    - windows
+  input_arguments:
+      powershell_command:
+        description: PowerShell command to encode
+        type: String
+        default: Write-Host "Hey, Atomic!"
+      registry_key_storage:
+        description: Windows Registry Key to store code
+        type: String
+        default: HKCU:Software\Microsoft\Windows\CurrentVersion
+      registry_entry_storage:
+        description: Windows Registry entry to store code under key
+        type: String
+        default: Debug
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      $OriginalCommand = '#{powershell_command}'
+      $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
+      $EncodedCommand =[Convert]::ToBase64String($Bytes)
+      $EncodedCommand
+      Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
+    cleanup_command: |
+      Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}
@@ -305,6 +305,7 @@
  - Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
  - Atomic Test #3: Modify Registry of Another User Profile [windows]
  - Atomic Test #4: Modify registry to store logon credentials [windows]
+  - Atomic Test #5: Modify registry to store PowerShell code [windows]
 - [T1170 Mshta](./T1170/T1170.md)
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
  - Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
@@ -9256,6 +9256,37 @@ defense-evasion:
          /v UseLogonCredential /t REG_DWORD /d 0 /f

 '
+    - name: Modify registry to store PowerShell code
+      description: 'Sets Windows Registry key containing base64-encoded PowerShell
+        code.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        powershell_command:
+          description: PowerShell command to encode
+          type: String
+          default: Write-Host "Hey, Atomic!"
+        registry_key_storage:
+          description: Windows Registry Key to store code
+          type: String
+          default: HKCU:Software\Microsoft\Windows\CurrentVersion
+        registry_entry_storage:
+          description: Windows Registry entry to store code under key
+          type: String
+          default: Debug
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $OriginalCommand = '#{powershell_command}'
+          $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
+          $EncodedCommand =[Convert]::ToBase64String($Bytes)
+          $EncodedCommand
+          Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
+        cleanup_command: 'Remove-ItemProperty -Force -Path -Path #{registry_key_storage}
+          -Name #{registry_entry_storage}'
  T1170:
    technique:
      x_mitre_data_sources:
@@ -102,6 +102,7 @@
  - Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
  - Atomic Test #3: Modify Registry of Another User Profile [windows]
  - Atomic Test #4: Modify registry to store logon credentials [windows]
+  - Atomic Test #5: Modify registry to store PowerShell code [windows]
 - [T1170 Mshta](./T1170/T1170.md)
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
  - Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]