From 20563e42eded6a95be076350b35a78d2239fde5d Mon Sep 17 00:00:00 2001 From: Tony M Lambert Date: Tue, 26 Nov 2019 18:59:41 -0600 Subject: [PATCH] T1112 Registry Modification to Store PowerShell Code (#693) * T1112 - Storing PoSH code in Registry * Generate docs from job=validate_atomics_generate_docs branch=t1112-posh-code --- atomics/T1112/T1112.md | 33 +++++++++++++++++++++++++++++++++ atomics/T1112/T1112.yaml | 30 ++++++++++++++++++++++++++++++ atomics/index.md | 1 + atomics/index.yaml | 31 +++++++++++++++++++++++++++++++ atomics/windows-index.md | 1 + 5 files changed, 96 insertions(+) diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index 8f0acce5..9acd2680 100644 --- a/atomics/T1112/T1112.md +++ b/atomics/T1112/T1112.md @@ -18,6 +18,8 @@ The Registry of a remote system may be modified to aid in execution of files as - [Atomic Test #4 - Modify registry to store logon credentials](#atomic-test-4---modify-registry-to-store-logon-credentials) +- [Atomic Test #5 - Modify registry to store PowerShell code](#atomic-test-5---modify-registry-to-store-powershell-code) +
@@ -139,3 +141,34 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo ```
+
+ +## Atomic Test #5 - Modify registry to store PowerShell code +Sets Windows Registry key containing base64-encoded PowerShell code. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"| +| registry_key_storage | Windows Registry Key to store code | String | HKCU:Software\Microsoft\Windows\CurrentVersion| +| registry_entry_storage | Windows Registry entry to store code under key | String | Debug| + +#### Run it with `powershell`! +``` +$OriginalCommand = '#{powershell_command}' +$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand) +$EncodedCommand =[Convert]::ToBase64String($Bytes) +$EncodedCommand +Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand +``` + + +#### Cleanup Commands: +``` +Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage} +``` + +
diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index 85346e63..204b2e27 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -100,3 +100,33 @@ atomic_tests:
 reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
 cleanup_command: |
 reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f
+
+- name: Modify registry to store PowerShell code
+ description: |
+ Sets Windows Registry key containing base64-encoded PowerShell code.
+ supported_platforms:
+ - windows
+ input_arguments:
+ powershell_command:
+ description: PowerShell command to encode
+ type: String
+ default: Write-Host "Hey, Atomic!"
+ registry_key_storage:
+ description: Windows Registry Key to store code
+ type: String
+ default: HKCU:Software\Microsoft\Windows\CurrentVersion
+ registry_entry_storage:
+ description: Windows Registry entry to store code under key
+ type: String
+ default: Debug
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ $OriginalCommand = '#{powershell_command}'
+ $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
+ $EncodedCommand =[Convert]::ToBase64String($Bytes)
+ $EncodedCommand
+ Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
+ cleanup_command: |
+ Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}
\ No newline at end of file
diff --git a/atomics/index.md b/atomics/index.md
index 631cf15a..cca10781 100644
--- a/atomics/index.md
+++ b/atomics/index.md
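Review bot: The cleanup_command at the end of the hunk passes `-Path` twice (`Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}`), which PowerShell rejects at parameter binding, so cleanup never runs and the base64 blob stays in the `Debug` value under HKCU:Software\Microsoft\Windows\CurrentVersion after the test. Change it to `Remove-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -ErrorAction SilentlyContinue` so it also tolerates a re-run where the value is already gone. The same typo was carried into the generated T1112.md and index.yaml in this patch, so the docs need regenerating once the yaml is fixed. Separately, `$OriginalCommand = '#{powershell_command}'` is a single-quoted literal, so an input containing an apostrophe breaks the executor; the input description should say so, e.g. `PowerShell command to encode (must not contain single quotes)`. Writing the default key as `HKCU:\Software\Microsoft\Windows\CurrentVersion` (backslash after the drive) would also avoid relying on the HKCU: drive's current location, though the drive-relative form appears to work in practice.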
@@ -305,6 +305,7 @@ - Atomic Test #2: Modify Registry of Local Machine - cmd [windows] - Atomic Test #3: Modify Registry of Another User Profile [windows] - Atomic Test #4: Modify registry to store logon credentials [windows] + - Atomic Test #5: Modify registry to store PowerShell code [windows] - [T1170 Mshta](./T1170/T1170.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] - Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows] diff --git a/atomics/index.yaml b/atomics/index.yaml index c1fced15..7ed1c534 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -9256,6 +9256,37 @@ defense-evasion: /v UseLogonCredential /t REG_DWORD /d 0 /f ' + - name: Modify registry to store PowerShell code + description: 'Sets Windows Registry key containing base64-encoded PowerShell + code. + +' + supported_platforms: + - windows + input_arguments: + powershell_command: + description: PowerShell command to encode + type: String + default: Write-Host "Hey, Atomic!" + registry_key_storage: + description: Windows Registry Key to store code + type: String + default: HKCU:Software\Microsoft\Windows\CurrentVersion + registry_entry_storage: + description: Windows Registry entry to store code under key + type: String + default: Debug + executor: + name: powershell + elevation_required: false + command: | + $OriginalCommand = '#{powershell_command}' + $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand) + $EncodedCommand =[Convert]::ToBase64String($Bytes) + $EncodedCommand + Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand + cleanup_command: 'Remove-ItemProperty -Force -Path -Path #{registry_key_storage} + -Name #{registry_entry_storage}' T1170: technique: x_mitre_data_sources: diff --git a/atomics/windows-index.md b/atomics/windows-index.md index e9e86144..7cfa78a3 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md 
@@ -102,6 +102,7 @@
 - Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
 - Atomic Test #3: Modify Registry of Another User Profile [windows]
 - Atomic Test #4: Modify registry to store logon credentials [windows]
+ - Atomic Test #5: Modify registry to store PowerShell code [windows]
 - [T1170 Mshta](./T1170/T1170.md)
 - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
 - Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]