security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/redcanaryco/atomic-red-team

Browse Source
This commit is contained in:
caseysmithrc
2018-08-28 21:08:30 -06:00
parent a066585755 e40e3d9e0a
commit 24a3f301a1
3 changed files with 27 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1014/T1014.md
+25
View File
@@ -22,6 +22,8 @@ Permissions Required: Administrator, SYSTEM, root</blockquote>
- [Atomic Test #3 - LD_PRELOAD based Rootkit](#atomic-test-3---ld_preload-based-rootkit)
- [Atomic Test #4 - Windows Driver Exploit To Load Rootkit](#atomic-test-4---windows-driver-exploit-to-load-rootkit)
<br/>
@@ -72,3 +74,26 @@ LD_PRELOAD based Rootkit
export LD_PRELOAD=$PWD/#{rootkit_file}
```
<br/>
<br/>
## Atomic Test #4 - Windows Driver Exploit To Load Rootkit
We will leverage a signed vulnerable driver to test this.
You are responsible for obtaining the specific driver for the test.
SHA1 for puppetstrings.exe DD8DA630C00953B6D5182AA66AF999B1E117F441
Fullcredit for this test here:
https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html
Signed Driver Hash: C1D5CF8C43E7679B782630E93F5E6420CA1749A7
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| capcom_path | Path to vulnerable CapCom Driver | Path | C:\Drivers\CapCom.sys|
#### Run it with `command_prompt`!
```
puppetstrings.exe #{capcom_path}
```
<br/>
atomics/index.md
+1
View File
@@ -242,6 +242,7 @@
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #3: LD_PRELOAD based Rootkit [linux]
- Atomic Test #4: Windows Driver Exploit To Load Rootkit [windows]
- [T1085 Rundll32](./T1085/T1085.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
atomics/windows-index.md
+1
View File
@@ -76,6 +76,7 @@
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- [T1014 Rootkit](./T1014/T1014.md)
- Atomic Test #4: Windows Driver Exploit To Load Rootkit [windows]
- [T1085 Rundll32](./T1085/T1085.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)