From 527fd3b78bddbfbe70b094aa31def9bb869982e9 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Mon, 28 Dec 2020 16:19:14 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 43 +++++++++++++++
 atomics/T1218/T1218.md | 54 +++++++++++++++++++
 6 files changed, 101 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 5379c2b3..05cfd87a 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -492,6 +492,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,4,InfDefaultInstall.exe .inf
 defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
+defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1027.002,Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index e7b06daa..b2555df7 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -292,6 +292,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,4,InfDefaultInstall.exe .inf
 defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
+defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
 defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index b64b5c88..5e778201 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -898,6 +898,7 @@
 - Atomic Test #5: ProtocolHandler.exe Downloaded a Suspicious File [windows]
 - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
 - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
+ - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
 - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
 - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
 - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 4a6d592b..62c22ec4 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -526,6 +526,7 @@
 - Atomic Test #5: ProtocolHandler.exe Downloaded a Suspicious File [windows]
 - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
 - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
+ - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
 - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
 - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
 - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index ca086f79..4e1eb1dd 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -39090,6 +39090,49 @@ defense-evasion:
 #{renamed_binary} #{xml_payload} output.txt
 name: powershell
 elevation_required: false
+ - name: Invoke-ATHRemoteFXvGPUDisablementCommand base test
+ auto_generated_guid: 9ebe7901-7edf-45c0-b5c7-8366300919db
+ description: |
+ RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
+
+ One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking" where a module containing, in this case, an implementation of the Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted.
+
+ Invoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how a PowerShell host executable can be directed to user-supplied PowerShell code without needing to supply anything at the command-line. PowerShell code execution is triggered when supplying the "Disable" argument to RemoteFXvGPUDisablement.exe.
+
+ The Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts.
+
+ Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
+ supported_platforms:
+ - windows
+ input_arguments:
+ module_name:
+ description: Specifies a temporary module name to use. If -ModuleName is
+ not supplied, a 16-character random temporary module name is used. A PowerShell
+ module can have any name. Because Get-VMRemoteFXPhysicalVideoAdapter abuses
+ module load order, a module name must be specified.
+ type: string
+ default: foo
+ module_path:
+ description: Specifies an alternate, non-default PowerShell module path
+ for RemoteFXvGPUDisablement.exe. If -ModulePath is not specified, the
+ first entry in %PSModulePath% will be used. Typically, this is %USERPROFILE%\Documents\WindowsPowerShell\Modules.
+ type: string
+ default: "$PWD"
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Invoke-ATHRemoteFXvGPUDisablementCommand
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Invoke-ATHRemoteFXvGPUDisablementCommand']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name}
+ -ModulePath #{module_path}'
+ name: powershell
 T1216:
 technique:
 id: attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe
diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md
index 738c180b..a1441aa2 100644
--- a/atomics/T1218/T1218.md
+++ b/atomics/T1218/T1218.md
@@ -18,6 +18,8 @@
 - [Atomic Test #7 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions](#atomic-test-7---renamed-microsoftworkflowcompilerexe-payload-executions)
+- [Atomic Test #8 - Invoke-ATHRemoteFXvGPUDisablementCommand base test](#atomic-test-8---invoke-athremotefxvgpudisablementcommand-base-test)
+
@@ -304,4 +306,56 @@ write-host "you need to rename workflow complier before you run this test"
+
+
+
+## Atomic Test #8 - Invoke-ATHRemoteFXvGPUDisablementCommand base test
+RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
+
+One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking" where a module containing, in this case, an implementation of the Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted.
+
+Invoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how a PowerShell host executable can be directed to user-supplied PowerShell code without needing to supply anything at the command-line. PowerShell code execution is triggered when supplying the "Disable" argument to RemoteFXvGPUDisablement.exe.
+
+The Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts.
+
+Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| module_name | Specifies a temporary module name to use. If -ModuleName is not supplied, a 16-character random temporary module name is used. A PowerShell module can have any name. Because Get-VMRemoteFXPhysicalVideoAdapter abuses module load order, a module name must be specified. | string | foo|
+| module_path | Specifies an alternate, non-default PowerShell module path for RemoteFXvGPUDisablement.exe. If -ModulePath is not specified, the first entry in %PSModulePath% will be used. Typically, this is %USERPROFILE%\Documents\WindowsPowerShell\Modules. | string | $PWD|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHRemoteFXvGPUDisablementCommand must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHRemoteFXvGPUDisablementCommand']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+