Customshellhost (#2509)

* Adding CustomShellHost * Update T1218.yaml * fixed
2023-08-14 19:02:11 -06:00
parent 0fbf08855e
commit 55301cf3a3
1 changed files with 27 additions and 0 deletions
@@ -322,3 +322,30 @@ atomic_tests:
      del %TEMP%\ie4uinit.exe >nul 2>&1
      del %TEMP%\ieuinit.inf >nul 2>&1
    name: command_prompt
+- name: LOLBAS CustomShellHost to Spawn Process
+  description: |
+    This test simulates an adversary copying `customshellhost.exe` and `calc.exe` from `C:\windows\system32\` to `C:\temp\`, renaming `calc.exe` to `explorer.exe`.
+    Upon execution, customshellhost.exe will spawn calc.exe.
+    Note this will only work on Windows 10 or 11.
+    [LOLBAS](https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/)
+    [BishopFox](https://bishopfox.com/blog/edr-bypass-with-lolbins)
+  supported_platforms:
+    - windows
+  input_arguments:
+    dest_path:
+      description: Directory to copy files into
+      type: path
+      default: C:\test
+  executor:
+    command: |
+      if (-not (Test-Path #{dest_path})) {
+      New-Item -Path #{dest_path} -ItemType Directory
+      } else {
+      Write-Host "Directory #{dest_path} already exists." }
+      Copy-Item -Path "C:\windows\system32\customshellhost.exe" -Destination "#{dest_path}\customshellhost.exe" -Force
+      Copy-Item -Path "C:\windows\system32\calc.exe" -Destination "#{dest_path}\explorer.exe" -Force
+      #{dest_path}\customshellhost.exe
+    cleanup_command: | 
+      Remove-Item -Path #{dest_path} -Recurse -Force
+    name: powershell
+    elevation_required: true