From 735447ace8218b786cf089d8a46bacec81f4fc5e Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 5 Feb 2019 21:04:08 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1101/T1101.md | 34 ++++++++++++++++ atomics/index.md | 2 + atomics/index.yaml | 84 ++++++++++++++++++++++++++++++++++++++++ atomics/linux-index.md | 1 + atomics/macos-index.md | 1 + atomics/windows-index.md | 1 + 6 files changed, 123 insertions(+) create mode 100644 atomics/T1101/T1101.md diff --git a/atomics/T1101/T1101.md b/atomics/T1101/T1101.md new file mode 100644 index 00000000..dd62804c --- /dev/null +++ b/atomics/T1101/T1101.md @@ -0,0 +1,34 @@ +# T1101 - Security Support Provider +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1101) +
Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called. + (Citation: Graeber 2014)
+ +## Atomic Tests + +- [Atomic Test #1 - Modify SSP configuration in registry](#atomic-test-1---modify-ssp-configuration-in-registry) + + +
+ +## Atomic Test #1 - Modify SSP configuration in registry +Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys. +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| fake_ssp_dll | Value added to registry key. Normally refers to a DLL name in C:\Windows\System32. | String | not-a-ssp| + +#### Run it with `powershell`! +``` +# run these in sequence +$SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages' +$SecurityPackagesUpdated = $SecurityPackages +$SecurityPackagesUpdated += "#{fake_ssp_dll}" +Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated + +# revert (before reboot) +Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages +``` +
diff --git a/atomics/index.md b/atomics/index.md index 54ff04a4..6b18f9d6 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -111,6 +111,7 @@ - [T1180 Screensaver](./T1180/T1180.md) - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows] - [T1101 Security Support Provider](./T1101/T1101.md) + - Atomic Test #1: Modify SSP configuration in registry [windows] - T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1166 Setuid and Setgid](./T1166/T1166.md) - Atomic Test #1: Setuid and Setgid [macos, centos, ubuntu, linux] @@ -213,6 +214,7 @@ - Atomic Test #13: chown - Change file or folder ownership and group recursively [macos, linux] - Atomic Test #14: chown - Change file or folder mode ownership only [macos, linux] - Atomic Test #15: chown - Change file or folder ownership recursively [macos, linux] + - Atomic Test #16: chattr - Remove immutable file attribute [macos, linux] - T1006 File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1144 Gatekeeper Bypass](./T1144/T1144.md) - Atomic Test #1: Gatekeeper Bypass [macos] diff --git a/atomics/index.yaml b/atomics/index.yaml index 9a3293a7..bcd4d04a 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -3241,6 +3241,73 @@ persistence: reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f shutdown /r /t 0 + T1101: + technique: + id: attack-pattern--6c174520-beea-43d9-aac6-28fb77f3e446 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Security Support Provider + description: |- + Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called. + (Citation: Graeber 2014) + external_references: + - external_id: T1101 + url: https://attack.mitre.org/techniques/T1101 + source_name: mitre-attack + - url: http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html + description: Graeber, M. (2014, October). Analysis of Malicious Security Support + Provider DLLs. Retrieved March 1, 2017. + source_name: Graeber 2014 + - url: https://technet.microsoft.com/en-us/library/dn408187.aspx + description: Microsoft. (2013, July 31). Configuring Additional LSA Protection. + Retrieved June 24, 2015. 
+ source_name: Microsoft Configure LSA + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_version: '1.0' + x_mitre_data_sources: + - DLL monitoring + - Windows Registry + - Loaded DLLs + x_mitre_detection: 'Monitor the Registry for changes to the SSP Registry keys. + Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 + R2 may generate events when unsigned SSP DLLs try to load into the LSA by + setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image + File Execution Options\LSASS.exe with AuditLevel = 8. (Citation: Graeber + 2014) (Citation: Microsoft Configure LSA)' + x_mitre_permissions_required: + - Administrator + x_mitre_platforms: + - Windows + type: attack-pattern + kill_chain_phases: + - phase_name: persistence + kill_chain_name: mitre-attack + modified: '2018-10-17T00:14:20.652Z' + created: '2017-05-31T21:31:13.447Z' + identifier: T1101 + atomic_tests: + - name: Modify SSP configuration in registry + description: Add a value to a Windows registry SSP key, simulating an adversarial + modification of those keys. + supported_platforms: + - windows + input_arguments: + fake_ssp_dll: + description: Value added to registry key. Normally refers to a DLL name + in C:\Windows\System32. + type: String + default: not-a-ssp + executor: + name: powershell + command: | + # run these in sequence + $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages' + $SecurityPackagesUpdated = $SecurityPackages + $SecurityPackagesUpdated += "#{fake_ssp_dll}" + Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated + + # revert (before reboot) + Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages T1166: technique: id: attack-pattern--c0df6533-30ee-4a4a-9c6d-17af5abdf0b2 
@@ -5717,6 +5784,23 @@ defense-evasion: name: bash command: 'chown #{owner} #{file_or_folder} -R +' + - name: chattr - Remove immutable file attribute + description: | + Remove's a file's `immutable` attribute using `chattr`. + This technique was used by the threat actor Rocke during the compromise of Linux web servers. + supported_platforms: + - macos + - linux + input_arguments: + file_to_modify: + description: Path of the file + type: path + default: "/var/spool/cron/root" + executor: + name: sh + command: 'chattr -i #{file_to_modify} + ' T1144: technique: diff --git a/atomics/linux-index.md b/atomics/linux-index.md index f6dc1aac..a144b8f1 100644 --- a/atomics/linux-index.md +++ b/atomics/linux-index.md @@ -162,6 +162,7 @@ - Atomic Test #13: chown - Change file or folder ownership and group recursively [macos, linux] - Atomic Test #14: chown - Change file or folder mode ownership only [macos, linux] - Atomic Test #15: chown - Change file or folder ownership recursively [macos, linux] + - Atomic Test #16: chattr - Remove immutable file attribute [macos, linux] - [T1148 HISTCONTROL](./T1148/T1148.md) - Atomic Test #1: Disable history collection [linux, macos] - Atomic Test #2: Mac HISTCONTROL [macos, linux] diff --git a/atomics/macos-index.md b/atomics/macos-index.md index 0b5ef359..e99dd6a4 100644 --- a/atomics/macos-index.md +++ b/atomics/macos-index.md @@ -220,6 +220,7 @@ - Atomic Test #13: chown - Change file or folder ownership and group recursively [macos, linux] - Atomic Test #14: chown - Change file or folder mode ownership only [macos, linux] - Atomic Test #15: chown - Change file or folder ownership recursively [macos, linux] + - Atomic Test #16: chattr - Remove immutable file attribute [macos, linux] - [T1144 Gatekeeper Bypass](./T1144/T1144.md) - Atomic Test #1: Gatekeeper Bypass [macos] - [T1148 HISTCONTROL](./T1148/T1148.md) diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 388b7878..a257100e 100644 
--- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -249,6 +249,7 @@ - [T1180 Screensaver](./T1180/T1180.md) - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows] - [T1101 Security Support Provider](./T1101/T1101.md) + - Atomic Test #1: Modify SSP configuration in registry [windows] - T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1023 Shortcut Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1019 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
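Review bot: in the new atomics/T1101/T1101.md, the revert is the last line of the same `powershell` block as the modification, so if the executor stops after the first `Set-ItemProperty` (error, closed session) the `not-a-ssp` entry stays in `Security Packages` and LSA will try to load it at the next boot, which is exactly the condition the `# revert (before reboot)` comment warns about. Suggest moving the revert into a separate cleanup step that the runner executes regardless of how the main command ends, and stating that the test needs an elevated session since it writes under HKLM (the technique itself lists `Administrator` under permissions required). Minor: `HKLM:\System\...` in the `Get-ItemProperty` line and `HKLM:\SYSTEM\...` in the `Set-ItemProperty` lines are the same key; use one spelling.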
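Review bot: in the atomics/index.yaml `T1101` hunk, the `Modify SSP configuration in registry` test only touches `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages`, while the technique description in the same hunk names a second location, `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages`. A detection rule validated against this test is never exercised for the second key; either add an input argument that selects which key is modified (or a second test) or say in the `description` that only the first key is covered. It would also help readers to surface the `x_mitre_detection` guidance from this hunk (registry monitoring of the SSP keys, LSA DLL-load monitoring, the `AuditLevel = 8` setting under `Image File Execution Options\LSASS.exe`) in the generated T1101.md so that whoever runs the test knows what telemetry to check.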
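Review bot: the new `chattr - Remove immutable file attribute` test in atomics/index.yaml lists `macos` under `supported_platforms`, but `chattr` is the Linux e2fsprogs utility and is not present on macOS, where the equivalent is `chflags nouchg`; the default `/var/spool/cron/root` is also a Linux cron path. Either drop `macos` or add a macOS-specific executor. The `sh` command `chattr -i #{file_to_modify}` also has no check that the file exists or has the attribute set, so on a host without that file the test fails with an error rather than demonstrating the technique; consider a prerequisite or a setup step that creates the file and sets `+i` first. Typo in the description: `Remove's` should be `Removes`.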
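Review bot: the new `Atomic Test #16: chattr - Remove immutable file attribute [macos, linux]` line in atomics/macos-index.md is derived from the `supported_platforms` list in index.yaml; if `macos` is removed there, this entry and the matching `[macos, linux]` tags in atomics/index.md and atomics/linux-index.md should be regenerated by the doc-generator job rather than hand-edited, since all three files are generator output.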