Generate docs from job=validate_atomics_generate_docs branch=master

CircleCI Atomic Red Team doc generator
2020-03-12 13:33:53 +00:00
parent d0687be58c
commit 8cb0e3e283
4 changed files with 1384 additions and 122 deletions
+454 -40
@@ -6,14 +6,268 @@ Adversaries may use InstallUtil to proxy execution of code through a trusted Win
## Atomic Tests
- [Atomic Test #1 - InstallUtil uninstall method call](#atomic-test-1---installutil-uninstall-method-call)
- [Atomic Test #1 - CheckIfInstallable method call](#atomic-test-1---checkifinstallable-method-call)
- [Atomic Test #2 - InstallUtil GetHelp method call](#atomic-test-2---installutil-gethelp-method-call)
- [Atomic Test #2 - InstallHelper method call](#atomic-test-2---installhelper-method-call)
- [Atomic Test #3 - InstallUtil class constructor method call](#atomic-test-3---installutil-class-constructor-method-call)
- [Atomic Test #4 - InstallUtil Install method call](#atomic-test-4---installutil-install-method-call)
- [Atomic Test #5 - InstallUtil Uninstall method call - /U variant](#atomic-test-5---installutil-uninstall-method-call---u-variant)
- [Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant](#atomic-test-6---installutil-uninstall-method-call---installtypenotransaction-actionuninstall-variant)
- [Atomic Test #7 - InstallUtil HelpText method call](#atomic-test-7---installutil-helptext-method-call)
- [Atomic Test #8 - InstallUtil evasive invocation](#atomic-test-8---installutil-evasive-invocation)
<br/>
## Atomic Test #1 - InstallUtil uninstall method call
## Atomic Test #1 - CheckIfInstallable method call
Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1|
| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | CheckIfInstallable|
#### Attack Commands: Run with `powershell`!
```
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$ExpectedOutput = 'Constructor_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
CheckIfInstallable method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
```
#### Cleanup Commands:
```
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
```
<br/>
<br/>
## Atomic Test #2 - InstallHelper method call
Executes the InstallHelper class constructor runner instead of executing InstallUtil.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1|
| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | InstallHelper|
#### Attack Commands: Run with `powershell`!
```
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallHelper method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
```
#### Cleanup Commands:
```
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
```
<br/>
<br/>
## Atomic Test #3 - InstallUtil class constructor method call
Executes the installer assembly class constructor.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1|
| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable|
#### Attack Commands: Run with `powershell`!
```
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
```
#### Cleanup Commands:
```
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
```
<br/>
<br/>
## Atomic Test #4 - InstallUtil Install method call
Executes the Install Method
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1|
| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable|
#### Attack Commands: Run with `powershell`!
```
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=install `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_Install_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
```
#### Cleanup Commands:
```
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
```
<br/>
<br/>
## Atomic Test #5 - InstallUtil Uninstall method call - /U variant
Executes the Uninstall Method
**Supported Platforms:** Windows
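Review bot: none of Tests #1 through #4 declares a dependency on the one file they cannot run without, the harness they dot-source at the top of every Attack Commands block (`. #{test_harness}`, defaulting to `PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1`), while this hunk drops the old Dependencies section that at least verified the C# source was on disk. Add a prereq with a `Test-Path` on `#{test_harness}` and a Get Prereq Commands step that fetches it the same way the old block fetched `T1118.cs`, so a missing harness fails the prereq check instead of surfacing as a dot-source error mid-test. Minor: each of the four Cleanup Commands runs `Remove-Item -Path $InstallerAssemblyFullPath` with no `-ErrorAction Ignore`, so cleanup itself errors whenever the build step never produced `T1118.dll`.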
@@ -22,41 +276,59 @@ Executes the Uninstall Method
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | location of the payload | Path | %tmp%\T1118.dll|
| source | location of the source code to compile | Path | PathToAtomicsFolder\T1118\src\T1118.cs|
| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1|
| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `powershell`!
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{output_file}
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false /U `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_Uninstall_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
```
#### Cleanup Commands:
```
del #{output_file} >nul 2>&1
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
```
#### Dependencies: Run with `powershell`!
##### Description: Source code must exist on disk at specified location (#{source})
##### Check Prereq Commands:
```
if (Test-Path #{source}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}"
```
<br/>
<br/>
## Atomic Test #2 - InstallUtil GetHelp method call
## Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant
Executes the Uninstall Method
**Supported Platforms:** Windows
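Review bot: the Dependencies block under Test #5 still checks and downloads `#{source}` (`if (Test-Path #{source}) {exit 0} else {exit 1}` and `Invoke-WebRequest ... T1118.cs -OutFile "#{source}"`), but `source` is no longer among this test's inputs; the table now lists only `test_harness`, `assembly_dir`, `assembly_filename` and `invocation_method`, so the placeholder can never be substituted and the check either fails or tests a literal path. The assembly is now compiled inside `Invoke-BuildAndInvokeInstallUtilAssembly`, so drop this block or repoint it at `#{test_harness}`, the file this test actually needs. Documentation point: the description is still the bare 'Executes the Uninstall Method'; the `/U` switch in `$CommandLine` is what distinguishes this test from Test #6 and deserves a sentence here rather than only in the title.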
@@ -65,34 +337,176 @@ Executes the Uninstall Method
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | location of the payload | Path | %tmp%\T1118.dll|
| source | location of the source code to compile | Path | PathToAtomicsFolder\T1118\src\T1118.cs|
| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1|
| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `powershell`!
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{output_file}
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_Uninstall_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
```
#### Cleanup Commands:
```
del #{output_file} >nul 2>&1
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
```
<br/>
<br/>
## Atomic Test #7 - InstallUtil HelpText method call
Executes the Uninstall Method
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1|
| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable|
#### Attack Commands: Run with `powershell`!
```
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/? `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_HelpText_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil HelpText property execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
```
#### Cleanup Commands:
```
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
```
<br/>
<br/>
## Atomic Test #8 - InstallUtil evasive invocation
Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1|
#### Attack Commands: Run with `powershell`!
```
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "$Env:windir\System32\Tasks"
$InstallerAssemblyFileName = 'readme.txt'
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "readme.txt"
$ExpectedOutput = 'Constructor_'
# Explicitly set the directory so that a relative path to readme.txt can be supplied.
Set-Location "$Env:windir\System32\Tasks"
Copy-Item -Path "$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe" -Destination "$Env:windir\System32\Tasks\notepad.exe"
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = 'Executable'
CommandLine = $CommandLine
InstallUtilPath = "$Env:windir\System32\Tasks\notepad.exe"
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
Evasive Installutil invocation test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
```
#### Cleanup Commands:
```
Remove-Item -Path "$Env:windir\System32\Tasks\readme.txt"
Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallLog"
Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallState"
Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe"
```
#### Dependencies: Run with `powershell`!
##### Description: Source code must exist on disk at specified location (#{source})
##### Check Prereq Commands:
```
if (Test-Path #{source}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```
New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}"
```
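Review bot: Test #8's Dependencies block uses `#{source}` in all three of its commands, but the test's inputs table declares only `test_harness`, so the placeholder is unresolvable; the `readme.txt` assembly is built by the harness with `-MinimumViableAssembly`, not compiled from `T1118.cs`, so this block should check `#{test_harness}` or be removed. Two smaller points in the same hunk: Test #7's description reads 'Executes the Uninstall Method' while its command line is `/?` and its expected output is `Constructor_HelpText_`, so the description is a copy-paste leftover from Tests #5 and #6; and Test #8 copies `InstallUtil.exe` to `$Env:windir\System32\Tasks\notepad.exe` and removes four files from that directory in cleanup without `-ErrorAction Ignore`, so a failure before the copy leaves the later `Remove-Item` lines erroring, and the test's `elevation_required` value (not visible in this hunk) is worth confirming against what writing to that directory requires.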
+16 -4
@@ -292,8 +292,14 @@
- [T1130 Install Root Certificate](./T1130/T1130.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- [T1118 InstallUtil](./T1118/T1118.md)
- Atomic Test #1: InstallUtil uninstall method call [windows]
- Atomic Test #2: InstallUtil GetHelp method call [windows]
- Atomic Test #1: CheckIfInstallable method call [windows]
- Atomic Test #2: InstallHelper method call [windows]
- Atomic Test #3: InstallUtil class constructor method call [windows]
- Atomic Test #4: InstallUtil Install method call [windows]
- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
- Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
- Atomic Test #7: InstallUtil HelpText method call [windows]
- Atomic Test #8: InstallUtil evasive invocation [windows]
- T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
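Review bot: the two new entries 'CheckIfInstallable method call' and 'InstallHelper method call' are the only T1118 titles without the `InstallUtil` prefix that Tests #3 through #8 carry, so a reader scanning this index cannot tell from the line which binary they exercise. Since this index is generated, the fix belongs in the `name:` field of those two tests in the YAML (for example `InstallUtil CheckIfInstallable method call` and `InstallUtil InstallHelper method call`), which would also correct the second copy of this list further down.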
@@ -727,8 +733,14 @@
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1118 InstallUtil](./T1118/T1118.md)
- Atomic Test #1: InstallUtil uninstall method call [windows]
- Atomic Test #2: InstallUtil GetHelp method call [windows]
- Atomic Test #1: CheckIfInstallable method call [windows]
- Atomic Test #2: InstallHelper method call [windows]
- Atomic Test #3: InstallUtil class constructor method call [windows]
- Atomic Test #4: InstallUtil Install method call [windows]
- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
- Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
- Atomic Test #7: InstallUtil HelpText method call [windows]
- Atomic Test #8: InstallUtil evasive invocation [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
+898 -74
@@ -9120,68 +9120,480 @@ defense-evasion:
- Digital Certificate Validation
identifier: T1118
atomic_tests:
- name: InstallUtil uninstall method call
- name: CheckIfInstallable method call
description: 'Executes the CheckIfInstallable class constructor runner instead
of executing InstallUtil.
'
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: Path
default: "$Env:TEMP\\"
assembly_filename:
description: filename of the compiled installer assembly
type: String
default: T1118.dll
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: String
default: CheckIfInstallable
executor:
name: powershell
elevation_required: false
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$ExpectedOutput = 'Constructor_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
CheckIfInstallable method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
- name: InstallHelper method call
description: 'Executes the InstallHelper class constructor runner instead of
executing InstallUtil.
'
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: Path
default: "$Env:TEMP\\"
assembly_filename:
description: filename of the compiled installer assembly
type: String
default: T1118.dll
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: String
default: InstallHelper
executor:
name: powershell
elevation_required: false
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallHelper method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
- name: InstallUtil class constructor method call
description: 'Executes the installer assembly class constructor.
'
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: Path
default: "$Env:TEMP\\"
assembly_filename:
description: filename of the compiled installer assembly
type: String
default: T1118.dll
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: String
default: Executable
executor:
name: powershell
elevation_required: false
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
- name: InstallUtil Install method call
description: 'Executes the Install Method
'
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: Path
default: "$Env:TEMP\\"
assembly_filename:
description: filename of the compiled installer assembly
type: String
default: T1118.dll
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: String
default: Executable
executor:
name: powershell
elevation_required: false
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=install `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_Install_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
- name: InstallUtil Uninstall method call - /U variant
description: 'Executes the Uninstall Method
'
supported_platforms:
- windows
input_arguments:
output_file:
description: location of the payload
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
default: "%tmp%\\T1118.dll"
source:
description: location of the source code to compile
default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: Path
default: PathToAtomicsFolder\T1118\src\T1118.cs
dependency_executor_name: powershell
dependencies:
- description: Source code must exist on disk at specified location (#{source})
prereq_command: 'if (Test-Path #{source}) {exit 0} else {exit 1}'
get_prereq_command: |-
New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}"
default: "$Env:TEMP\\"
assembly_filename:
description: filename of the compiled installer assembly
type: String
default: T1118.dll
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: String
default: Executable
executor:
name: command_prompt
name: powershell
elevation_required: false
command: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{output_file}
cleanup_command: 'del #{output_file} >nul 2>&1
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
'
- name: InstallUtil GetHelp method call
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false /U `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_Uninstall_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
- name: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall'
variant
description: 'Executes the Uninstall Method
'
supported_platforms:
- windows
input_arguments:
output_file:
description: location of the payload
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
default: "%tmp%\\T1118.dll"
source:
description: location of the source code to compile
default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: Path
default: PathToAtomicsFolder\T1118\src\T1118.cs
dependency_executor_name: powershell
dependencies:
- description: Source code must exist on disk at specified location (#{source})
prereq_command: 'if (Test-Path #{source}) {exit 0} else {exit 1}'
get_prereq_command: |-
New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}"
default: "$Env:TEMP\\"
assembly_filename:
description: filename of the compiled installer assembly
type: String
default: T1118.dll
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: String
default: Executable
executor:
name: command_prompt
name: powershell
elevation_required: false
command: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{output_file}
cleanup_command: 'del #{output_file} >nul 2>&1
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_Uninstall_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
- name: InstallUtil HelpText method call
description: 'Executes the Uninstall Method
'
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: Path
default: "$Env:TEMP\\"
assembly_filename:
description: filename of the compiled installer assembly
type: String
default: T1118.dll
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: String
default: Executable
executor:
name: powershell
elevation_required: false
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/? `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_HelpText_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil HelpText property execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
- name: InstallUtil evasive invocation
description: 'Executes an InstallUtil assembly by renaming InstallUtil.exe and
using a nonstandard extension for the assembly.
'
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
executor:
name: powershell
elevation_required: false
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "$Env:windir\System32\Tasks"
$InstallerAssemblyFileName = 'readme.txt'
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "readme.txt"
$ExpectedOutput = 'Constructor_'
# Explicitly set the directory so that a relative path to readme.txt can be supplied.
Set-Location "$Env:windir\System32\Tasks"
Copy-Item -Path "$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe" -Destination "$Env:windir\System32\Tasks\notepad.exe"
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = 'Executable'
CommandLine = $CommandLine
InstallUtilPath = "$Env:windir\System32\Tasks\notepad.exe"
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
Evasive Installutil invocation test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |-
Remove-Item -Path "$Env:windir\System32\Tasks\readme.txt"
Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallLog"
Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallState"
Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe"
T1152:
technique:
x_mitre_permissions_required:
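Review bot: the description of the `InstallUtil HelpText method call` test still reads `description: 'Executes the Uninstall Method'` although its command passes `/? "$InstallerAssemblyFullPath"` and asserts `$ExpectedOutput = 'Constructor_HelpText_'`; change it to describe the HelpText property getter so the generated docs do not misstate what the test exercises. In the `InstallUtil evasive invocation` test, `Set-Location "$Env:windir\System32\Tasks"` changes the caller's working directory and neither the command nor `cleanup_command` restores it; wrapping the body in `Push-Location`/`Pop-Location` (or passing an absolute path in `$CommandLine`) keeps the runner's session unchanged.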
@@ -21813,68 +22225,480 @@ execution:
- Digital Certificate Validation
identifier: T1118
atomic_tests:
- name: InstallUtil uninstall method call
- name: CheckIfInstallable method call
description: 'Executes the CheckIfInstallable class constructor runner instead
of executing InstallUtil.
'
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: Path
default: "$Env:TEMP\\"
assembly_filename:
description: filename of the compiled installer assembly
type: String
default: T1118.dll
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: String
default: CheckIfInstallable
executor:
name: powershell
elevation_required: false
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$ExpectedOutput = 'Constructor_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
CheckIfInstallable method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
- name: InstallHelper method call
description: 'Executes the InstallHelper class constructor runner instead of
executing InstallUtil.
'
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: Path
default: "$Env:TEMP\\"
assembly_filename:
description: filename of the compiled installer assembly
type: String
default: T1118.dll
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: String
default: InstallHelper
executor:
name: powershell
elevation_required: false
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallHelper method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
- name: InstallUtil class constructor method call
description: 'Executes the installer assembly class constructor.
'
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: Path
default: "$Env:TEMP\\"
assembly_filename:
description: filename of the compiled installer assembly
type: String
default: T1118.dll
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: String
default: Executable
executor:
name: powershell
elevation_required: false
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
- name: InstallUtil Install method call
description: 'Executes the Install Method
'
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: Path
default: "$Env:TEMP\\"
assembly_filename:
description: filename of the compiled installer assembly
type: String
default: T1118.dll
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: String
default: Executable
executor:
name: powershell
elevation_required: false
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=install `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_Install_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
- name: InstallUtil Uninstall method call - /U variant
description: 'Executes the Uninstall Method
'
supported_platforms:
- windows
input_arguments:
output_file:
description: location of the payload
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
default: "%tmp%\\T1118.dll"
source:
description: location of the source code to compile
default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: Path
default: PathToAtomicsFolder\T1118\src\T1118.cs
dependency_executor_name: powershell
dependencies:
- description: Source code must exist on disk at specified location (#{source})
prereq_command: 'if (Test-Path #{source}) {exit 0} else {exit 1}'
get_prereq_command: |-
New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}"
default: "$Env:TEMP\\"
assembly_filename:
description: filename of the compiled installer assembly
type: String
default: T1118.dll
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: String
default: Executable
executor:
name: command_prompt
name: powershell
elevation_required: false
command: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{output_file}
cleanup_command: 'del #{output_file} >nul 2>&1
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
'
- name: InstallUtil GetHelp method call
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false /U `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_Uninstall_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
- name: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall'
variant
description: 'Executes the Uninstall Method
'
supported_platforms:
- windows
input_arguments:
output_file:
description: location of the payload
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
default: "%tmp%\\T1118.dll"
source:
description: location of the source code to compile
default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: Path
default: PathToAtomicsFolder\T1118\src\T1118.cs
dependency_executor_name: powershell
dependencies:
- description: Source code must exist on disk at specified location (#{source})
prereq_command: 'if (Test-Path #{source}) {exit 0} else {exit 1}'
get_prereq_command: |-
New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}"
default: "$Env:TEMP\\"
assembly_filename:
description: filename of the compiled installer assembly
type: String
default: T1118.dll
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: String
default: Executable
executor:
name: command_prompt
name: powershell
elevation_required: false
command: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{output_file}
cleanup_command: 'del #{output_file} >nul 2>&1
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_Uninstall_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
- name: InstallUtil HelpText method call
description: 'Executes the Uninstall Method
'
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
assembly_dir:
description: directory to drop the compiled installer assembly
type: Path
default: "$Env:TEMP\\"
assembly_filename:
description: filename of the compiled installer assembly
type: String
default: T1118.dll
invocation_method:
description: the type of InstallUtil invocation variant - Executable, InstallHelper,
or CheckIfInstallable
type: String
default: Executable
executor:
name: powershell
elevation_required: false
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "/? `"$InstallerAssemblyFullPath`""
$ExpectedOutput = 'Constructor_HelpText_'
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = '#{invocation_method}'
CommandLine = $CommandLine
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
InstallUtil HelpText property execution test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |
$InstallerAssemblyDir = "#{assembly_dir}"
$InstallerAssemblyFileName = "#{assembly_filename}"
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
Remove-Item -Path $InstallerAssemblyFullPath
- name: InstallUtil evasive invocation
description: 'Executes an InstallUtil assembly by renaming InstallUtil.exe and
using a nonstandard extension for the assembly.
'
supported_platforms:
- windows
input_arguments:
test_harness:
description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
executor:
name: powershell
elevation_required: false
command: |
# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
. #{test_harness}
$InstallerAssemblyDir = "$Env:windir\System32\Tasks"
$InstallerAssemblyFileName = 'readme.txt'
$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
$CommandLine = "readme.txt"
$ExpectedOutput = 'Constructor_'
# Explicitly set the directory so that a relative path to readme.txt can be supplied.
Set-Location "$Env:windir\System32\Tasks"
Copy-Item -Path "$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe" -Destination "$Env:windir\System32\Tasks\notepad.exe"
$TestArgs = @{
OutputAssemblyDirectory = $InstallerAssemblyDir
OutputAssemblyFileName = $InstallerAssemblyFileName
InvocationMethod = 'Executable'
CommandLine = $CommandLine
InstallUtilPath = "$Env:windir\System32\Tasks\notepad.exe"
}
$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
if ($ActualOutput -ne $ExpectedOutput) {
throw @"
Evasive Installutil invocation test failure. Installer assembly execution output did not match the expected output.
Expected: $ExpectedOutput
Actual: $ActualOutput
"@
}
cleanup_command: |-
Remove-Item -Path "$Env:windir\System32\Tasks\readme.txt"
Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallLog"
Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallState"
Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe"
T1152:
technique:
x_mitre_permissions_required:
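Review bot: the same mismatched `description: 'Executes the Uninstall Method'` is carried into this index entry for `InstallUtil HelpText method call`; since this commit is generator output, the fix belongs in the T1118 atomic source and a regeneration, not a hand edit here. Also, the `cleanup_command` of `InstallUtil evasive invocation` runs `Remove-Item` on `readme.InstallLog` and `readme.InstallState` without `-ErrorAction Ignore`, so when the copied `notepad.exe` invocation fails before those files are written the cleanup reports errors for artifacts that never existed while still leaving the real ones to remove.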
+16 -4
@@ -98,8 +98,14 @@
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
- [T1130 Install Root Certificate](./T1130/T1130.md)
- [T1118 InstallUtil](./T1118/T1118.md)
- Atomic Test #1: InstallUtil uninstall method call [windows]
- Atomic Test #2: InstallUtil GetHelp method call [windows]
- Atomic Test #1: CheckIfInstallable method call [windows]
- Atomic Test #2: InstallHelper method call [windows]
- Atomic Test #3: InstallUtil class constructor method call [windows]
- Atomic Test #4: InstallUtil Install method call [windows]
- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
- Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
- Atomic Test #7: InstallUtil HelpText method call [windows]
- Atomic Test #8: InstallUtil evasive invocation [windows]
- [T1036 Masquerading](./T1036/T1036.md)
- Atomic Test #1: Masquerading as Windows LSASS process [windows]
- Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
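Review bot: the Atomic Test #6 entry embeds quoted CLI switches in the test name (`InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant`), which yields a long anchor slug with the quotes and `=` stripped and reads awkwardly next to the `/U variant` entry for #5; a name such as `InstallUtil Uninstall method call - notransaction/action variant` keeps the two variants distinguishable with a stable, readable link.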
@@ -611,8 +617,14 @@
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1118 InstallUtil](./T1118/T1118.md)
- Atomic Test #1: InstallUtil uninstall method call [windows]
- Atomic Test #2: InstallUtil GetHelp method call [windows]
- Atomic Test #1: CheckIfInstallable method call [windows]
- Atomic Test #2: InstallHelper method call [windows]
- Atomic Test #3: InstallUtil class constructor method call [windows]
- Atomic Test #4: InstallUtil Install method call [windows]
- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
- Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
- Atomic Test #7: InstallUtil HelpText method call [windows]
- Atomic Test #8: InstallUtil evasive invocation [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1170 Mshta](./T1170/T1170.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]