diff --git a/atomics/T1547.014/T1547.014.yaml b/atomics/T1547.014/T1547.014.yaml new file mode 100644 index 00000000..6ac643e2 --- /dev/null +++ b/atomics/T1547.014/T1547.014.yaml @@ -0,0 +1,64 @@ +attack_technique: T1547.014 +display_name: 'Active Setup' +atomic_tests: +- name: 'HKLM - Add atomic_test key to launch executable as part of user setup' + description: | + This test will create an "atomic_test" key under 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' to launch calc by configuring an active setup executable and + forcing to run active setup using the "runonce.exe /AlternateShellStartup" command. + Without the "runonce.exe /AlternateShellStartup" command it would run during the next logon for each user. + + Note: If you logout before running the cleanup command, you will be required to go through the OOBE (out-of-box experience) setup sequence to log back in. + The payload will only run once unless the cleanup command is run in between tests. + + [Active Setup Explained](https://helgeklein.com/blog/active-setup-explained/) + supported_platforms: + - windows + input_arguments: + payload: + description: Payload to run once during login + type: String + default: C:\Windows\System32\calc.exe + executor: + command: |- + New-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components" -Name "atomic_test" -Force + Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" "(Default)" "ART TEST" -Force + Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" "StubPath" "#{payload}" -Force + & $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup + cleanup_command: |- + Remove-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore + Remove-Item "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore + name: powershell + elevation_required: true +- name: 'HKLM - Add malicious StubPath value to existing Active Setup Entry' + description: | + This test will add a StubPath entry to the Active Setup native registry key associated with 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600}) + Said key doesn't have a StubPath value by default, by adding one it will launch calc by forcing to run active setup using runonce.exe /AlternateShellStartup. + Without the last command it will normally run on next user logon. Note: this test will only run once successfully if no cleanup command is run in between test. + supported_platforms: + - windows + input_arguments: + payload: + description: Payload to run once during login + type: String + default: C:\Windows\System32\calc.exe + executor: + command: |- + Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" "StubPath" "#{payload}" -Force + & $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup + cleanup_command: |- + Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "StubPath" -Force + Remove-ItemProperty "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Force + name: powershell + elevation_required: true +- name: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number + description: | + This test will decrease the version number of the 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600}) registry key for the current user, + which will force the StubPath payload (if set) to execute. + supported_platforms: + - windows + executor: + command: | + Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Value "0,0,0,0" + & $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup + name: powershell + elevation_required: true