security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #234 from redcanaryco/T1202

Browse Source 
T1202
This commit is contained in:
Michael Haag
2018-05-31 10:50:52 -04:00
committed by GitHub
parent 7500c91be7 f40f5065f0
commit ac8a756c00
6 changed files with 87 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1202/T1202.md
+47
View File
@@ -0,0 +1,47 @@
# T1202 - Indirect Command Execution
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1202)
<blockquote>Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command-Line Interface, Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
Adversaries may abuse these utilities for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd.
Detection: Monitor and analyze logs from host-based detection mechanisms, such as Sysmon, for events such as process creations that include or are resulting from parameters associated with invoking programs/commands and/or spawning child processes. (Citation: RSA Forfiles Aug 2017)
Platforms: Windows
Data Sources: Process Monitoring, Process command-line parameters, Windows event logs
Defense Bypassed: Application whitelisting, Process whitelisting, Whitelisting by file name or path
Permissions Required: User
Contributors: Matthew Demaske, Adaptforward</blockquote>
## Atomic Tests
- [Atomic Test #1 - Indirect Command Execution - pcalua.exe](#atomic-test-1---indirect-command-execution---pcaluaexe)
<br/>
## Atomic Test #1 - Indirect Command Execution - pcalua.exe
The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface.
[Reference](https://twitter.com/KyleHanslovan/status/912659279806640128)
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process | Process to execute | string | calc.exe|
| payload_path | Path to payload | path | c:\temp\payload.dll|
| payload_cpl_path | Path to payload | path | C:\Windows\system32\javacpl.cpl -c Java|
#### Run it with `command_prompt`!
```
pcalua.exe -a ${process}
pcalua.exe -a ${payload_path}
pcalua.exe -a ${payload_cpl_path}
```
<br/>
atomics/T1202/T1202.yaml
+34
View File
@@ -0,0 +1,34 @@
---
attack_technique: T1202
display_name: Indirect Command Execution
atomic_tests:
- name: Indirect Command Execution - pcalua.exe
description: |
The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface.
[Reference](https://twitter.com/KyleHanslovan/status/912659279806640128)
supported_platforms:
- windows
input_arguments:
process:
description: Process to execute
type: string
default: calc.exe
payload_path:
description: Path to payload
type: path
default: c:\temp\payload.dll
payload_cpl_path:
description: Path to payload
type: path
default: C:\Windows\system32\javacpl.cpl -c Java
executor:
name: command_prompt
command: |
pcalua.exe -a ${process}
pcalua.exe -a ${payload_path}
pcalua.exe -a ${payload_cpl_path}
atomics/index.md
+2 -1
View File
@@ -190,7 +190,8 @@
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: FSUtil [windows]
- Atomic Test #3: rm -rf [macos, linux]
- [T1202 Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1202 Indirect Command Execution](./T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- [T1130 Install Root Certificate](./T1130/T1130.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- [T1118 InstallUtil](./T1118/T1118.md)
atomics/matrix.md
+1 -1
View File
@@ -29,7 +29,7 @@
| | [Third-party Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Launch Daemon](./T1160/T1160.md) | [Sudo Caching](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | [Trap](./T1154/T1154.md) | [Launchctl](./T1152/T1152.md) | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | [Trusted Developer Utilities](./T1127/T1127.md) | [Local Job Scheduling](./T1168/T1168.md) | [Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Indicator Removal on Host](./T1070/T1070.md) | | | | | | |
| | [User Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Login Item](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | [User Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Login Item](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Indirect Command Execution](./T1202/T1202.md) | | | | | | |
| | [Windows Management Instrumentation](./T1047/T1047.md) | [Logon Scripts](./T1037/T1037.md) | | [Install Root Certificate](./T1130/T1130.md) | | | | | | |
| | [Windows Remote Management](./T1028/T1028.md) | [Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [InstallUtil](./T1118/T1118.md) | | | | | | |
| | | [Netsh Helper DLL](./T1128/T1128.md) | | [LC_MAIN Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
atomics/windows-index.md
+2 -1
View File
@@ -43,7 +43,8 @@
- [T1070 Indicator Removal on Host](./T1070/T1070.md)
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: FSUtil [windows]
- [T1202 Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1202 Indirect Command Execution](./T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- [T1130 Install Root Certificate](./T1130/T1130.md)
- [T1118 InstallUtil](./T1118/T1118.md)
- Atomic Test #1: InstallUtil uninstall method call [windows]
atomics/windows-matrix.md
+1 -1
View File
@@ -24,7 +24,7 @@
| | [Third-party Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Logon Scripts](./T1037/T1037.md) | [Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | [Trusted Developer Utilities](./T1127/T1127.md) | [Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | [User Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Netsh Helper DLL](./T1128/T1128.md) | | [Indicator Removal on Host](./T1070/T1070.md) | | | | | | |
| | [Windows Management Instrumentation](./T1047/T1047.md) | [New Service](./T1050/T1050.md) | | [Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | [Windows Management Instrumentation](./T1047/T1047.md) | [New Service](./T1050/T1050.md) | | [Indirect Command Execution](./T1202/T1202.md) | | | | | | |
| | [Windows Remote Management](./T1028/T1028.md) | [Office Application Startup](./T1137/T1137.md) | | [Install Root Certificate](./T1130/T1130.md) | | | | | | |
| | | [Path Interception](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [InstallUtil](./T1118/T1118.md) | | | | | | |
| | | [Port Monitors](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Masquerading](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |