From f223d288608c9aa1425fdb3d6cc2388bafc9b084 Mon Sep 17 00:00:00 2001
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag>
Date: Thu, 31 May 2018 10:50:06 -0400
Subject: [PATCH 1/2] T1202 Add Adding T1202 Indirect Command Execution PCALUA
---
 atomics/T1202/T1202.yaml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 atomics/T1202/T1202.yaml
diff --git a/atomics/T1202/T1202.yaml b/atomics/T1202/T1202.yaml
new file mode 100644
index 00000000..6f59a1f8
--- /dev/null
+++ b/atomics/T1202/T1202.yaml
@@ -0,0 +1,34 @@
+---
+attack_technique: T1202
+display_name: Indirect Command Execution
+
+atomic_tests:
+- name: Indirect Command Execution - pcalua.exe
+ description: |
+ The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface.
+
+ [Reference](https://twitter.com/KyleHanslovan/status/912659279806640128)
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ process:
+ description: Process to execute
+ type: string
+ default: calc.exe
+ payload_path:
+ description: Path to payload
+ type: path
+ default: c:\temp\payload.dll
+ payload_cpl_path:
+ description: Path to payload
+ type: path
+ default: C:\Windows\system32\javacpl.cpl -c Java
+
+ executor:
+ name: command_prompt
+ command: |
+ pcalua.exe -a ${process}
+ pcalua.exe -a ${payload_path}
+ pcalua.exe -a ${payload_cpl_path}
From f40f5065f07c5a155ad0f1b556eddce9d10159ee Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Thu, 31 May 2018 14:50:20 +0000
Subject: [PATCH 2/2] Generate docs from job=validate_atomics_generate_docs branch=T1202
---
 atomics/T1202/T1202.md | 47 +++++++++++++++++++++++++++++++++++++++
 atomics/index.md | 3 ++-
 atomics/matrix.md | 2 +-
 atomics/windows-index.md | 3 ++-
 atomics/windows-matrix.md | 2 +-
 5 files changed, 53 insertions(+), 4 deletions(-)
 create mode 100644 atomics/T1202/T1202.md
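Review bot: The `payload_cpl_path` argument in the new T1202.yaml is declared `type: path`, but its default `C:\Windows\system32\javacpl.cpl -c Java` is a path followed by command-line arguments and the third `pcalua.exe -a` line passes the whole value as one opaque string, so both the type and the reused "Path to payload" description misdescribe it; `type: string` with `description: Control Panel applet and arguments to launch via pcalua.exe` would match what the executor actually does. The same "Path to payload" description is used for `payload_path`, whose default `c:\temp\payload.dll` is never created by the test, and `javacpl.cpl` is only present where a Java runtime is installed, so on a clean host the second and third commands fail without exercising anything; the description block should state that the operator must stage a DLL at `payload_path` (or point it at an existing one) before running. A sentence in the description naming the expected telemetry — presumably a process-creation event whose parent is `pcalua.exe` with `-a` on its command line, per the ATT&CK detection guidance quoted in the generated T1202.md — would give the test a verifiable outcome rather than just a launch.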
diff --git a/atomics/T1202/T1202.md b/atomics/T1202/T1202.md new file mode 100644 index 00000000..b5301c82 --- /dev/null +++ b/atomics/T1202/T1202.md @@ -0,0 +1,47 @@ +# T1202 - Indirect Command Execution +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1202) +
Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command-Line Interface, Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017) + +Adversaries may abuse these utilities for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd. + +Detection: Monitor and analyze logs from host-based detection mechanisms, such as Sysmon, for events such as process creations that include or are resulting from parameters associated with invoking programs/commands and/or spawning child processes. (Citation: RSA Forfiles Aug 2017) + +Platforms: Windows + +Data Sources: Process Monitoring, Process command-line parameters, Windows event logs + +Defense Bypassed: Application whitelisting, Process whitelisting, Whitelisting by file name or path + +Permissions Required: User + +Contributors: Matthew Demaske, Adaptforward
+ +## Atomic Tests + +- [Atomic Test #1 - Indirect Command Execution - pcalua.exe](#atomic-test-1---indirect-command-execution---pcaluaexe) + + +
+ +## Atomic Test #1 - Indirect Command Execution - pcalua.exe +The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface. + +[Reference](https://twitter.com/KyleHanslovan/status/912659279806640128) + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| process | Process to execute | string | calc.exe| +| payload_path | Path to payload | path | c:\temp\payload.dll| +| payload_cpl_path | Path to payload | path | C:\Windows\system32\javacpl.cpl -c Java| + +#### Run it with `command_prompt`! +``` +pcalua.exe -a ${process} +pcalua.exe -a ${payload_path} +pcalua.exe -a ${payload_cpl_path} +``` +
diff --git a/atomics/index.md b/atomics/index.md index b5f57c2c..12983eb2 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -190,7 +190,8 @@ - Atomic Test #1: Clear Logs [windows] - Atomic Test #2: FSUtil [windows] - Atomic Test #3: rm -rf [macos, linux] -- [T1202 Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) +- [T1202 Indirect Command Execution](./T1202/T1202.md) + - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows] - [T1130 Install Root Certificate](./T1130/T1130.md) - Atomic Test #1: Install root CA on CentOS/RHEL [linux] - [T1118 InstallUtil](./T1118/T1118.md) diff --git a/atomics/matrix.md b/atomics/matrix.md index 548a7332..83ce8233 100644 --- a/atomics/matrix.md +++ b/atomics/matrix.md 
@@ -29,7 +29,7 @@ | | [Third-party Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Launch Daemon](./T1160/T1160.md) | [Sudo Caching](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | | | [Trap](./T1154/T1154.md) | [Launchctl](./T1152/T1152.md) | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | | | [Trusted Developer Utilities](./T1127/T1127.md) | [Local Job Scheduling](./T1168/T1168.md) | [Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Indicator Removal on Host](./T1070/T1070.md) | | | | | | | -| | [User Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Login Item](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | +| | [User Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Login Item](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Indirect Command Execution](./T1202/T1202.md) | | | | | | | | | [Windows Management Instrumentation](./T1047/T1047.md) | [Logon Scripts](./T1037/T1037.md) | | [Install Root Certificate](./T1130/T1130.md) | | | | | | | | | [Windows Remote Management](./T1028/T1028.md) | [Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [InstallUtil](./T1118/T1118.md) | | | | | | | | 
| | [Netsh Helper DLL](./T1128/T1128.md) | | [LC_MAIN Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | diff --git a/atomics/windows-index.md b/atomics/windows-index.md index d97f60ec..ace71341 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -43,7 +43,8 @@ - [T1070 Indicator Removal on Host](./T1070/T1070.md) - Atomic Test #1: Clear Logs [windows] - Atomic Test #2: FSUtil [windows] -- [T1202 Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) +- [T1202 Indirect Command Execution](./T1202/T1202.md) + - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows] - [T1130 Install Root Certificate](./T1130/T1130.md) - [T1118 InstallUtil](./T1118/T1118.md) - Atomic Test #1: InstallUtil uninstall method call [windows] diff --git a/atomics/windows-matrix.md b/atomics/windows-matrix.md index 0f43f879..8fbacf13 100644 --- a/atomics/windows-matrix.md +++ b/atomics/windows-matrix.md 
@@ -24,7 +24,7 @@ | | [Third-party Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Logon Scripts](./T1037/T1037.md) | [Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | | | [Trusted Developer Utilities](./T1127/T1127.md) | [Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | | | [User Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Netsh Helper DLL](./T1128/T1128.md) | | [Indicator Removal on Host](./T1070/T1070.md) | | | | | | | -| | [Windows Management Instrumentation](./T1047/T1047.md) | [New Service](./T1050/T1050.md) | | [Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | +| | [Windows Management Instrumentation](./T1047/T1047.md) | [New Service](./T1050/T1050.md) | | [Indirect Command Execution](./T1202/T1202.md) | | | | | | | | | [Windows Remote Management](./T1028/T1028.md) | [Office Application Startup](./T1137/T1137.md) | | [Install Root Certificate](./T1130/T1130.md) | | | | | | | | | | [Path Interception](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [InstallUtil](./T1118/T1118.md) | | | | | | | | | | [Port Monitors](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Masquerading](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |