security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #326 from redcanaryco/Fix-T1121

Browse Source 
Fix T1121
This commit is contained in:
Michael Haag
2018-09-05 09:36:22 -04:00
committed by GitHub
parent f19fb29bfa deca346fcb
commit ae0022cc32
2 changed files with 28 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1121/T1121.md
+11 -6
View File
@@ -36,12 +36,14 @@ Executes the Uninstall Method, No Admin Rights Required
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the payload | Path | T1121.dll|
| file_name | Location of the payload | Path | T1121.dll|
| source_file | Location of the CSharp source_file | Path | C:\AtomicRedTeam\atomics\T1121\src\T1121.cs|
#### Run it with `command_prompt`!
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library T1121.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
del #{file_name}
```
<br/>
<br/>
@@ -55,14 +57,17 @@ Executes the Uninstall Method, No Admin Rights Required, Requires SNK
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the payload | Path | T1121.dll|
| file_name | Location of the payload | Path | T1121.dll|
| source_file | Location of the CSharp source_file | Path | C:\AtomicRedTeam\atomics\T1121\src\T1121.cs|
#### Run it with `powershell`!
```
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk T1121.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe T1121.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
del #{file_name}
del key.snk
```
<br/>
atomics/T1121/T1121.yaml
+17 -6
View File
@@ -9,15 +9,20 @@ atomic_tests:
supported_platforms:
- windows
input_arguments:
filename:
file_name:
description: Location of the payload
type: Path
default: T1121.dll
source_file:
description: Location of the CSharp source_file
type: Path
default: C:\AtomicRedTeam\atomics\T1121\src\T1121.cs
executor:
name: command_prompt
command: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library T1121.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
del #{file_name}
- name: Regsvs Uninstall Method Call Test
description: |
@@ -25,15 +30,21 @@ atomic_tests:
supported_platforms:
- windows
input_arguments:
filename:
file_name:
description: Location of the payload
type: Path
default: T1121.dll
source_file:
description: Location of the CSharp source_file
type: Path
default: C:\AtomicRedTeam\atomics\T1121\src\T1121.cs
executor:
name: powershell
command: |
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk T1121.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe T1121.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
del #{file_name}
del key.snk