From f85b47c2d29ccb0b0dc341193a4ad5c5a4566487 Mon Sep 17 00:00:00 2001
From: caseysmithrc <30840394+caseysmithrc@users.noreply.github.com>
Date: Tue, 4 Sep 2018 20:40:31 -0600
Subject: [PATCH 1/6] T1121 Fixed Test

---
 atomics/T1121/T1121.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/atomics/T1121/T1121.yaml b/atomics/T1121/T1121.yaml
index d510af56..3b4486e2 100644
--- a/atomics/T1121/T1121.yaml
+++ b/atomics/T1121/T1121.yaml
@@ -16,7 +16,7 @@ atomic_tests:
 executor:
 name: command_prompt
 command: |
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library T1121.cs
+ C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll

 - name: Regsvs Uninstall Method Call Test
@@ -35,5 +35,7 @@ atomic_tests:
 $key = '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'
 $Content = [System.Convert]::FromBase64String($key)
 Set-Content key.snk -Value $Content -Encoding Byte
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk T1121.cs
+ C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe T1121.dll
+ del T1121.dll
+ del key.snk

From 8418f402945d2a53ac177d2cb15484e1b62d97be Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Wed, 5 Sep 2018 02:40:48 +0000
Subject: [PATCH 2/6] Generate docs from job=validate_atomics_generate_docs branch=Fix-T1121

---
 atomics/T1121/T1121.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/atomics/T1121/T1121.md b/atomics/T1121/T1121.md
index f3ef245b..290bbb63 100644
--- a/atomics/T1121/T1121.md
+++ b/atomics/T1121/T1121.md
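Review bot: The `del T1121.dll` and `del key.snk` lines added at the end of the powershell executor in the second hunk remove the only on-disk artifacts of the test right after regsvcs.exe returns, and the test description (outside this hunk) does not say so. Anyone validating detections against this atomic needs to know the DLL and the key file are gone by the time the test finishes, so the description should state it, e.g. `Compiles the DLL, invokes regsvcs.exe, then deletes the DLL and key.snk`. In PowerShell `del` is an alias of Remove-Item and emits a non-terminating error when csc.exe never produced the DLL, so the cleanup also hides a failed compile; if the test schema offers a dedicated cleanup step, moving both lines there would keep a compile failure visible.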
@@ -40,7 +40,7 @@ Executes the Uninstall Method, No Admin Rights Required

 #### Run it with `command_prompt`!
 ```
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library T1121.cs
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll
 ```
@@ -62,7 +62,9 @@ Executes the Uninstall Method, No Admin Rights Required, Requires SNK
 $key = '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'
 $Content = [System.Convert]::FromBase64String($key)
 Set-Content key.snk -Value $Content -Encoding Byte
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk T1121.cs
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe T1121.dll
+del T1121.dll
+del key.snk
 ```
From da9748c7db0c36ebad7d03e9b5c47ba60d6ba941 Mon Sep 17 00:00:00 2001
From: caseysmithrc <30840394+caseysmithrc@users.noreply.github.com>
Date: Tue, 4 Sep 2018 20:44:37 -0600
Subject: [PATCH 3/6] parameterized path and source code

---
 atomics/T1121/T1121.yaml | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/atomics/T1121/T1121.yaml b/atomics/T1121/T1121.yaml
index 3b4486e2..3e50bd0b 100644
--- a/atomics/T1121/T1121.yaml
+++ b/atomics/T1121/T1121.yaml
@@ -9,15 +9,19 @@ atomic_tests:
 supported_platforms:
 - windows
 input_arguments:
- filename:
+ file_name:
 description: Location of the payload
 type: Path
 default: T1121.dll
+ source_file:
+ description: Location of the CSharp source_file
+ type: Path
+ default: C:\AtomicRedTeam\atomics\T1121\src\T1121.cs
 executor:
 name: command_prompt
 command: |
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll
+ C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file}
+ C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}

 - name: Regsvs Uninstall Method Call Test
 description: |
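Review bot: The new `#{file_name}` argument is consumed by regasm.exe but never by csc.exe, which has no `/out:` switch and therefore still writes a DLL named after the source file (T1121.dll) into the current directory, so a caller who overrides `file_name` gets a regasm call against an assembly that was never built. Pass the name through to the compiler: `C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:#{file_name} #{source_file}`. The same mismatch exists in the powershell test in the next hunk (the `/keyfile:key.snk` compile line), where the new `del #{file_name}` then also misses the real output. Both `Path` arguments are substituted unquoted on every line; writing them as `"#{source_file}"` and `"#{file_name}"` keeps paths containing spaces intact.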
@@ -25,17 +29,21 @@ atomic_tests:
 supported_platforms:
 - windows
 input_arguments:
- filename:
+ file_name:
 description: Location of the payload
 type: Path
 default: T1121.dll
+ source_file:
+ description: Location of the CSharp source_file
+ type: Path
+ default: C:\AtomicRedTeam\atomics\T1121\src\T1121.cs
 executor:
 name: powershell
 command: |
 $key = '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'
 $Content = [System.Convert]::FromBase64String($key)
 Set-Content key.snk -Value $Content -Encoding Byte
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe T1121.dll
- del T1121.dll
+ C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk #{source_file}
+ C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
+ del #{file_name}
 del key.snk

From 14cbfa95e9d4f0035fd35b04ec30f2e42f5bebbb Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Wed, 5 Sep 2018 02:44:59 +0000
Subject: [PATCH 4/6] Generate docs from job=validate_atomics_generate_docs branch=Fix-T1121

---
 atomics/T1121/T1121.md | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/atomics/T1121/T1121.md b/atomics/T1121/T1121.md
index 290bbb63..cd4122ee 100644
--- a/atomics/T1121/T1121.md
+++ b/atomics/T1121/T1121.md
@@ -36,12 +36,13 @@ Executes the Uninstall Method, No Admin Rights Required
 #### Inputs
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| filename | Location of the payload | Path | T1121.dll|
+| file_name | Location of the payload | Path | T1121.dll|
+| source_file | Location of the CSharp source_file | Path | C:\AtomicRedTeam\atomics\T1121\src\T1121.cs|

 #### Run it with `command_prompt`!
 ```
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file}
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
 ```

@@ -55,16 +56,17 @@ Executes the Uninstall Method, No Admin Rights Required, Requires SNK
 #### Inputs
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| filename | Location of the payload | Path | T1121.dll|
+| file_name | Location of the payload | Path | T1121.dll|
+| source_file | Location of the CSharp source_file | Path | C:\AtomicRedTeam\atomics\T1121\src\T1121.cs|

 #### Run it with `powershell`!
 ```
 $key = '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'
 $Content = [System.Convert]::FromBase64String($key)
 Set-Content key.snk -Value $Content -Encoding Byte
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe T1121.dll
-del T1121.dll
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk #{source_file}
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
+del #{file_name}
 del key.snk
 ```
From cbe95e5a3a04724291066304b78bd35aa75d16c8 Mon Sep 17 00:00:00 2001
From: caseysmithrc <30840394+caseysmithrc@users.noreply.github.com>
Date: Wed, 5 Sep 2018 06:15:36 -0600
Subject: [PATCH 5/6] clean up

---
 atomics/T1121/T1121.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/atomics/T1121/T1121.yaml b/atomics/T1121/T1121.yaml
index 3e50bd0b..5a0d9c80 100644
--- a/atomics/T1121/T1121.yaml
+++ b/atomics/T1121/T1121.yaml
@@ -22,6 +22,7 @@ atomic_tests:
 command: |
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file}
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
+ del #{file_name}

 - name: Regsvs Uninstall Method Call Test
 description: |

From deca346fcb4dea4498623a69f678dd312a8382e1 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Wed, 5 Sep 2018 12:16:41 +0000
Subject: [PATCH 6/6] Generate docs from job=validate_atomics_generate_docs branch=Fix-T1121

---
 atomics/T1121/T1121.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/atomics/T1121/T1121.md b/atomics/T1121/T1121.md
index cd4122ee..5f1d26d8 100644
--- a/atomics/T1121/T1121.md
+++ b/atomics/T1121/T1121.md
@@ -43,6 +43,7 @@ Executes the Uninstall Method, No Admin Rights Required
 ```
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file}
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
+del #{file_name}
 ```
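Review bot: The added `del #{file_name}` in the command_prompt executor deletes whatever path the caller supplies, not only the assembly this test compiled, because nothing in the executor ties `file_name` to the csc.exe output. A caller who points `file_name` at an existing DLL to exercise the regasm /U step would lose that file when the test ends. The argument's description (outside this hunk) should state the contract, e.g. `description: Name of the DLL that csc.exe produces; it is deleted when the test finishes`, and the same wording fits the powershell test's `file_name` argument, which already has a matching `del` line.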