This commit is contained in:
caseysmithrc
2018-05-23 22:03:44 -06:00
parent 2b570ba196
commit b112d34695
5 changed files with 68 additions and 55 deletions
-53
@@ -1,53 +0,0 @@
# Netsh Helper DLL
MITRE ATT&CK Technique: [T1128](https://attack.mitre.org/wiki/Technique/T1128)
## A DLL can be registered to be loaded each time netsh.exe is executed, or for certain events.
Netsh interacts with other operating system components using dynamic-link library (DLL) files. Each Netsh helper DLL provides an extensive set of features called a context, which is a group of commands specific to a networking component. For example, Dhcpmon.dll provides netsh the context and set of commands necessary to configure and manage DHCP servers.
## Attackers can register a netsh helper with this command
netsh.exe add helper C:\Path\file.dll
## The following registry key stores the paths to the helpers
HKLM\SOFTWARE\Microsoft\Netsh
## Additional Netsh.exe testing we recommend
### Firewall Control
Input:
netsh firewall set opmode [disable|enable]
### Netsh.exe Pivoting
Input:
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
Can also support v4tov6, v6tov6, and v6tov4
### Netsh.exe Sniffing
Input:
netsh trace start capture=yes overwrite=no tracefile=<FilePath.etl>
to stop:
netsh trace stop
### Netsh.exe Wireless backdoor
Input:
netsh wlan set hostednetwork mode=[allow\|disallow]
netsh wlan set hostednetwork ssid=<ssid> key=<passphrase> keyUsage=persistent\|temporary
netsh wlan [start|stop] hostednetwork
Enables or disables hostednetwork service.
Complete hosted network setup for creating a wireless backdoor.
Starts or stops a wireless backdoor. See below to set it up.
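Review bot: The deletion drops the whole "Additional Netsh.exe testing we recommend" block (firewall opmode, interface portproxy, trace capture, wlan hostednetwork) without carrying any of it into the new T1128.md or saying where it went. None of those are helper DLL behaviour, so scoping T1128 down to helper registration is reasonable, but the commit should say so, or that material should be moved under the techniques it actually belongs to rather than silently removed. The ATT&CK link and the `HKLM\SOFTWARE\Microsoft\Netsh` key from the old file do survive in the new description, so nothing is lost there.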
+43
@@ -0,0 +1,43 @@
# T1128 - Netsh Helper DLL
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1128)
<blockquote>Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at <code>HKLM\SOFTWARE\Microsoft\Netsh</code>.
Adversaries can use netsh.exe with helper DLLs to proxy execution of arbitrary code in a persistent manner when netsh.exe is executed automatically with another Persistence technique or if other persistent software is present on the system that executes netsh.exe as part of its normal functionality. Examples include some VPN software that invoke netsh.exe. (Citation: Demaske Netsh Persistence)
Proof of concept code exists to load Cobalt Strike's payload using netsh.exe helper DLLs. (Citation: Github Netsh Helper CS Beacon)
Detection: It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior. Monitor the <code>HKLM\SOFTWARE\Microsoft\Netsh</code> registry key for any new or suspicious entries that do not correlate with known system files or benign software. (Citation: Demaske Netsh Persistence)
Platforms: Windows
Data Sources: Process monitoring, DLL monitoring, Windows Registry
Permissions Required: Administrator, SYSTEM
System Requirements: netsh
Contributors: Matthew Demaske, Adaptforward</blockquote>
## Atomic Tests
- [Atomic Test #1 - Netsh Helper DLL Registration](#atomic-test-1---netsh-helper-dll-registration)
<br/>
## Atomic Test #1 - Netsh Helper DLL Registration
Netsh interacts with other operating system components using dynamic-link library (DLL) files
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| helper_file | Path to DLL | Path | C:\Path\file.dll|
#### Run it with `command_prompt`!
```
netsh.exe add helper #{helper_file}
```
<br/>
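Review bot: The test section gives the reader no hint that `netsh.exe add helper` must be run from an elevated prompt, even though the blockquote directly above lists "Permissions Required: Administrator, SYSTEM"; a one-line note under "Run it with `command_prompt`" would save a confusing failure. The detection paragraph in the same blockquote (a new value under `HKLM\SOFTWARE\Microsoft\Netsh`, and child processes of netsh.exe) is exactly the artifact this test produces, so the test description should point at it instead of the generic "Netsh interacts with other operating system components using dynamic-link library (DLL) files" sentence, which also wants a terminating period. The fenced block around the command has no language tag.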
+22
@@ -0,0 +1,22 @@
---
attack_technique: T1128
display_name: Netsh Helper DLL
atomic_tests:
- name: Netsh Helper DLL Registration
description: |
Netsh interacts with other operating system components using dynamic-link library (DLL) files
supported_platforms:
- windows
input_arguments:
helper_file:
description: Path to DLL
type: Path
default: C:\Path\file.dll
executor:
name: command_prompt
command: |
netsh.exe add helper #{helper_file}
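Review bot: The `description` says what netsh is, not what the test does or what it needs: with the default `helper_file` of `C:\Path\file.dll` nothing exists at that path, so a run with defaults only exercises the command line and never registers or loads a helper. State that the operator must supply an existing (benign) helper DLL path, that the command needs an elevated prompt, and that the expected artifact is a new entry under `HKLM\SOFTWARE\Microsoft\Netsh`. Since a successful run leaves a persistent registration behind, also add an unregister step after the test (`netsh.exe delete helper #{helper_file}`) so the host is not left with the entry.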
+2 -1
@@ -42,7 +42,8 @@
- [T1162 Login Item](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1037 Logon Scripts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1031 Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1128 Netsh Helper DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1128 Netsh Helper DLL](./T1128/T1128.md)
- Atomic Test #1: Netsh Helper DLL Registration
- [T1050 New Service](./T1050/T1050.md)
- Atomic Test #1: Service Installation
- Atomic Test #2: Service Installation PowerShell Installs A Local Service using PowerShell
+1 -1
@@ -31,7 +31,7 @@
| | [User Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Login Item](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | [Windows Management Instrumentation](./T1047/T1047.md) | [Logon Scripts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Install Root Certificate](./T1130/T1130.md) | | | | | | |
| | [Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [InstallUtil](./T1118/T1118.md) | | | | | | |
| | | [Netsh Helper DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [LC_MAIN Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Netsh Helper DLL](./T1128/T1128.md) | | [LC_MAIN Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [New Service](./T1050/T1050.md) | | [Launchctl](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Office Application Startup](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Masquerading](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Path Interception](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Modify Registry](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |