From b112d34695bb6f8e7e2dc7be92ef4f85dff8fcb0 Mon Sep 17 00:00:00 2001 From: caseysmithrc <30840394+caseysmithrc@users.noreply.github.com> Date: Wed, 23 May 2018 22:03:44 -0600 Subject: [PATCH] yamled --- Windows/Persistence/Netsh_Helper_DLL.md | 53 ------------------------- atomics/T1128/T1128.md | 43 ++++++++++++++++++++ atomics/T1128/T1128.yaml | 22 ++++++++++ atomics/index.md | 3 +- atomics/matrix.md | 2 +- 5 files changed, 68 insertions(+), 55 deletions(-) delete mode 100644 Windows/Persistence/Netsh_Helper_DLL.md create mode 100644 atomics/T1128/T1128.md create mode 100644 atomics/T1128/T1128.yaml diff --git a/Windows/Persistence/Netsh_Helper_DLL.md b/Windows/Persistence/Netsh_Helper_DLL.md deleted file mode 100644 index a60a1927..00000000 --- a/Windows/Persistence/Netsh_Helper_DLL.md +++ /dev/null 
@@ -1,53 +0,0 @@ -# Netsh Helper DLL - -MITRE ATT&CK Technique: [T1128](https://attack.mitre.org/wiki/Technique/T1128) - -## A DLL can be registered to be loaded each time netsh.exe is executed, or for certain events. - -Netsh interacts with other operating system components using dynamic-link library (DLL) files. Each Netsh helper DLL provides an extensive set of features called a context, which is a group of commands specific to a networking component. For example, Dhcpmon.dll provides netsh the context and set of commands necessary to configure and manage DHCP servers. - -## Attackers can register a netsh helper with this command - - netsh.exe add helper C:\Path\file.dll - -## The following registry key stores the paths to the helpers - - HKLM\SOFTWARE\Microsoft\Netsh - -## Additional Netsh.exe testing we recommend - -### Firewall Control - -Input: - - netsh firewall set opmode [disable|enable] - -### Netsh.exe Pivoting - -Input: - - netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 - -Can also support v4tov6, v6tov6, and v6tov4 - -### Netsh.exe Sniffing - -Input: - - netsh trace start capture=yes overwrite=no tracefile= - -to stop: - - netsh trace stop - -### Netsh.exe Wireless backdoor - -Input: - - netsh wlan set hostednetwork mode=[allow\|disallow] - netsh wlan set hostednetwork ssid= key= keyUsage=persistent\|temporary - netsh wlan [start|stop] hostednetwork - -Enables or disables hostednetwork service. -Complete hosted network setup for creating a wireless backdoor. -Starts or stops a wireless backdoor. See below to set it up. diff --git a/atomics/T1128/T1128.md b/atomics/T1128/T1128.md new file mode 100644 index 00000000..b13d6166 --- /dev/null +++ b/atomics/T1128/T1128.md @@ -0,0 +1,43 @@ +# T1128 - Netsh Helper DLL +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1128) +
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. + +Adversaries can use netsh.exe with helper DLLs to proxy execution of arbitrary code in a persistent manner when netsh.exe is executed automatically with another Persistence technique or if other persistent software is present on the system that executes netsh.exe as part of its normal functionality. Examples include some VPN software that invoke netsh.exe. (Citation: Demaske Netsh Persistence) + +Proof of concept code exists to load Cobalt Strike's payload using netsh.exe helper DLLs. (Citation: Github Netsh Helper CS Beacon) + +Detection: It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\SOFTWARE\Microsoft\Netsh registry key for any new or suspicious entries that do not correlate with known system files or benign software. (Citation: Demaske Netsh Persistence) + +Platforms: Windows + +Data Sources: Process monitoring, DLL monitoring, Windows Registry + +Permissions Required: Administrator, SYSTEM + +System Requirements: netsh + +Contributors: Matthew Demaske, Adaptforward
+ +## Atomic Tests + +- [Atomic Test #1 - Netsh Helper DLL Registration](#atomic-test-1---netsh-helper-dll-registration) + + +
+ +## Atomic Test #1 - Netsh Helper DLL Registration +Netsh interacts with other operating system components using dynamic-link library (DLL) files + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| helper_file | Path to DLL | Path | C:\Path\file.dll| + +#### Run it with `command_prompt`! +``` +netsh.exe add helper #{helper_file} +``` +
diff --git a/atomics/T1128/T1128.yaml b/atomics/T1128/T1128.yaml new file mode 100644 index 00000000..3b28f332 --- /dev/null +++ b/atomics/T1128/T1128.yaml @@ -0,0 +1,22 @@ +--- +attack_technique: T1128 +display_name: Netsh Helper DLL + +atomic_tests: +- name: Netsh Helper DLL Registration + description: | + Netsh interacts with other operating system components using dynamic-link library (DLL) files + + supported_platforms: + - windows + + input_arguments: + helper_file: + description: Path to DLL + type: Path + default: C:\Path\file.dll + + executor: + name: command_prompt + command: | + netsh.exe add helper #{helper_file} diff --git a/atomics/index.md b/atomics/index.md index e99e0621..98fd5c5a 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -42,7 +42,8 @@ - [T1162 Login Item](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) - [T1037 Logon Scripts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) - [T1031 Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) -- [T1128 Netsh Helper DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) +- [T1128 Netsh Helper DLL](./T1128/T1128.md) + - Atomic Test #1: Netsh Helper DLL Registration - [T1050 New Service](./T1050/T1050.md) - Atomic Test #1: Service Installation - Atomic Test #2: Service Installation PowerShell Installs A Local Service using PowerShell diff --git a/atomics/matrix.md b/atomics/matrix.md index 48f91c3f..ef8d1234 100644 --- a/atomics/matrix.md +++ b/atomics/matrix.md 
@@ -31,7 +31,7 @@ | | [User Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Login Item](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | | | [Windows Management Instrumentation](./T1047/T1047.md) | [Logon Scripts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Install Root Certificate](./T1130/T1130.md) | | | | | | | | | [Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [InstallUtil](./T1118/T1118.md) | | | | | | | -| | | [Netsh Helper DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [LC_MAIN Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | +| | | [Netsh Helper DLL](./T1128/T1128.md) | | [LC_MAIN Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | | | | [New Service](./T1050/T1050.md) | | [Launchctl](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | | | | [Office Application Startup](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Masquerading](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | | | | | [Path Interception](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Modify Registry](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
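Review bot: the delete of Windows/Persistence/Netsh_Helper_DLL.md drops four tests that the new T1128.yaml does not carry over: `netsh firewall set opmode [disable|enable]`, the `netsh interface portproxy add v4tov4 ...` pivot, `netsh trace start capture=yes ...` sniffing and the `netsh wlan set hostednetwork` wireless backdoor. None of them are helper-DLL persistence, so keeping them out of T1128 is the right call, but they should be moved to atomics for the techniques they actually map to (or at least called out in the commit message) rather than silently removed. The old file also pointed at the registry key that records registered helpers, HKLM\SOFTWARE\Microsoft\Netsh; that is the one artifact a detection engineer needs from this atomic and after this change it survives only inside the quoted ATT&CK description.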
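Review bot: in the T1128.yaml hunk the test description, `Netsh interacts with other operating system components using dynamic-link library (DLL) files`, describes netsh rather than what the test does; say that it registers a helper DLL with `netsh.exe add helper` and that the path is written under HKLM\SOFTWARE\Microsoft\Netsh, so the reader knows which artifact to look for. The default `C:\Path\file.dll` is a placeholder that does not exist, so with the default input the command simply fails and the test exercises nothing; either ship a benign DLL with the atomic or state that the user must supply one. Two more points: the ATT&CK text above lists Permissions Required as Administrator, SYSTEM (the key is under HKLM), so the executor should say an elevated prompt is needed; and the test leaves the helper registered, so add a cleanup step with `netsh.exe delete helper #{helper_file}` to undo it. The same description text is repeated in the generated T1128.md, so fix it at the yaml and regenerate.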