Merge pull request #346 from redcanaryco/T1140-Add

T1140 - certutil rename and decode

atomics/T1140/T1140.md

@@ -26,6 +26,8 @@ Contributors: Matthew Demaske, Adaptforward, Red Canary</blockquote>
 
 - [Atomic Test #1 - Deobfuscate/Decode Files Or Information](#atomic-test-1---deobfuscatedecode-files-or-information)
 
+- [Atomic Test #2 - Certutil Rename and Decode](#atomic-test-2---certutil-rename-and-decode)
+
 
 <br/>
 
@@ -46,3 +48,22 @@ certutil.exe -encode #{executable} file.txt
 certutil.exe -decode file.txt #{executable}
 ```
 <br/>
+<br/>
+
+## Atomic Test #2 - Certutil Rename and Decode
+Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| executable | name of executable/file to decode | path | c:\file.exe|
+
+#### Run it with `command_prompt`!
+```
+cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp
+cmd.exe /c %temp%tcm.tmp -decode #{executable}
+```
+<br/>

atomics/T1140/T1140.yaml

@@ -21,3 +21,22 @@ atomic_tests:
     command: |
       certutil.exe -encode #{executable} file.txt
       certutil.exe -decode file.txt #{executable}
+
+- name: Certutil Rename and Decode
+  description: |
+    Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    executable:
+      description: name of executable/file to decode
+      type: path
+      default: c:\file.exe
+
+  executor:
+    name: command_prompt
+    command: |
+      cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp
+      cmd.exe /c %temp%tcm.tmp -decode #{executable}

atomics/index.md

@@ -149,6 +149,7 @@
 - T1073 DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1140 Deobfuscate/Decode Files or Information](./T1140/T1140.md)
   - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
+  - Atomic Test #2: Certutil Rename and Decode [windows]
 - [T1089 Disabling Security Tools](./T1089/T1089.md)
   - Atomic Test #1: Disable iptables firewall [linux]
   - Atomic Test #2: Disable syslog [linux]

atomics/windows-index.md

@@ -21,6 +21,7 @@
 - T1073 DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1140 Deobfuscate/Decode Files or Information](./T1140/T1140.md)
   - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
+  - Atomic Test #2: Certutil Rename and Decode [windows]
 - [T1089 Disabling Security Tools](./T1089/T1089.md)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)