T1547.001 runkeys (#2150)

* added tests 10-15 to T1547.001.yaml covering various missing keys used for run persistence Committer: Thomas De Brelaz <thockoro@hotmail.com> * fixed name for test 14 Committer: Thomas De Brelaz <thockoro@hotmail.com> * added missing HKLM test for explorer run key Committer: Thomas De Brelaz <thockoro@hotmail.com> * readability improvements * fixed readability issues Committer: Thomas De Brelaz <thockoro@hotmail.com> * small ymal type fix Committer: Thomas De Brelaz <thockoro@hotmail.com> Co-authored-by: Thomas De Brelaz <thomas.de-brelaz@ubisoft.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-09-26 17:50:21 +00:00
parent 09bc35dea1
commit c0c31e4c0c
1 changed files with 142 additions and 0 deletions
@@ -176,3 +176,145 @@ atomic_tests:
      Remove-ItemProperty -Path #{reg_key_path} -Name "socks5_powershell" -Force -ErrorAction Ignore
    name: powershell
    
+- name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
+  description: |
+    This test will modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders -V "Common Startup" 
+    value to point to a new startup folder where a payload could be stored to launch at boot.  *successful execution requires system restart
+  supported_platforms:
+  - windows
+  input_arguments:
+    new_startup_folder:
+      description: new startup folder to replace standard one
+      type: String
+      default: $env:TMP\atomictest\
+    payload:
+      description: 'executable to be placed in new startup location '
+      type: String
+      default: C:\Windows\System32\calc.exe
+  executor:
+    command: |
+      New-Item -ItemType Directory -path "#{new_startup_folder}"
+      Copy-Item -path "#{payload}" -destination "#{new_startup_folder}"
+      Set-ItemProperty -Path  "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value "#{new_startup_folder}"
+    cleanup_command: |
+      Set-ItemProperty -Path  "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"
+      Remove-Item "#{new_startup_folder}" -Recurse -Force
+    name: powershell
+    elevation_required: true
+
+- name: Change Startup Folder - HKCU Modify User Shell Folders Startup Value
+  description: | 
+    This test will modify the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  -V "Startup" value 
+    to point to a new startup folder where a payload could be stored to launch at boot.  *successful execution requires system restart
+  supported_platforms:
+  - windows
+  input_arguments:
+    new_startup_folder:
+      description: new startup folder to replace standard one
+      type: String
+      default: $env:TMP\atomictest\
+    payload:
+      description: 'executable to be placed in new startup location '
+      type: String
+      default: C:\Windows\System32\calc.exe
+  executor:
+    command: | 
+        New-Item -ItemType Directory -path "#{new_startup_folder}"
+        Copy-Item -path "#{payload}" -destination "#{new_startup_folder}"
+        Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "#{new_startup_folder}"
+    cleanup_command: |
+        Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
+        Remove-Item "#{new_startup_folder}" -Recurse -Force
+    name: powershell
+    elevation_required: true
+
+- name: HKCU - Policy Settings Explorer Run Key
+  description: | 
+    This test will create a new value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run to launch calc.exe on boot. 
+    *Requires reboot
+  supported_platforms:
+  - windows
+  input_arguments:
+    target_key_value_name:
+      description: registry value to crate on target key
+      type: string
+      default: atomictest
+    payload:
+      description: 'payload to execute'
+      type: String
+      default: C:\Windows\System32\calc.exe
+  executor:
+    command: try {if($(get-item -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run").PSChildName -eq "Run"){Set-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}} catch {New-Item -ItemType Key -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"; Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}
+    cleanup_command: Remove-ItemProperty -Path  "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}"
+    name: powershell
+    elevation_required: true
+
+- name: HKLM - Policy Settings Explorer Run Key
+  description: | 
+    This test will create a HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run key value to launch calc.exe on boot. 
+    *Requires reboot
+  supported_platforms:
+  - windows
+  input_arguments:
+    target_key_value_name:
+      description: registry value to crate on target key
+      type: string
+      default: atomictest
+    payload:
+      description: 'payload to execute'
+      type: String
+      default: C:\Windows\System32\calc.exe
+  executor:
+    command: try {if($(get-item -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -ErrorAction Stop).PSChildName -eq "Run"){Set-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}} catch {New-Item -ItemType Key -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"; Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}
+    cleanup_command: Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}"
+    name: powershell
+    elevation_required: true
+    
+- name: HKLM - Append Command to Winlogon Userinit KEY Value
+  description: | 
+    This test will append a command to the  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit value to launch calc.exe on boot.
+    * Requires reboot
+  supported_platforms:
+  - windows
+  input_arguments:
+    payload:
+      description: what to run
+      type: String
+      default: C:\Windows\System32\calc.exe
+  executor:
+    command: |
+      $oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit");
+      Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit-backup" -Value "$oldvalue";
+      $newvalue = $oldvalue + " #{payload}";
+      Set-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit" -Value "$newvalue"
+    cleanup_command: |-
+      $oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Userinit-backup');
+      Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit" -Value "$oldvalue";
+      Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Userinit-backup'
+    name: powershell
+    elevation_required: true
+
+- name: 'HKLM - Modify default System Shell - Winlogon Shell KEY Value '
+  description: | 
+    This test change the default value of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell from "explorer.exe" to the full path of "C:\Windows\explorer.exe" 
+    to log a change to the key's default value without breaking boot sequence. 
+    An atacker will alternatively replace this with a custom shell. 
+  supported_platforms:
+  - windows
+  input_arguments:
+    payload:
+      description: what to run
+      type: String
+      default: C:\Windows\explorer.exe
+  executor:
+    command: |
+      $oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell");
+      Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell-backup" -Value "$oldvalue";
+      $newvalue = $oldvalue + ", #{payload}";
+      Set-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -Value "$newvalue"
+    cleanup_command: |-
+      $oldvalue = $(Get-ItemPropertyValue -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup');
+      Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -Value "$oldvalue";
+      Remove-ItemProperty -Path  "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'
+    name: powershell
+    elevation_required: true