diff --git a/atomics/T1547.001/T1547.001.yaml b/atomics/T1547.001/T1547.001.yaml
index d5d1c5ef..81518de9 100644
--- a/atomics/T1547.001/T1547.001.yaml
+++ b/atomics/T1547.001/T1547.001.yaml
@@ -176,3 +176,145 @@ atomic_tests:
 Remove-ItemProperty -Path #{reg_key_path} -Name "socks5_powershell" -Force -ErrorAction Ignore
 name: powershell
+- name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
+ description: |
+ This test will modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders -V "Common Startup"
+ value to point to a new startup folder where a payload could be stored to launch at boot. *successful execution requires system restart
+ supported_platforms:
+ - windows
+ input_arguments:
+ new_startup_folder:
+ description: new startup folder to replace standard one
+ type: String
+ default: $env:TMP\atomictest\
+ payload:
+ description: 'executable to be placed in new startup location '
+ type: String
+ default: C:\Windows\System32\calc.exe
+ executor:
+ command: |
+ New-Item -ItemType Directory -path "#{new_startup_folder}"
+ Copy-Item -path "#{payload}" -destination "#{new_startup_folder}"
+ Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value "#{new_startup_folder}"
+ cleanup_command: |
+ Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"
+ Remove-Item "#{new_startup_folder}" -Recurse -Force
+ name: powershell
+ elevation_required: true
+
+- name: Change Startup Folder - HKCU Modify User Shell Folders Startup Value
+ description: |
+ This test will modify the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders -V "Startup" value
+ to point to a new startup folder where a payload could be stored to launch at boot. 
*successful execution requires system restart
+ supported_platforms:
+ - windows
+ input_arguments:
+ new_startup_folder:
+ description: new startup folder to replace standard one
+ type: String
+ default: $env:TMP\atomictest\
+ payload:
+ description: 'executable to be placed in new startup location '
+ type: String
+ default: C:\Windows\System32\calc.exe
+ executor:
+ command: |
+ New-Item -ItemType Directory -path "#{new_startup_folder}"
+ Copy-Item -path "#{payload}" -destination "#{new_startup_folder}"
+ Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "#{new_startup_folder}"
+ cleanup_command: |
+ Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
+ Remove-Item "#{new_startup_folder}" -Recurse -Force
+ name: powershell
+ elevation_required: true
+
+- name: HKCU - Policy Settings Explorer Run Key
+ description: |
+ This test will create a new value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run to launch calc.exe on boot. 
+ *Requires reboot
+ supported_platforms:
+ - windows
+ input_arguments:
+ target_key_value_name:
+ description: registry value to crate on target key
+ type: string
+ default: atomictest
+ payload:
+ description: 'payload to execute'
+ type: String
+ default: C:\Windows\System32\calc.exe
+ executor:
+ command: try {if($(get-item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run").PSChildName -eq "Run"){Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}} catch {New-Item -ItemType Key -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"; Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}
+ cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}"
+ name: powershell
+ elevation_required: true
+
+- name: HKLM - Policy Settings Explorer Run Key
+ description: |
+ This test will create a HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run key value to launch calc.exe on boot. 
+ *Requires reboot
+ supported_platforms:
+ - windows
+ input_arguments:
+ target_key_value_name:
+ description: registry value to crate on target key
+ type: string
+ default: atomictest
+ payload:
+ description: 'payload to execute'
+ type: String
+ default: C:\Windows\System32\calc.exe
+ executor:
+ command: try {if($(get-item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -ErrorAction Stop).PSChildName -eq "Run"){Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}} catch {New-Item -ItemType Key -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"; Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"}
+ cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}"
+ name: powershell
+ elevation_required: true
+
+- name: HKLM - Append Command to Winlogon Userinit KEY Value
+ description: |
+ This test will append a command to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit value to launch calc.exe on boot. 
+ * Requires reboot
+ supported_platforms:
+ - windows
+ input_arguments:
+ payload:
+ description: what to run
+ type: String
+ default: C:\Windows\System32\calc.exe
+ executor:
+ command: |
+ $oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit");
+ Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit-backup" -Value "$oldvalue";
+ $newvalue = $oldvalue + " #{payload}";
+ Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit" -Value "$newvalue"
+ cleanup_command: |-
+ $oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Userinit-backup');
+ Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit" -Value "$oldvalue";
+ Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Userinit-backup'
+ name: powershell
+ elevation_required: true
+
+- name: 'HKLM - Modify default System Shell - Winlogon Shell KEY Value '
+ description: |
+ This test change the default value of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell from "explorer.exe" to the full path of "C:\Windows\explorer.exe"
+ to log a change to the key's default value without breaking boot sequence.
+ An atacker will alternatively replace this with a custom shell. 
+ supported_platforms:
+ - windows
+ input_arguments:
+ payload:
+ description: what to run
+ type: String
+ default: C:\Windows\explorer.exe
+ executor:
+ command: |
+ $oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell");
+ Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell-backup" -Value "$oldvalue";
+ $newvalue = $oldvalue + ", #{payload}";
+ Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -Value "$newvalue"
+ cleanup_command: |-
+ $oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup');
+ Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -Value "$oldvalue";
+ Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'
+ name: powershell
+ elevation_required: true
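Review bot: The Winlogon Userinit and Shell cleanup_commands restore from `Userinit-backup`/`Shell-backup` without checking that the backup value exists, and the commands overwrite that backup unconditionally on every run, so a cleanup run on a host where the test never ran writes an empty string into a logon-critical value (which can leave the machine unable to complete an interactive logon), and running the test twice before cleaning up makes the "restore" write back the already-appended, payload-bearing value and leaves the persistence in place. Guard both sides, e.g. in the command `if (-not (Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit-backup" -ErrorAction SilentlyContinue)) { Set-ItemProperty ... -Name "Userinit-backup" -Value "$oldvalue" }` and in cleanup `$oldvalue = Get-ItemPropertyValue ... -Name 'Userinit-backup' -ErrorAction SilentlyContinue; if ($oldvalue) { Set-ItemProperty ... -Name "Userinit" -Value "$oldvalue" }`, with the same change for the Shell test. Separately, the HKCU Policies\Explorer\Run command calls `get-item` without `-ErrorAction Stop`, unlike the HKLM variant, so when the key is absent (the usual case) the error is non-terminating, the `-eq "Run"` check is simply false, the catch branch that creates the key never runs and the test silently does nothing; add `-ErrorAction Stop` there to match the HKLM command.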