security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

SDDL Tampering Atomics (#3006)

Browse Source 
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Nasreddine Bencherchali
2024-12-11 01:46:01 +01:00
committed by GitHub
parent 24d1919fdf
commit c800c57aab
2 changed files with 81 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1222.001/T1222.001.yaml
+24
View File
@@ -140,3 +140,27 @@ atomic_tests:
icacls '#{path}' /restore #{file_path} /q >nul 2>&1
name: command_prompt
elevation_required: true
- name: SubInAcl Execution
description: |-
This test simulates an adversary executing the Windows Resource kit utility SubInAcl. This utility was abused by adversaries in the past in order to modify access permissions. Upon execution, a process creation log should be generated indicating successful execution.
supported_platforms:
- windows
input_arguments:
SubInAclDownloadPath:
type: string
default: https://web.archive.org/web/20120528222424if_/http://download.microsoft.com/download/1/7/d/17d82b72-bc6a-4dc8-bfaa-98b37b22b367/subinacl.msi
description: Download URL for SubInAcl
dependency_executor_name: powershell
dependencies:
- description: |
Download subinacl
prereq_command: |
if (Test-Path "Test-Path C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe") {exit 0} else {exit 1}
get_prereq_command: |-
New-Item -Path C:\Users\Public\SubInAcl -ItemType Directory | Out-Null
Invoke-WebRequest #{SubInAclDownloadPath} -OutFile C:\Users\Public\SubInAcl\SubInAcl.msi
msiexec.exe /i "C:\Users\Public\SubInAcl\SubInAcl.msi" /qn
executor:
command: '"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe"'
name: command_prompt
elevation_required: true
atomics/T1562.002/T1562.002.yaml
+57
View File
@@ -145,3 +145,60 @@ atomic_tests:
cleanup_command: |
echo "Sorry you have to reboot"
name: command_prompt
- name: Modify Event Log Channel Access Permissions via Registry - PowerShell
description: |-
This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
supported_platforms:
- windows
input_arguments:
ChannelPath:
type: string
default: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational
description: Path to the event log service channel to alter
executor:
command: |-
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
Restart-Service -Name EventLog -Force -ErrorAction Ignore
cleanup_command: |-
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)"
Restart-Service -Name EventLog -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell
description: |-
This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
supported_platforms:
- windows
input_arguments:
ChannelPath:
type: string
default: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup
description: Path to the event log service channel to alter
executor:
command: |-
New-Item -Path #{ChannelPath} -Force
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
Restart-Service -Name EventLog -Force -ErrorAction Ignore
cleanup_command: |-
Remove-Item -Path #{ChannelPath} -Force
Restart-Service -Name EventLog -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Modify Event Log Access Permissions via Registry - PowerShell
description: |-
This test simulates an adversary modifying access permissions for a Windows Event Log channel by setting the "CustomSD" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
supported_platforms:
- windows
input_arguments:
CustomSDPath:
type: string
default: HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System
description: Path to the event log service channel to alter
executor:
command: 'Set-ItemProperty -Path #{CustomSDPath} -Name "CustomSD" -Value "O:SYG:SYD:(D;;0x1;;;WD)"'
cleanup_command: 'Remove-ItemProperty -Path #{CustomSDPath} -Name "CustomSD"'
name: powershell
elevation_required: true