diff --git a/atomics/T1138/T1138.yaml b/atomics/T1138/T1138.yaml
index c20dc47a..15f9b867 100644
--- a/atomics/T1138/T1138.yaml
+++ b/atomics/T1138/T1138.yaml
@@ -5,16 +5,19 @@ display_name: Application Shimming
 atomic_tests:
 - name: Application Shim Installation
 description: |
- Install a shim database. This technique is used for privelage escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete."
- will be displayed.
+ Install a shim database. This technique is used for privilege escalation and bypassing user access control.
+ Upon execution, "Installation of AtomicShim complete." will be displayed. To verify the shim behavior, run
+ the AtomicTest.exe from the \T1138\bin directory. You should see a message box appear
+ with "Atomic Shim DLL Test!" as defined in the AtomicTest.dll. To better understand what is happening, review
+ the source code files is the \T1138\src directory.
 supported_platforms:
 - windows
 input_arguments:
 file_path:
- description: Path to the shim databaase file
+ description: Path to the shim database file
 type: String
- default: PathToAtomicsFolder\T1138\src\AtomicShimx86.sdb
+ default: PathToAtomicsFolder\T1138\bin\AtomicShimx86.sdb
 dependency_executor_name: powershell
 dependencies:
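Review bot: The last added description line has a typo, `review the source code files is the \T1138\src directory` should read `in the \T1138\src directory`, and the two bare `\T1138\bin` / `\T1138\src` paths in the new text omit the `PathToAtomicsFolder` prefix that the updated `default` value on the same hunk uses, leaving the reader to guess which root they are relative to. The description also sends readers to the src directory for the source, yet this same commit deletes `atomics/T1138/src/AtomicShim.zip` while `src/README.md` keeps the line `All Files Contained in .Zip.`, so that pointer leads to a README describing a file that no longer exists; either update that README line or say in the description what actually remains in src. Suggested wording for the last line: `the source code files in the PathToAtomicsFolder\T1138\src directory.` The trailing context lines of this hunk appear to have been lost in extraction, so the dependencies block it leads into is only visible in the next hunk.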
@@ -24,7 +27,14 @@ atomic_tests:
 if (Test-Path #{file_path}) {exit 0} else {exit 1}
 get_prereq_command: |
 New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1138/src/AtomicShimx86.sdb" -OutFile "#{file_path}"
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1138/bin/AtomicShimx86.sdb" -OutFile "#{file_path}"
+ - description: |
+ AtomicTest.dll must exist at c:\Tools\AtomicTest.dll
+ prereq_command: |
+ if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1138/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll
 executor:
 name: command_prompt
diff --git a/atomics/T1138/src/AtomicShimx86.sdb b/atomics/T1138/bin/AtomicShimx86.sdb
old mode 100755
new mode 100644
similarity index 100%
rename from atomics/T1138/src/AtomicShimx86.sdb
rename to atomics/T1138/bin/AtomicShimx86.sdb
diff --git a/atomics/T1138/src/AtomicTest.dll b/atomics/T1138/bin/AtomicTest.dll
old mode 100755
new mode 100644
similarity index 100%
rename from atomics/T1138/src/AtomicTest.dll
rename to atomics/T1138/bin/AtomicTest.dll
diff --git a/atomics/T1138/bin/AtomicTest.exe b/atomics/T1138/bin/AtomicTest.exe
new file mode 100644
index 00000000..e66b63dd
Binary files /dev/null and b/atomics/T1138/bin/AtomicTest.exe differ
diff --git a/atomics/T1138/src/AtomicShim.zip b/atomics/T1138/src/AtomicShim.zip
deleted file mode 100755
index 610cda5c..00000000
Binary files a/atomics/T1138/src/AtomicShim.zip and /dev/null differ
diff --git a/atomics/T1138/src/README.md b/atomics/T1138/src/README.md
index a1ea1682..de6d4895 100644
--- a/atomics/T1138/src/README.md
+++ b/atomics/T1138/src/README.md
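Review bot: The added dependency's get_prereq_command fetches AtomicTest.dll from the `raw/master` URL into a hard-coded `c:\Tools\AtomicTest.dll` with no integrity check, so neither the content nor the location of a DLL this test causes to be loaded is pinned, and unlike the shim database the path is not routed through an input argument such as `#{file_path}`. Because the prereq_command only tests for existence, a later change on master or a locally altered file in c:\Tools is accepted silently. Suggest exposing the DLL path as an input argument next to file_path and verifying a recorded hash after download, e.g. `if ((Get-FileHash c:\Tools\AtomicTest.dll -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256>') { exit 1 }`, with the expected value noted in the dependency description. The fixed c:\Tools location presumably mirrors a path baked into the compiled .sdb; if that is the case, state it in the description (`AtomicTest.dll must exist at c:\Tools\AtomicTest.dll (path is referenced by AtomicShimx86.sdb)`) so nobody relocates it and gets a passing prereq with a non-working shim.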
@@ -1,9 +1,5 @@
 ## Application Compatibility Shims
-[Reference](https://blogs.technet.microsoft.com/askperf/2011/06/17/demystifying-shims-or-using-the-app-compat-toolkit-to-make-your-old-stuff-work-with-your-new-stuff/)
-
-[Additional References:](https://sdb.tools/resources.html)
-
 All Files Contained in .Zip. Otherwise you can roll your own.