Generated docs from job=generate-docs branch=master [ci skip]

2024-08-03 01:27:36 +00:00
parent 5182c34b07
commit e580d4420f
12 changed files with 172 additions and 3 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1625-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1626-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -690,6 +690,7 @@ privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissi
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
 privilege-escalation,T1547,Boot or Logon Autostart Execution,2,Driver Installation Using pnputil.exe,5cb0b071-8a5a-412f-839d-116beb2ed9f7,powershell
+privilege-escalation,T1547,Boot or Logon Autostart Execution,3,Leverage Virtual Channels to execute custom DLL during successful RDP session,fdd45306-74f6-4ade-9a97-0a4895961228,command_prompt
 privilege-escalation,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
 privilege-escalation,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
 privilege-escalation,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
@@ -1066,6 +1067,7 @@ persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakn
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
 persistence,T1547,Boot or Logon Autostart Execution,2,Driver Installation Using pnputil.exe,5cb0b071-8a5a-412f-839d-116beb2ed9f7,powershell
+persistence,T1547,Boot or Logon Autostart Execution,3,Leverage Virtual Channels to execute custom DLL during successful RDP session,fdd45306-74f6-4ade-9a97-0a4895961228,command_prompt
 persistence,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
 persistence,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
 persistence,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
@@ -483,6 +483,7 @@ privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissi
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
 privilege-escalation,T1547,Boot or Logon Autostart Execution,2,Driver Installation Using pnputil.exe,5cb0b071-8a5a-412f-839d-116beb2ed9f7,powershell
+privilege-escalation,T1547,Boot or Logon Autostart Execution,3,Leverage Virtual Channels to execute custom DLL during successful RDP session,fdd45306-74f6-4ade-9a97-0a4895961228,command_prompt
 privilege-escalation,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
 privilege-escalation,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
 privilege-escalation,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
@@ -730,6 +731,7 @@ persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakn
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
 persistence,T1547,Boot or Logon Autostart Execution,2,Driver Installation Using pnputil.exe,5cb0b071-8a5a-412f-839d-116beb2ed9f7,powershell
+persistence,T1547,Boot or Logon Autostart Execution,3,Leverage Virtual Channels to execute custom DLL during successful RDP session,fdd45306-74f6-4ade-9a97-0a4895961228,command_prompt
 persistence,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
 persistence,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
 persistence,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
@@ -903,6 +903,7 @@
 - [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
  - Atomic Test #1: Add a driver [windows]
  - Atomic Test #2: Driver Installation Using pnputil.exe [windows]
+  - Atomic Test #3: Leverage Virtual Channels to execute custom DLL during successful RDP session [windows]
 - [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
  - Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
  - Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
@@ -1429,6 +1430,7 @@
 - [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
  - Atomic Test #1: Add a driver [windows]
  - Atomic Test #2: Driver Installation Using pnputil.exe [windows]
+  - Atomic Test #3: Leverage Virtual Channels to execute custom DLL during successful RDP session [windows]
 - [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
  - Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
  - Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
@@ -648,6 +648,7 @@
 - [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
  - Atomic Test #1: Add a driver [windows]
  - Atomic Test #2: Driver Installation Using pnputil.exe [windows]
+  - Atomic Test #3: Leverage Virtual Channels to execute custom DLL during successful RDP session [windows]
 - [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
  - Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
  - Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
@@ -998,6 +999,7 @@
 - [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
  - Atomic Test #1: Add a driver [windows]
  - Atomic Test #2: Driver Installation Using pnputil.exe [windows]
+  - Atomic Test #3: Leverage Virtual Channels to execute custom DLL during successful RDP session [windows]
 - [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
  - Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
  - Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
@@ -34765,6 +34765,35 @@ privilege-escalation:

          '
        name: powershell
+    - name: Leverage Virtual Channels to execute custom DLL during successful RDP
+        session
+      auto_generated_guid: fdd45306-74f6-4ade-9a97-0a4895961228
+      description: "Virtual Channels can be leveraged to alter RDP behavior using
+        dedicated Addins.The mechanism is implemented using DLLs which can be executed
+        during RDP session automatically. \nThe DLLs are loaded in the host system
+        only after successful connection is established with the remote system.\nOnce
+        the test is run, amsi.dll will be loaded on the host system during successful
+        RDP session.\nBlog :https://learn.microsoft.com/en-us/windows/win32/termserv/terminal-services-virtual-channels?redirectedfrom=MSDN\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        Subkey_Added:
+          description: New Sub key added in the registry path
+          type: String
+          default: Malware
+        dll_inf:
+          description: custom DLL to be executed
+          type: Path
+          default: C:\Windows\System32\amsi.dll
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins\#{Subkey_Added}"
+          /v Name /t REG_SZ /d "#{dll_inf}" /f
+
+          '
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal
+          Server Client\Default\Addins\#{Subkey_Added}" /f      '
+        name: command_prompt
+        elevation_required: true
  T1547.014:
    technique:
      modified: '2023-05-09T14:00:00.188Z'
@@ -58509,6 +58538,35 @@ persistence:

          '
        name: powershell
+    - name: Leverage Virtual Channels to execute custom DLL during successful RDP
+        session
+      auto_generated_guid: fdd45306-74f6-4ade-9a97-0a4895961228
+      description: "Virtual Channels can be leveraged to alter RDP behavior using
+        dedicated Addins.The mechanism is implemented using DLLs which can be executed
+        during RDP session automatically. \nThe DLLs are loaded in the host system
+        only after successful connection is established with the remote system.\nOnce
+        the test is run, amsi.dll will be loaded on the host system during successful
+        RDP session.\nBlog :https://learn.microsoft.com/en-us/windows/win32/termserv/terminal-services-virtual-channels?redirectedfrom=MSDN\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        Subkey_Added:
+          description: New Sub key added in the registry path
+          type: String
+          default: Malware
+        dll_inf:
+          description: custom DLL to be executed
+          type: Path
+          default: C:\Windows\System32\amsi.dll
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins\#{Subkey_Added}"
+          /v Name /t REG_SZ /d "#{dll_inf}" /f
+
+          '
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal
+          Server Client\Default\Addins\#{Subkey_Added}" /f      '
+        name: command_prompt
+        elevation_required: true
  T1547.014:
    technique:
      modified: '2023-05-09T14:00:00.188Z'
@@ -29165,6 +29165,35 @@ privilege-escalation:

          '
        name: powershell
+    - name: Leverage Virtual Channels to execute custom DLL during successful RDP
+        session
+      auto_generated_guid: fdd45306-74f6-4ade-9a97-0a4895961228
+      description: "Virtual Channels can be leveraged to alter RDP behavior using
+        dedicated Addins.The mechanism is implemented using DLLs which can be executed
+        during RDP session automatically. \nThe DLLs are loaded in the host system
+        only after successful connection is established with the remote system.\nOnce
+        the test is run, amsi.dll will be loaded on the host system during successful
+        RDP session.\nBlog :https://learn.microsoft.com/en-us/windows/win32/termserv/terminal-services-virtual-channels?redirectedfrom=MSDN\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        Subkey_Added:
+          description: New Sub key added in the registry path
+          type: String
+          default: Malware
+        dll_inf:
+          description: custom DLL to be executed
+          type: Path
+          default: C:\Windows\System32\amsi.dll
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins\#{Subkey_Added}"
+          /v Name /t REG_SZ /d "#{dll_inf}" /f
+
+          '
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal
+          Server Client\Default\Addins\#{Subkey_Added}" /f      '
+        name: command_prompt
+        elevation_required: true
  T1547.014:
    technique:
      modified: '2023-05-09T14:00:00.188Z'
@@ -48488,6 +48517,35 @@ persistence:

          '
        name: powershell
+    - name: Leverage Virtual Channels to execute custom DLL during successful RDP
+        session
+      auto_generated_guid: fdd45306-74f6-4ade-9a97-0a4895961228
+      description: "Virtual Channels can be leveraged to alter RDP behavior using
+        dedicated Addins.The mechanism is implemented using DLLs which can be executed
+        during RDP session automatically. \nThe DLLs are loaded in the host system
+        only after successful connection is established with the remote system.\nOnce
+        the test is run, amsi.dll will be loaded on the host system during successful
+        RDP session.\nBlog :https://learn.microsoft.com/en-us/windows/win32/termserv/terminal-services-virtual-channels?redirectedfrom=MSDN\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        Subkey_Added:
+          description: New Sub key added in the registry path
+          type: String
+          default: Malware
+        dll_inf:
+          description: custom DLL to be executed
+          type: Path
+          default: C:\Windows\System32\amsi.dll
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins\#{Subkey_Added}"
+          /v Name /t REG_SZ /d "#{dll_inf}" /f
+
+          '
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal
+          Server Client\Default\Addins\#{Subkey_Added}" /f      '
+        name: command_prompt
+        elevation_required: true
  T1547.014:
    technique:
      modified: '2023-05-09T14:00:00.188Z'
@@ -10,6 +10,8 @@ Since some boot or logon autostart programs run with higher privileges, an adver

 - [Atomic Test #2 - Driver Installation Using pnputil.exe](#atomic-test-2---driver-installation-using-pnputilexe)

+- [Atomic Test #3 - Leverage Virtual Channels to execute custom DLL during successful RDP session](#atomic-test-3---leverage-virtual-channels-to-execute-custom-dll-during-successful-rdp-session)
+

 <br/>

@@ -76,4 +78,45 @@ pnputil.exe -i -a #{driver_path}



+<br/>
+<br/>
+
+## Atomic Test #3 - Leverage Virtual Channels to execute custom DLL during successful RDP session
+Virtual Channels can be leveraged to alter RDP behavior using dedicated Addins.The mechanism is implemented using DLLs which can be executed during RDP session automatically. 
+The DLLs are loaded in the host system only after successful connection is established with the remote system.
+Once the test is run, amsi.dll will be loaded on the host system during successful RDP session.
+Blog :https://learn.microsoft.com/en-us/windows/win32/termserv/terminal-services-virtual-channels?redirectedfrom=MSDN
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** fdd45306-74f6-4ade-9a97-0a4895961228
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| Subkey_Added | New Sub key added in the registry path | String | Malware|
+| dll_inf | custom DLL to be executed | Path | C:&#92;Windows&#92;System32&#92;amsi.dll|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins\#{Subkey_Added}" /v Name /t REG_SZ /d "#{dll_inf}" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins\#{Subkey_Added}" /f
+```
+
+
+
+
+
 <br/>
@@ -32,6 +32,7 @@ atomic_tests:
      pnputil.exe -i -a #{driver_path}
    name: powershell
 - name: Leverage Virtual Channels to execute custom DLL during successful RDP session
+  auto_generated_guid: fdd45306-74f6-4ade-9a97-0a4895961228
  description: |
    Virtual Channels can be leveraged to alter RDP behavior using dedicated Addins.The mechanism is implemented using DLLs which can be executed during RDP session automatically. 
    The DLLs are loaded in the host system only after successful connection is established with the remote system.
@@ -1664,3 +1664,4 @@ bcd4c2bc-490b-4f91-bd31-3709fe75bbdf
 ab4d04af-68dc-4fee-9c16-6545265b3276
 b7fc4c3f-fe6e-479a-ba27-ef91b88536e3
 c095ad8e-4469-4d33-be9d-6f6d1fb21585
+fdd45306-74f6-4ade-9a97-0a4895961228