T1500 - Dynamic C# Compile (#1008)

* write test * use input arg in command Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-05-21 17:12:16 -05:00
parent 3c588cc680
commit ef0e95bf50
3 changed files with 74 additions and 1 deletions
@@ -30,7 +30,6 @@ atomic_tests:
        New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null
        Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1500/src/calc.cs" -OutFile "#{input_file}"

-
  executor:
    name: command_prompt
    elevation_required: false
@@ -38,3 +37,34 @@ atomic_tests:
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{input_file}
    cleanup_command: | 
      del #{output_file} >nul 2>&1
+
+- name: Dynamic C# Compile
+  description: |
+    When C# is compiled dynamically, a .cmdline file will be created as a part of the process. 
+    Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution.
+    The exe file that will be executed is named as T1500_DynamicCompile.exe is containted in the 'bin' folder of this atomic, and the source code to the file is in the 'src' folder.
+    Upon execution, the exe will print 'T1500 Dynamic Compile'.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    input_file:
+      description: exe program containing dynamically compiled C# code
+      type: Path
+      default: PathToAtomicsFolder\T1500\bin\T1500_DynamicCompile.exe
+
+  dependency_executor_name: powershell
+  dependencies:
+    - description: |
+        exe file must exist on disk at specified location (#{input_file})
+      prereq_command: |
+        if (Test-Path #{input_file}) {exit 0} else {exit 1}
+      get_prereq_command: |
+        Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1500/bin/T1500_DynamicCompile.exe -OutFile #{input_file}
+
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      Invoke-Expression #{input_file}
@@ -0,0 +1,43 @@
+using Microsoft.CSharp;
+using System.CodeDom.Compiler;
+using System.Reflection;
+
+
+namespace T1500_DynamicCompile
+{
+    class Program
+    {
+        static void Main(string[] args)
+        {
+            CSharpCodeProvider provider = new CSharpCodeProvider();
+            CompilerParameters parameters = new CompilerParameters();
+            parameters.GenerateInMemory = true;
+            parameters.ReferencedAssemblies.Add("System.dll");
+
+            CompilerResults results = provider.CompileAssemblyFromSource(parameters, GetCode());
+
+            var cls = results.CompiledAssembly.GetType("DynamicNS.DynamicCode");
+            var method = cls.GetMethod("DynamicMethod", BindingFlags.Static | BindingFlags.Public);
+            method.Invoke(null, null);
+        }
+
+        static string[] GetCode()
+        {
+            return new string[]
+            {
+                @"using System;
+ 
+                namespace DynamicNS
+                {
+                    public static class DynamicCode
+                    {
+                        public static void DynamicMethod()
+                        {
+                            Console.WriteLine(""T1500 Dynamic Compile"");
+                        }
+                    }
+                }"
+            };
+        }
+    }
+}