From ef0e95bf50d126b592449b47bf6097127755df25 Mon Sep 17 00:00:00 2001
From: Andrew Beers <apbeers@icloud.com>
Date: Thu, 21 May 2020 17:12:16 -0500
Subject: [PATCH] T1500 - Dynamic C# Compile (#1008)

* write test

* use input arg in command

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
---
 atomics/T1500/T1500.yaml                   |  32 ++++++++++++++-
 atomics/T1500/bin/T1500_DynamicCompile.exe | Bin 0 -> 6656 bytes
 atomics/T1500/src/DynamicCompile.cs        |  43 +++++++++++++++++++++
 3 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 atomics/T1500/bin/T1500_DynamicCompile.exe
 create mode 100644 atomics/T1500/src/DynamicCompile.cs

diff --git a/atomics/T1500/T1500.yaml b/atomics/T1500/T1500.yaml
index 5d5c0d02..6e54bfad 100644
--- a/atomics/T1500/T1500.yaml
+++ b/atomics/T1500/T1500.yaml
@@ -30,7 +30,6 @@ atomic_tests:
         New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null
         Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1500/src/calc.cs" -OutFile "#{input_file}"
 
-
   executor:
     name: command_prompt
     elevation_required: false
@@ -38,3 +37,34 @@ atomic_tests:
       C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{input_file}
     cleanup_command: | 
       del #{output_file} >nul 2>&1
+
+- name: Dynamic C# Compile
+  description: |
+    When C# is compiled dynamically, a .cmdline file will be created as a part of the process. 
+    Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution.
+    The exe file that will be executed is named as T1500_DynamicCompile.exe is containted in the 'bin' folder of this atomic, and the source code to the file is in the 'src' folder.
+    Upon execution, the exe will print 'T1500 Dynamic Compile'.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    input_file:
+      description: exe program containing dynamically compiled C# code
+      type: Path
+      default: PathToAtomicsFolder\T1500\bin\T1500_DynamicCompile.exe
+
+  dependency_executor_name: powershell
+  dependencies:
+    - description: |
+        exe file must exist on disk at specified location (#{input_file})
+      prereq_command: |
+        if (Test-Path #{input_file}) {exit 0} else {exit 1}
+      get_prereq_command: |
+        Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1500/bin/T1500_DynamicCompile.exe -OutFile #{input_file}
+
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      Invoke-Expression #{input_file}
diff --git a/atomics/T1500/bin/T1500_DynamicCompile.exe b/atomics/T1500/bin/T1500_DynamicCompile.exe
new file mode 100644
index 0000000000000000000000000000000000000000..deb3f676356f20e07acdb1f5e65574d4c3fe6352
GIT binary patch
literal 6656
zcmeHLU2Ggz6+W};*p3rB@!I)M+Q}wq^XK*2aef;o{#iS98#|77?UK~Oot?d2Pcu8S
zotbsLp{Y_3kt#qm4<PXp1d2fA1u8&<0;xctzEA`bf<8phM+6UjKvcj3<vVv~cGo{?
zojwxodd}Q?&bjBFbMBpU?(yj5*C<Lvb$CAfkmwHH-1;Q^XmB0mmPg-gp&zV$XZIcD
z{5!idbB3!H9Xs!61y$E9%l6c)P@R&c8kU;6kX8$JP9&O}oAw5x$A^f{D^Ys$+Z%3%
ztG!2YTBjr-9GE5_d$0p<6;B@?1}a_=UvKoNo&mS(c!1{?rRP3Rv{C+5-@(vlp?41x
zUEqEn(fW#zfXJ`sfX7P(-w7VCwy8voHN1@&KUp(Qcw)iBIN1yUnzS|08zb3Nte$XO
zN5@F&)`t!Yg-Nxo585XjVcKA1U0G-8gRMNMwmzbP>d5b{XTPGcZV_5Te^FuQI`&<J
zlp41(&uUs*GD@EYBj&b}y8-*x<U-x1bq!nWR^H79JBF77deLq}@3H!Z{jj^<ZpUDK
zqrHi#TbQ~Tz2>#fAo`DPwSj7Ct81-mZ?|Dq(_;sT+LCpIS!`-6ZTZp;th#TrGXwr_
zHXWk+gYn4zZD1v^(m?vD0fn_fV;{};B$A0E$s=7S8MB5=z&Qxo^D@!z@xC2JKkYe&
zm3NtA0cRt_xXCpAdab_&d(KUcq(Hle@iav588GcEGowL-a&A+EKqC6La)e+FuMQ=d
z2LJkFC|KEgrZbJ`1I5?0o~|e#MC$2X3BOLijBKFIm|9P7QwsPog<+?JZ%OzC32#gI
zC&}}D`XhL5N*I&)f6)eD+~|o&6MZh?0FFn$1*iko(<^iWFds<)GZona|9v&W_#07P
z>x_gqq~rsU6H;AYSKqrEDH$=SAGRtquCgsR>1-s6(NBZXWtxMP_vGlt*1M3&LKJ#B
zx|Z%n6l^8qwgEQL0l<yaCE-a4`z0Ka@S=p5B-8*mks<ppNLZHeRY11hhhL6vLVsWM
zae9N==rH}5`XK#lbTxX4eoimbS^5SYqapeoWoZ<i;8_V;M+Lw(ng`rLUjf`hw*U_z
zS|;d-gilB~DDh9zUEtFa^Q?qA{Q;OOFf&0eH7naGLv`2v69D6bX5h_nIBb`K;I|m(
z`&{yz9<_5NQ=FlKtJ{ugWT`)wqjcHzL?JO~o2Jk`!?xT+x+ru*GmWbvN9Tk$D!e&6
zM}u~uXqckkbwwd-mWLg?khV*XE|_N!ftp6FdHaf>OxMw5awb)_w1S}rvzRASE(-F6
z4QMW=m5f}!hmR&(@&u(swv^9nS*%dOVe*vW8jEn@`WeHkWv!qcEhh?^bEPUJqd9ru
z4I{~j7wuX?IA<7UO$o<^@zq%&anQDAjeN<`*f-0`DdFmlQCv*)jg~VegsCmap1XYV
zxPu+hz2$^KyI6LN{M?G9LQ%8I)j1O-%QFgs*Tgzm!!*1a>PnlD5DOyQ_h5D+upa@8
z{5VEXjuUghNTZrzRVInq;IIVD)zcGf@Q5{Q)2N|4wrkINiNW-o<`l_)@mYcJc_Swr
zoT{8i*@eouavUWZ$5I|ThZ4GHJK_2%L(5yX>lwNmqCz`HEKfLgF)f^VLl?`)p}Y#+
zKXx!19|zcRP-Z5?tZ;;-i(GI93=jqkD+jJ&Q$vKufpWv|!5P>1WMS1RYC^ar({t%U
z_IZ3$QfRPnD6&j0RyrpvfrBMRtWi<0oifp;G=W4O2^mFl$TY|`hf=^=qycA;PGg7`
z30jOBB%5-WMLQPbM}hMYLzzmS{d)<*4T#E<3L({{o}gxg4>f=)diVeNiU>$5LM0sw
zs7sV#1$}w<m%^0Ktcoj?QKS+AttnlgN+)SBjUA%mF`<i#-%?#d$E-%5aHR*+E1dOF
z`pshl3~a$t?P|AYKN8r3Xc?~i$+Qh;vwtl3&4vdBj@2{dKvO<|=kd1i-j54*28r(|
zCGlHofl4f)fU{so32|5vo~Ce()xEDhkoBwMzDD%+ugrhGaaB2YyJh-X>ASn*RHrIR
zV^k$&4LYr@JZxbQS>LcGHWV9)jm9p<ChJs+T>`qXrBRIlHL?p#6w@#%cCn=axXG4Q
zQLjdJ?%cJru0h$=()gpR(^K1e-g|WoDHtLT1E&P{`bYSRlZkA8#?gvnwl%b%3z;-B
zbB_I@tAMXT;VivPq4t$xHg27gzD1!}B|E6UcwJSylietO4k)x&KcXj3=8h#hlF3}I
zqeshX9Vc^Qw&Qs6Sn}ktquTM~$GUN!#Zq0k&f-Tjs?g5F*ifdD9S;YIpchx(<B4wQ
z+|phlrVO`eYUMG+yLO(XRw%0Eme-8OADKcO<=;)O<Nc|_c(^vJX-i5Hnn<V8zy0%f
zZhi4etnb#d<`3`u<{y7!a|cgNPr8V#5>C7Fx-spDqU}zv<fN66cJ}#c8Rl0cCyKc&
zQBc>gird55u}0sp8`eMmcxKRch8Bd(jPgz;L?UN$ZGh@{AE|w^_rD7wvb0oDMRVym
z?pM<_=K6Ph)WO$lkm$;Tyc8+%Oqsh6|9X5-uk{hV#Kln1UW)dhH-&UF12{wz=#8L4
zAH#SAaM-Wb>1TEC|Hog~Upv&{Y#;}s1FZrCUMY#2LRxVk#}95J2#B)?cii?8&&q(R
z$pFd;h|>{=Q@?$$?p}oDrh(_6%4v7Gq&t#_L#zMmL6XClN!u|~34&_@Vc3EcSzLk^
zuc2`gwvful@MgZSP0%KAh3ln2agiojkK!UdtD${nNg7`q*ja88(X1+S3Njr?t=im$
z1d^;gg#FkCe)bwC6bEk&NusLhYS&I+_5vPmPf`pr&tsIA(pbwP>}SjJI6eG-lI1v+
zUMCg5Zs^Akq0VRjR^|9R$#<v%<T|LoLT?jYmUdhS*5I9FJ3`;`$oKpwvF9ndPvely
zceE1r$gA-XpRh3Xe*FIQ$o*L?Yw0d6-J=t7PCu-5rR{vhD#KGBH*Y6CkiUkX6a4x9
zPu@CxcA;RZ^L{DS8%LIjtGGzpd~@!NPiBTYPQ+E$)2y6k+Lq{zmxUWYd#1Umx#_eP
z)RihkSZ;5;<XER%eGavp+kraLFC;p2yKqW#3yJxzxLVLGV^+9cn6cz~5T>dXVIw(#
z;>as6(up%)Tt#&X1xCyL#iD8GvO-H}#bUhEm*6=i*W)T?mHKqY<vgtI3cciD&0q|S
zBVH&$PmvpUjCs_WdEu^7>XA^YidL0_q@$O(<UB9tg{hhhd*hnx7vN4@EgAhfsvo#<
zRx@1@7$t>tuAoh*dgmhDPj^<F0EW|@;SQa_X8*rEoE}j9|A!v#eK^g3*scCAigpxW

literal 0
HcmV?d00001

diff --git a/atomics/T1500/src/DynamicCompile.cs b/atomics/T1500/src/DynamicCompile.cs
new file mode 100644
index 00000000..554c79c3
--- /dev/null
+++ b/atomics/T1500/src/DynamicCompile.cs
@@ -0,0 +1,43 @@
+using Microsoft.CSharp;
+using System.CodeDom.Compiler;
+using System.Reflection;
+
+
+namespace T1500_DynamicCompile
+{
+    class Program
+    {
+        static void Main(string[] args)
+        {
+            CSharpCodeProvider provider = new CSharpCodeProvider();
+            CompilerParameters parameters = new CompilerParameters();
+            parameters.GenerateInMemory = true;
+            parameters.ReferencedAssemblies.Add("System.dll");
+
+            CompilerResults results = provider.CompileAssemblyFromSource(parameters, GetCode());
+
+            var cls = results.CompiledAssembly.GetType("DynamicNS.DynamicCode");
+            var method = cls.GetMethod("DynamicMethod", BindingFlags.Static | BindingFlags.Public);
+            method.Invoke(null, null);
+        }
+
+        static string[] GetCode()
+        {
+            return new string[]
+            {
+                @"using System;
+ 
+                namespace DynamicNS
+                {
+                    public static class DynamicCode
+                    {
+                        public static void DynamicMethod()
+                        {
+                            Console.WriteLine(""T1500 Dynamic Compile"");
+                        }
+                    }
+                }"
+            };
+        }
+    }
+}