security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1218.009/T1218.009.yaml
T
Carrie Roberts d4709021fb Handle spaces in file paths (#2535) 
* updating atomics count in README.md [ci skip]

* wip

* handle spaces in path

* update readme

* fix typo

---------

Co-authored-by: publish bot <opensource@redcanary.com>
2023-09-22 10:47:25 -06:00

74 lines
4.1 KiB
YAML
Raw Permalink Blame History

attack_technique: T1218.009
display_name: 'Signed Binary Proxy Execution: Regsvcs/Regasm'
atomic_tests:
- name: Regasm Uninstall Method Call Test
auto_generated_guid: 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112
description: |
Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn't really execute either." will be displayed.
supported_platforms:
- windows
input_arguments:
output_file:
description: Location of the payload
type: path
default: '%tmp%\T1218.009.dll'
source_file:
description: Location of the CSharp source_file
type: path
default: PathToAtomicsFolder\T1218.009\src\T1218.009.cs
dependency_executor_name: powershell
dependencies:
- description: |
The CSharp source file must exist on disk at specified location (#{source_file})
prereq_command: |
if (Test-Path "#{source_file}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "#{source_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs" -OutFile "#{source_file}"
executor:
command: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"#{output_file}" /target:library "#{source_file}"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file}
cleanup_command: |
del #{output_file} >nul 2>&1
name: command_prompt
- name: Regsvcs Uninstall Method Call Test
auto_generated_guid: fd3c1c6a-02d2-4b72-82d9-71c527abb126
description: |
Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, "I shouldn't really execute" will be displayed
along with other information about the assembly being installed.
supported_platforms:
- windows
input_arguments:
output_file:
description: Location of the payload
type: path
default: $Env:TEMP\T1218.009.dll
source_file:
description: Location of the CSharp source_file
type: path
default: PathToAtomicsFolder\T1218.009\src\T1218.009.cs
dependency_executor_name: powershell
dependencies:
- description: |
The CSharp source file must exist on disk at specified location (#{source_file})
prereq_command: |
if (Test-Path "#{source_file}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "#{source_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs" -OutFile "#{source_file}"
executor:
command: |
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content $env:Temp\key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"#{output_file}" /target:library /keyfile:$env:Temp\key.snk #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{output_file}
cleanup_command: |
Remove-Item #{output_file} -ErrorAction Ignore | Out-Null
$parentpath = Split-Path -Path "#{output_file}"
Remove-Item $parentpath\key.snk -ErrorAction Ignore | Out-Null
Remove-Item $parentpath\T1218.009.tlb -ErrorAction Ignore | Out-Null
name: powershell
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink