# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
# Name: Registry persistence creation
# RTA: registry_persistence_create.py
# signal.rule.name: Local Service Commands
# signal.rule.name: Potential Modification of Accessibility Binaries
# ATT&CK: T1015, T1103 (legacy IDs for Accessibility Features and AppInit DLLs; both were
#         folded into T1546 Event Triggered Execution sub-techniques, the technique listed in
#         the metadata below)
# Description: Creates registry persistence for mock malware in the Run and RunOnce keys, a
#              throw-away service under Services, AppInit_Dlls and AppCertDlls, Image File
#              Execution Options debuggers (accessibility binaries included), a NetSh helper
#              DLL and the LSA "Security Packages" (SSP) list.
# TODO: Split into multiple files
import sys
import time

from . import common
from . import RtaMetadata
# SIEM rules this RTA is expected to trigger. The header comment above also
# names "Local Service Commands", but only the accessibility-binaries rule is
# registered with the harness here.
_EXPECTED_SIEM_RULES = [
    {
        "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8",
        "rule_name": "Potential Modification of Accessibility Binaries",
    },
]

# Harness metadata: unique RTA id, supported platform (Windows only — every
# write below targets the Windows registry) and the ATT&CK technique covered.
metadata = RtaMetadata(
    uuid="c62c65bf-248e-4f5a-ad4f-a48736c1d6f2",
    platforms=["windows"],
    endpoint=[],
    siem=_EXPECTED_SIEM_RULES,
    techniques=["T1546"],
)
# Path to the mock "malware" binary shipped in the RTA bin directory. Every
# Run/RunOnce value and every IFEO "Debugger" value written by main() points
# at this path, and the @common.dependencies decorator requires it to exist.
TARGET_APP = common.get_path("bin", "myapp.exe")
def pause():
    """Sleep for half a second so consecutive registry events are spaced apart in the telemetry."""
    delay_seconds = 0.5
    time.sleep(delay_seconds)
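@common.requires_os(*metadata.platforms)
@common.dependencies(TARGET_APP)
def main():
    """Write mock persistence values into the well-known Windows registry locations.

    Touches, in order: Run/RunOnce (HKLM and HKCU), a throw-away ServiceTest
    service key (created, modified, then deleted), AppInit_Dlls, AppCertDlls,
    Image File Execution Options "Debugger" values for a list of accessibility
    binaries, the NetSh helper list and the LSA "Security Packages" list.

    Requires a Windows host and the mock binary TARGET_APP. The HKLM writes
    will presumably need an elevated process; nothing here catches permission
    errors, so a failure simply propagates out of main(). Only the writes that
    pass ``restore=True`` to common.write_reg are known to be reverted; see the
    NOTE(review) comments on the others. Returns None.
    """
    common.log("Suspicious Registry Persistence")
    winreg = common.get_winreg()

    # Logon persistence in both hives so per-user and machine-wide rules fire.
    # NOTE(review): unlike the AppInit/AppCert/IFEO writes below these do not
    # pass restore=True, so the Run/RunOnce entries pointing at TARGET_APP may
    # outlive the RTA — confirm what common.write_reg does by default.
    run_keys = (
        ("Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\", "RunOnceTest"),
        ("Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", "RunTest"),
    )
    for hive in (common.HKLM, common.HKCU):
        for subkey, value_name in run_keys:
            common.write_reg(hive, subkey, value_name, TARGET_APP)

    # create Services subkey for "ServiceTest"
    common.log("Creating ServiceTest registry key")
    hklm = winreg.HKEY_LOCAL_MACHINE
    # The key handle is used as a context manager so it is closed even when a
    # SetValueEx call raises (the previous version only closed it on success).
    # A failure part-way still leaves the ServiceTest key behind, since the
    # delete below is part of the scripted sequence rather than a finally.
    with winreg.CreateKey(hklm, "System\\CurrentControlSet\\Services\\ServiceTest\\") as hkey:
        # create "ServiceTest" data values
        common.log("Updating ServiceTest metadata")
        winreg.SetValueEx(hkey, "Description", 0, winreg.REG_SZ, "A fake service")
        winreg.SetValueEx(hkey, "DisplayName", 0, winreg.REG_SZ, "ServiceTest Service")
        winreg.SetValueEx(hkey, "ImagePath", 0, winreg.REG_SZ, "c:\\ServiceTest.exe")
        winreg.SetValueEx(hkey, "ServiceDLL", 0, winreg.REG_SZ, "C:\\ServiceTest.dll")

        # Overwrite the binary paths: this second write is the "service binary
        # modified" event, distinct from the initial creation above.
        common.log("Modifying ServiceTest binary")
        winreg.SetValueEx(hkey, "ImagePath", 0, winreg.REG_SZ, "c:\\ServiceTestMod.exe")
        winreg.SetValueEx(hkey, "ServiceDLL", 0, winreg.REG_SZ, "c:\\ServiceTestMod.dll")

    common.pause()

    # delete Service subkey for "ServiceTest"
    common.log("Removing ServiceTest", log_type="-")
    with winreg.CreateKey(hklm, "System\\CurrentControlSet\\Services\\") as hkey:
        winreg.DeleteKeyEx(hkey, "ServiceTest")

    common.pause()

    # Additional persistence: DLLs loaded into every user-mode / every
    # CreateProcess-calling process. Both are written and restored by the helper.
    common.log("Adding AppInit DLL")
    windows_base = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\"
    common.write_reg(common.HKLM, windows_base, "AppInit_Dlls", "evil.dll", restore=True, pause=True)

    common.log("Adding AppCert DLL")
    appcertdlls_key = "System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls"
    common.write_reg(common.HKLM, appcertdlls_key, "evil", "evil.dll", restore=True, pause=True)

    # IFEO "Debugger" hijack. The accessibility binaries are the ones reachable
    # from the logon screen, which is what the registered SIEM rule looks for;
    # normalprogram.exe is a control entry. Each write is restored by the helper.
    debugger_targets = [
        "normalprogram.exe",
        "sethc.exe",
        "utilman.exe",
        "magnify.exe",
        "narrator.exe",
        "osk.exe",
        "displayswitch.exe",
        "atbroker.exe",
    ]

    for victim in debugger_targets:
        common.log("Registering Image File Execution Options debugger for %s -> %s" % (victim, TARGET_APP))
        base_key = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%s" % victim
        common.write_reg(common.HKLM, base_key, "Debugger", TARGET_APP, restore=True)

    # create new NetSh key value
    # NOTE(review): no restore=True here, so the BadHelper value presumably
    # stays in HKLM\Software\Microsoft\NetSh after the run; netsh.exe would then
    # try to load that DLL path on every invocation — confirm and clean up.
    common.log("Adding a new NetSh Helper DLL")
    key = "Software\\Microsoft\\NetSh"
    common.write_reg(common.HKLM, key, "BadHelper", "c:\\windows\\system32\\BadHelper.dll")

    # modify the list of SSPs
    # NOTE(review): append=True without restore=True — if the helper does not
    # revert, "evilSSP" remains in the LSA Security Packages list and LSASS
    # would attempt to load evilSSP.dll at the next boot. Worth verifying the
    # host is left clean, since that is a genuine persistence foothold.
    common.log("Adding a new SSP to the list of security packages")
    key = "System\\CurrentControlSet\\Control\\Lsa"
    common.write_reg(
        common.HKLM,
        key,
        "Security Packages",
        ["evilSSP"],
        common.MULTI_SZ,
        append=True,
        pause=True,
    )

    # The Services handle was already closed above; the stray second
    # hkey.Close() from the original has been dropped.
    pause()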
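if __name__ == "__main__":
    # sys.exit rather than the site-injected exit() builtin, which is absent
    # when the interpreter runs with -S. main() has no return statement, so
    # this exits with status 0 unless main() raised.
    sys.exit(main())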