forked from facebookincubator/ForgeArmory
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Windows Atomic Tests to TTP facebookincubator#9
Summary: Converting atomics to ttps in Windows Atomic Red Team Tests This ttp was 9/10 and it performs the follow function: Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script uses `SeDebugPrivilege` to obtain, duplicate and impersonate the token of a another process. When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM). Reviewed By: godlovepenn Differential Revision: D62652075
- Loading branch information
1 parent
bf4d1cb
commit d6a578a
Showing
3 changed files
with
429 additions
and
0 deletions.
There are no files selected for viewing
46 changes: 46 additions & 0 deletions
46
ttps/privilege-escalation/windows/sedebugprivilege-token-dupl/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| # "SeDebugPrivilege" Token Duplication | ||
|
|
||
|  | ||
|
|
||
| This TTP uses PowerShell and a modified version of Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). | ||
| The modified script uses `SeDebugPrivilege` to obtain, duplicate and impersonate the token of a another process. | ||
| When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM). | ||
|
|
||
| Derived from [Atomic Red Team T1134.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md#atomic-test-2---sedebugprivilege-token-duplication) | ||
|
|
||
| ## Arguments | ||
| - **script**: a string variable specifying location of Get-System.ps1 script. Default is $PWD\src\Get-System.ps1 | ||
|
|
||
| ## Pre-requisites | ||
| - Windows operating system equipped with powershell | ||
|
|
||
| ## Examples | ||
| You can run the TTP using the following example (after updating the arguments): | ||
| ```bash | ||
| ttpforge run forgearmory//collection/windows/privilege-escalation/sedebugprivilege-token-dupl.yaml | ||
| ``` | ||
| ```bash | ||
| ttpforge run forgearmory//collection/windows/privilege-escalation/sedebugprivilege-token-dupl.yaml --arg Get-System-mod.ps1 | ||
| ``` | ||
|
|
||
| ## Steps | ||
| 1. **execute_script** : This step executes the script which obtain, duplicate and impersonate the token of a another process. | ||
|
|
||
| Note: cleanup --> TTP user is responsible for cleanup by removing Get-System.ps1 manually | ||
|
|
||
| ## Manual Reproduction | ||
| ```bash | ||
| #Commands to execute the script | ||
| IEX (Get-Content "src\Get-System.ps1" -Raw); Get-System -Technique Token | ||
| Start-Sleep -Second 3 | ||
| IEX (Get-Content "src\Get-System.ps1" -Raw); Get-System -RevToSelf | ||
| ``` | ||
|
|
||
| ## MITRE ATT&CK Mapping | ||
|
|
||
| - **Tactics**: | ||
| - TA0004 Privilege Escalation | ||
| - **Techniques**: | ||
| - T1134 Access Token Manipulation | ||
| - **Subtechniques**: | ||
| - T1134.003 Make and Impersonate Token |
38 changes: 38 additions & 0 deletions
38
...privilege-escalation/windows/sedebugprivilege-token-dupl/sedebugprivilege-token-dupl.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| --- | ||
| api_version: 2.0 | ||
| uuid: 0495fc77-3ef2-4aff-ae1b-c50fcac5fe89 | ||
| name: '`SeDebugPrivilege` token duplication' | ||
| description: | | ||
| Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). | ||
| The script uses `SeDebugPrivilege` to obtain, duplicate and impersonate the token of a another process. | ||
| When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM). | ||
| Derived from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md#atomic-test-2---sedebugprivilege-token-duplication | ||
| requirements: | ||
| platforms: | ||
| - os: windows | ||
| mitre: | ||
| tactics: | ||
| - TA0004 Privilege Escalation | ||
| techniques: | ||
| - T1134 Access Token Manipulation | ||
| subtechniques: | ||
| - T1134.003 Make and Impersonate Token | ||
| args: | ||
| - name: script | ||
| description: location of script | ||
| type: string | ||
| default: $PWD\src\Get-System.ps1 | ||
| steps: | ||
| - name: execute_script | ||
| executor: powershell | ||
| description: Executing script Get-System.ps1 | ||
| inline: | | ||
| if (-Not(Test-Path "{{.Args.script}}")){ | ||
| Write-Host "The script was not provided at {{.Args.script}} or EDR has quarantined/deleted it." | ||
| exit 1 | ||
| } | ||
| else { | ||
| IEX (Get-Content "{{.Args.script}}" -Raw); Get-System -Technique Token | ||
| Start-Sleep -Second 3 | ||
| IEX (Get-Content "{{.Args.script}}" -Raw); Get-System -RevToSelf | ||
| } |
Oops, something went wrong.