Adding termsrv.dll path modification (#2576)

* adding test for t1505.005, fixing issue with existing test to simulate termsrv.dll patching * adding test for t1505.005, fixing issue with existing test to simulate termsrv.dll patching * adding test for t1505.005, fixing issue with existing test to simulate termsrv.dll patching * adding test for t1505.005, fixing issue with existing test to simulate termsrv.dll patching * adding test for t1505.005, fixing issue with existing test to simulate termsrv.dll patching * adding test for t1505.005, fixing issue with existing test to simulate termsrv.dll patching * adding test for t1505.005, fixing issue with existing test to simulate termsrv.dll patching * adding test for t1505.005, fixing issue with existing test to simulate termsrv.dll patching * restore original guid --------- Co-authored-by: Carrie Roberts <[email protected]>
redcanaryco · Oct 26, 2023 · 03b7cd1 · 03b7cd1
1 parent 0efeb2e
commit 03b7cd1
Showing 1 changed file with 41 additions and 3 deletions.
diff --git a/atomics/T1505.005/T1505.005.yaml b/atomics/T1505.005/T1505.005.yaml
@@ -2,7 +2,7 @@ attack_technique: T1505.005
 display_name: 'Server Software Component: Terminal Services DLL'
 atomic_tests:
 - name: Simulate Patching termsrv.dll
-  auto_generated_guid: 0b2eadeb-4a64-4449-9d43-3d999f4a317b
+  auto_generated_guid: 0b2eadeb-4a64-4449-9d43-3d999f4a317b
   description: |
     Simulates patching of termsrv.dll by making a benign change to the file and replacing it with the original afterwards.
     Before we can make the modifications we need to take ownership of the file and grant ourselves the necessary permissions.
@@ -11,15 +11,53 @@ atomic_tests:
   executor:
     elevation_required: true
     command: |
-      $ACL = Get-Acl $fileName
+      $termsrvDll = "C:\Windows\System32\termsrv.dll"
+
+      $ACL = Get-Acl $termsrvDll
       $permission = "Administrators","FullControl","Allow"
       $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
       $ACL.SetAccessRule($accessRule)
-      Set-Acl -Path $fileName -AclObject $ACL
+      Set-Acl -Path $termsrvDll -AclObject $ACL
 
       Copy-Item -Path "C:\Windows\System32\termsrv.dll" -Destination "C:\Windows\System32\termsrv_backup.dll" -ErrorAction Ignore
       Add-Content -Path "C:\Windows\System32\termsrv.dll" -Value "`n" -NoNewline -ErrorAction Ignore
       Move-Item -Path "C:\Windows\System32\termsrv_backup.dll" -Destination "C:\Windows\System32\termsrv.dll" -Force -ErrorAction Ignore
     cleanup_command: |
       Move-Item -Path "C:\Windows\System32\termsrv_backup.dll" -Destination "C:\Windows\System32\termsrv.dll" -Force -ErrorAction Ignore
     name: powershell
+
+- name: Modify Terminal Services DLL Path
+  description: This atomic test simulates the modification of the ServiceDll value in HKLM\System\CurrentControlSet\services\TermService\Parameters. This technique may be leveraged by adversaries to establish persistence by loading a patched version of the DLL containing malicious code.
+  supported_platforms:
+  - windows
+  executor:
+    elevation_required: true
+    command: |-
+      $termsrvDll = "C:\Windows\System32\termsrv.dll"
+
+      $ACL = Get-Acl $termsrvDll
+      $permission = "Administrators","FullControl","Allow"
+      $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+      $ACL.SetAccessRule($accessRule)
+      Set-Acl -Path $termsrvDll -AclObject $ACL
+
+      Copy-Item -Path $termsrvDll -Destination "$HOME\AtomicTest.dll"
+
+      $newServiceDll = "$HOME\AtomicTest.dll"
+
+      $registryPath = "HKLM:\System\CurrentControlSet\services\TermService\Parameters"
+
+      # Check if the registry key exists
+      if (Test-Path -Path $registryPath) {
+          # Modify the ServiceDll value in the registry
+          Set-ItemProperty -Path $registryPath -Name "ServiceDll" -Value $newServiceDll
+          Write-Host "ServiceDll value in the registry has been updated to: $newServiceDll"
+      } else {
+          Write-Host "Registry key not found. Make sure the 'TermService\Parameters' key exists."
+      }
+
+    cleanup_command: Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\services\TermService\Parameters" -Name "ServiceDll" -Value "C:\Windows\System32\termsrv.dll"
+
+    name: powershell
+
+    elevation_required: true