Merge pull request redcanaryco#189 from redcanaryco/T1183-yamlize

T1183 yamlize
timfrazier1 · May 24, 2018 · 824a910 · 824a910
2 parents e887236 + ff34140
commit 824a910
Show file tree

Hide file tree

Showing 9 changed files with 145 additions and 96 deletions.
diff --git a/Windows/Persistence/Image_File_Execution_Options_Injection.md b/Windows/Persistence/Image_File_Execution_Options_Injection.md
diff --git a/atomics/T1183/T1183.md b/atomics/T1183/T1183.md
@@ -0,0 +1,65 @@
+# T1183 - Image File Execution Options Injection
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1183)
+<blockquote>Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, any executable file present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., “C:\dbg\ntsd.exe -g  notepad.exe”). (Citation: Microsoft Dev Blog IFEO Mar 2010)
+
+IFEOs can be set directly via the Registry or in Global Flags via the Gflags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger Values in the Registry under <code>HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options/<executable></code> and <code> HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable> </code> where <code><executable></code> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)
+
+Similar to Process Injection, this value can be abused to obtain persistence and privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Engame Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous invocation.
+
+Malware may also use IFEO for Defense Evasion by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)
+
+Detection: Monitor for common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as <code>DEBUG_PROCESS</code> and <code>DEBUG_ONLY_THIS_PROCESS</code>. (Citation: Microsoft Dev Blog IFEO Mar 2010)
+
+Monitor the IFEOs Registry value for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Engame Process Injection July 2017)
+
+Platforms: Windows
+
+Data Sources: Process Monitoring, Windows Registry, Windows event logs
+
+Permissions Required: Administrator, SYSTEM</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - IFEO Add Debugger](#atomic-test-1---ifeo-add-debugger)
+
+- [Atomic Test #2 - IFEO GLobal Flags](#atomic-test-2---ifeo-global-flags)
+
+
+<br/>
+
+## Atomic Test #1 - IFEO Add Debugger
+TODO
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| target_binary | Binary To Attach To | Path | winword.exe|
+| payload_binary | Binary To Execute | Path | cmd.exe|
+
+#### Run it with `command_prompt`!
+```
+REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
+```
+<br/>
+<br/>
+
+## Atomic Test #2 - IFEO GLobal Flags
+Leverage Global Flags Settings
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| target_binary | Binary To Attach To | Path | notepad.exe|
+| payload_binary | Binary To Execute | Path | cmd.exe|
+
+#### Run it with `command_prompt`!
+```
+REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}"
+```
+<br/>
diff --git a/atomics/T1183/T1183.yaml b/atomics/T1183/T1183.yaml
@@ -0,0 +1,47 @@
+---
+attack_technique: T1183
+display_name: Image File Execution Options
+
+atomic_tests:
+- name: IFEO Add Debugger
+  description: |
+    TODO
+
+  supported_platforms:
+    - windows
+  input_arguments:
+    target_binary:
+      description: Binary To Attach To
+      type: Path
+      default: winword.exe
+    payload_binary:
+      description: Binary To Execute
+      type: Path
+      default: cmd.exe
+
+  executor:
+    name: command_prompt
+    command: |
+      REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
+
+- name: IFEO GLobal Flags
+  description: |
+    Leverage Global Flags Settings
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    target_binary:
+      description: Binary To Attach To
+      type: Path
+      default: notepad.exe
+    payload_binary:
+      description: Binary To Execute
+      type: Path
+      default: cmd.exe
+
+  executor:
+    name: command_prompt
+    command: |
+      REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}"
diff --git a/atomics/index.md b/atomics/index.md
@@ -32,7 +32,9 @@
 - [T1179 Hooking](./T1179/T1179.md)
   - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
 - [T1062 Hypervisor](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
-- [T1183 Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
+- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
+  - Atomic Test #1: IFEO Add Debugger [windows]
+  - Atomic Test #2: IFEO GLobal Flags [windows]
 - [T1215 Kernel Modules and Extensions](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1161 LC_LOAD_DYLIB Addition](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1177 LSASS Driver](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
@@ -42,7 +44,7 @@
 - [T1168 Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1162 Login Item](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1037 Logon Scripts](./T1037/T1037.md)
-  - Atomic Test #1: Logon Scripts
+  - Atomic Test #1: Logon Scripts [windows]
 - [T1031 Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1128 Netsh Helper DLL](./T1128/T1128.md)
   - Atomic Test #1: Netsh Helper DLL Registration [windows]
@@ -128,7 +130,9 @@
   - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
 - [T1147 Hidden Users](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1143 Hidden Window](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
-- [T1183 Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
+- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
+  - Atomic Test #1: IFEO Add Debugger [windows]
+  - Atomic Test #2: IFEO GLobal Flags [windows]
 - [T1054 Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1066 Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1070 Indicator Removal on Host](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
@@ -194,7 +198,9 @@
 - [T1044 File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1179 Hooking](./T1179/T1179.md)
   - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
-- [T1183 Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
+- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
+  - Atomic Test #1: IFEO Add Debugger [windows]
+  - Atomic Test #2: IFEO GLobal Flags [windows]
 - [T1160 Launch Daemon](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1050 New Service](./T1050/T1050.md)
   - Atomic Test #1: Service Installation [windows]
@@ -330,7 +336,7 @@
 - [T1175 Distributed Component Object Model](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1210 Exploitation of Remote Services](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1037 Logon Scripts](./T1037/T1037.md)
-  - Atomic Test #1: Logon Scripts
+  - Atomic Test #1: Logon Scripts [windows]
 - [T1075 Pass the Hash](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1097 Pass the Ticket](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1076 Remote Desktop Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)

diff --git a/atomics/macos-index.md b/atomics/macos-index.md
@@ -17,7 +17,7 @@
 - [T1152 Launchctl](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1168 Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1162 Login Item](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
-- [T1037 Logon Scripts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
+- [T1037 Logon Scripts](./T1037/T1037.md)
 - [T1150 Plist Modification](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1205 Port Knocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1163 Rc.common](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
@@ -69,7 +69,7 @@
 - [T1155 AppleScript](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1017 Application Deployment Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1210 Exploitation of Remote Services](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
-- [T1037 Logon Scripts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
+- [T1037 Logon Scripts](./T1037/T1037.md)
 - [T1105 Remote File Copy](./T1105/T1105.md)
   - Atomic Test #1: xxxx [linux, macos]
 - [T1021 Remote Services](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)