Adding: Invoke-ATHTokenImpersonation, Invoke-ATHCreateProcessWithToken (
#6)

* Adding TokenImpersonation + CreateProcessWithToken functions

This update adds the following functions to the Atomic Test Harnesses:
* Invoke-ATHTokenImpersonation
* Invoke-ATHCreateProcessWithToken

* Fixing directory placement

Fixing directory placement
jsecurity101 authored Nov 17, 2021
1 parent 7b8f153 commit 5dc5095
Showing 5 changed files with 1,535 additions and 2 deletions.
12 changes: 10 additions & 2 deletions AtomicTestHarnesses.psd1
Expand Up @@ -4,13 +4,13 @@
RootModule = 'AtomicTestHarnesses.psm1'

# Version number of this module.
ModuleVersion = '1.7.0.0'
ModuleVersion = '1.8.0.0'

# ID used to uniquely identify this module
GUID = '195a1637-d4a4-4cb3-8d80-5b5d4e3e930a'

# Author of this module
Author = 'Mike Haag, Jesse Brown, Matt Graeber'
Author = 'Mike Haag, Jesse Brown, Matt Graeber, Jonathan Johnson'

# Company or vendor of this module
CompanyName = 'Red Canary, Inc.'
Expand All @@ -29,9 +29,11 @@ FunctionsToExport = 'Get-ATHDriverService',
'Invoke-ATHHTMLApplication',
'Invoke-ATHCompiledHelp',
'Invoke-ATHCorProfiler',
'Invoke-ATHCreateProcessWithToken',
'Invoke-ATHInjectedThread',
'Invoke-ATHMSBuild',
'Invoke-ATHRemoteFXvGPUDisablementCommand',
'Invoke-ATHTokenImpersonation',
'New-ATHDriverService',
'Out-ATHPowerShellCommandLineParameter',
'Remove-ATHDriverService',
Expand All @@ -55,6 +57,12 @@ PrivateData = @{

# ReleaseNotes of this module
ReleaseNotes = @'
1.8.0
-----
Added:
* Invoke-ATHTokenImpersonation
* Invoke-ATHCreateProcessWithToken
1.7.0
-----
Added:
@@ -0,0 +1,190 @@
Set-StrictMode -Version Latest

$TestScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent
$ModuleRoot = Resolve-Path "$TestScriptRoot\..\..\"
$ModuleManifest = "$ModuleRoot\AtomicTestHarnesses.psd1"

Remove-Module [A]tomicTestHarnesses
Import-Module $ModuleManifest -Force -ErrorAction Stop

Describe 'Invoke-ATHTokenImpersonation' {
BeforeAll {
$Help = Get-Help -Name Invoke-ATHTokenImpersonation -Full

$ExpectedTechniqueID = $null

if ($Help.Synopsis.Split("`r`n")[-1] -match '^(?-i:Technique ID: )(?<TechniqueID>\S+) (?<TechniqueDescription>\(.+\))$') {
$ExpectedTechniqueID = $Matches['TechniqueID']
}

$FixedTestGuid = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'
}

Context 'Validating error conditions' -Tag 'Unit', 'T1134.001' {
It 'should fail to open process' {
{ Invoke-ATHTokenImpersonation -ProcessId 1234 -ErrorAction Stop } | Should -Throw
}

It 'should fail to open a handle with the specified access rights' {
{ Invoke-ATHTokenImpersonation -ProcessId $PID -AccessRights CreateThread -ErrorAction Stop } | Should -Throw
}

}

Context 'Expected artifacts and behaviors when exercising the attack technique' -Tag 'Technique', 'T1134.001' {
It 'should impersonate user SYSTEM running under the winlogon process with QueryLimitedInformation as the requested rights' {
$Result = Invoke-ATHTokenImpersonation -TestGuid $FixedTestGuid

$Result | Should -Not -BeNullOrEmpty

$Result.TechniqueID | Should -BeExactly $ExpectedTechniqueID
$Result.TestSuccess | Should -BeTrue
$Result.TestGuid | Should -BeExactly $FixedTestGuid
$Result.TestCommand | Should -Not -BeNullOrEmpty
$Result.SourceUser | Should -Not -BeNullOrEmpty
$Result.SourceExecutableFilePath | Should -Match 'powershell.exe'
$Result.SourceExecutableFileHash | Should -Not -BeNullOrEmpty
$Result.SourceProcessId | Should -Not -BeNullOrEmpty
$Result.GrantedRights | Should -Match 'QueryLimitedInformation'
$Result.ImpersonatedUser | Should -Match 'SYSTEM'
$Result.TargetExecutableFilePath | Should -Match 'winlogon.exe'
$Result.TargetExecutableFileHash | Should -Not -BeNullOrEmpty
$Result.TargetProcessId | Should -Not -BeNullOrEmpty

$Result
}

It 'should impersonate user SYSTEM running under the winlogon process with QueryInformation as the requested rights' {
$Result = Get-Process -Name winlogon | Select-Object -First 1 | Invoke-ATHTokenImpersonation -AccessRights QueryInformation -TestGuid $FixedTestGuid

$Result | Should -Not -BeNullOrEmpty

$Result.TechniqueID | Should -BeExactly $ExpectedTechniqueID
$Result.TestSuccess | Should -BeTrue
$Result.TestGuid | Should -BeExactly $FixedTestGuid
$Result.TestCommand | Should -Not -BeNullOrEmpty
$Result.SourceUser | Should -Not -BeNullOrEmpty
$Result.SourceExecutableFilePath | Should -Match 'powershell.exe'
$Result.SourceExecutableFileHash | Should -Not -BeNullOrEmpty
$Result.SourceProcessId | Should -Not -BeNullOrEmpty
$Result.GrantedRights | Should -Match 'QueryInformation'
$Result.ImpersonatedUser | Should -Match 'SYSTEM'
$Result.TargetExecutableFilePath | Should -Match 'winlogon.exe'
$Result.TargetExecutableFileHash | Should -Not -BeNullOrEmpty
$Result.TargetProcessId | Should -Not -BeNullOrEmpty

$Result
}

It 'should impersonate user SYSTEM running under the winlogon process with AllAcccess as the requested rights' {
$Result = Get-Process -Name winlogon | Select-Object -First 1 | Invoke-ATHTokenImpersonation -AccessRights AllAccess -TestGuid $FixedTestGuid

$Result | Should -Not -BeNullOrEmpty

$Result.TechniqueID | Should -BeExactly $ExpectedTechniqueID
$Result.TestSuccess | Should -BeTrue
$Result.TestGuid | Should -BeExactly $FixedTestGuid
$Result.TestCommand | Should -Not -BeNullOrEmpty
$Result.SourceUser | Should -Not -BeNullOrEmpty
$Result.SourceExecutableFilePath | Should -Match 'powershell.exe'
$Result.SourceExecutableFileHash | Should -Not -BeNullOrEmpty
$Result.SourceProcessId | Should -Not -BeNullOrEmpty
$Result.GrantedRights | Should -Match 'AllAccess'
$Result.ImpersonatedUser | Should -Match 'SYSTEM'
$Result.TargetExecutableFilePath | Should -Match 'winlogon.exe'
$Result.TargetExecutableFileHash | Should -Not -BeNullOrEmpty
$Result.TargetProcessId | Should -Not -BeNullOrEmpty

$Result
}

It 'should impersonate user SYSTEM running under the LSASS process with QueryLimitedInformation as the requested rights' {
$Result = Get-Process -Name lsass | Invoke-ATHTokenImpersonation -TestGuid $FixedTestGuid

$Result | Should -Not -BeNullOrEmpty

$Result.TechniqueID | Should -BeExactly $ExpectedTechniqueID
$Result.TestSuccess | Should -BeTrue
$Result.TestGuid | Should -BeExactly $FixedTestGuid
$Result.TestCommand | Should -Not -BeNullOrEmpty
$Result.SourceUser | Should -Not -BeNullOrEmpty
$Result.SourceExecutableFilePath | Should -Match 'powershell.exe'
$Result.SourceExecutableFileHash | Should -Not -BeNullOrEmpty
$Result.SourceProcessId | Should -Not -BeNullOrEmpty
$Result.GrantedRights | Should -Match 'QueryLimitedInformation'
$Result.ImpersonatedUser | Should -Match 'SYSTEM'
$Result.TargetExecutableFilePath | Should -Match 'lsass.exe'
$Result.TargetExecutableFileHash | Should -Not -BeNullOrEmpty
$Result.TargetProcessId | Should -Not -BeNullOrEmpty

$Result
}

It 'should impersonate user SYSTEM running under the LSASS process with QueryInformation as the requested rights' {
$Result = Get-Process -Name lsass | Invoke-ATHTokenImpersonation -AccessRights QueryInformation -TestGuid $FixedTestGuid

$Result | Should -Not -BeNullOrEmpty

$Result.TechniqueID | Should -BeExactly $ExpectedTechniqueID
$Result.TestSuccess | Should -BeTrue
$Result.TestGuid | Should -BeExactly $FixedTestGuid
$Result.TestCommand | Should -Not -BeNullOrEmpty
$Result.SourceUser | Should -Not -BeNullOrEmpty
$Result.SourceExecutableFilePath | Should -Match 'powershell.exe'
$Result.SourceExecutableFileHash | Should -Not -BeNullOrEmpty
$Result.SourceProcessId | Should -Not -BeNullOrEmpty
$Result.GrantedRights | Should -Match 'QueryInformation'
$Result.ImpersonatedUser | Should -Match 'SYSTEM'
$Result.TargetExecutableFilePath | Should -Match 'lsass.exe'
$Result.TargetExecutableFileHash | Should -Not -BeNullOrEmpty
$Result.TargetProcessId | Should -Not -BeNullOrEmpty

$Result
}

It 'should impersonate user SYSTEM running under the LSASS process with AllAccess as the requested rights' {
$Result = Get-Process -Name lsass | Invoke-ATHTokenImpersonation -AccessRights AllAccess -TestGuid $FixedTestGuid

$Result | Should -Not -BeNullOrEmpty

$Result.TechniqueID | Should -BeExactly $ExpectedTechniqueID
$Result.TestSuccess | Should -BeTrue
$Result.TestGuid | Should -BeExactly $FixedTestGuid
$Result.TestCommand | Should -Not -BeNullOrEmpty
$Result.SourceUser | Should -Not -BeNullOrEmpty
$Result.SourceExecutableFilePath | Should -Match 'powershell.exe'
$Result.SourceExecutableFileHash | Should -Not -BeNullOrEmpty
$Result.SourceProcessId | Should -Not -BeNullOrEmpty
$Result.GrantedRights | Should -Match 'AllAccess'
$Result.ImpersonatedUser | Should -Match 'SYSTEM'
$Result.TargetExecutableFilePath | Should -Match 'lsass.exe'
$Result.TargetExecutableFileHash | Should -Not -BeNullOrEmpty
$Result.TargetProcessId | Should -Not -BeNullOrEmpty

$Result
}

It 'should logon user John Doe with fake credentials and impersonate impersonate user John Doe' {
$Result = Invoke-ATHTokenImpersonation -Credential $(New-Object System.Management.Automation.PSCredential ('JohnDoe', $(ConvertTo-SecureString 'fakecreds' -AsPlainText -Force))) -LogonType NewCredential -TestGuid $FixedTestGuid

$Result | Should -Not -BeNullOrEmpty

$Result.TechniqueID | Should -BeExactly $ExpectedTechniqueID
$Result.TestSuccess | Should -BeTrue
$Result.TestGuid | Should -BeExactly $FixedTestGuid
$Result.TestCommand | Should -Not -BeNullOrEmpty
$Result.SourceUser | Should -Not -BeNullOrEmpty
$Result.SourceExecutableFilePath | Should -Match 'powershell.exe'
$Result.SourceExecutableFileHash | Should -Not -BeNullOrEmpty
$Result.SourceProcessId | Should -Not -BeNullOrEmpty
$Result.GrantedRights | Should -BeNullOrEmpty
$Result.ImpersonatedUser | Should -Match 'JohnDoe'
$Result.TargetExecutableFilePath | Should -BeNullOrEmpty
$Result.TargetExecutableFileHash | Should -BeNullOrEmpty
$Result.TargetProcessId | Should -BeNullOrEmpty

$Result
}

}
}
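Review bot: The two `lsass` cases that request `QueryInformation` and `AllAccess` (`should impersonate user SYSTEM running under the LSASS process with QueryInformation …` / `… with AllAccess …`) will fail on any host where LSA protection (RunAsPPL) is enabled, because a non-protected caller can open a PPL process only with limited rights such as `QueryLimitedInformation`; with no precondition in the test, that reads as a harness defect rather than an environmental one. I would compute a skip flag in `BeforeAll`, e.g. `$LsaIsPPL = (Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue) -in 1,2`, and mark those two `It` blocks `-Skip:$LsaIsPPL` (the `winlogon` cases are unaffected, and the registry check may need extending if LSA protection is on by default without the value being present). The `NewCredential` case asserts `ImpersonatedUser -Match 'JohnDoe'`, but a LOGON32_LOGON_NEW_CREDENTIALS token keeps the caller's local identity and uses the supplied credentials only for outbound authentication, so this assertion holds only if the harness reports the name from `-Credential` rather than from the token — worth confirming against the implementation, which is not in this hunk. The `It` names also carry typos (`AllAcccess`, `impersonate impersonate`) that will show up verbatim in test reports.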
