
Idea: Add tests for T1547/003 addition of time providers

Open tbennett6421 opened this issue 2 years ago • 1 comments

Use-cases

I'm unsure if this is the correct template or not. Should this be Idea or Test?

No test exists in the repo to support privesc/persistence via the time providers. This is an important test that can be used to obtain privilege escalation or install an implant for persistence.

Proposal

Ideally we should create a test for the following

Adding a dll to the following reg key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\ and restarting the time service.

References

https://attack.mitre.org/techniques/T1547/003/
https://stmxcsr.com/persistence/time-provider.html

Happy to add a test, if/when I have the resources

tbennett6421 avatar Jun 06 '22 20:06 tbennett6421

Working on the DLL at the moment, I can write the test too when it's ready. Just note that the DLL is not directly added under TimeProviders. The subkey is the name of the provider and can be arbitrary. In the subkey, the DllName value will contain the path to the DLL.

traceflow avatar Jun 13 '22 18:06 traceflow
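The issue body and traceflow's follow-up together describe where a time provider lives: an arbitrarily named subkey under `HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders`, whose `DllName` value holds the DLL path that W32Time loads when the service starts. The PowerShell below is an added defensive audit, not code from the issue or the Atomic Red Team project: it enumerates those subkeys and flags providers whose name or DLL differs from a small baseline of stock Windows providers. The baseline (NtpClient and NtpServer backed by w32time.dll, VMICTimeProvider backed by vmictimeprovider.dll), the "must live under System32" heuristic and the function name `Get-TimeProviderFindings` are assumptions made for this example and should be checked against a known-good image before relying on them.

```powershell
# Added example (not part of the issue or the Atomic Red Team project):
# audit W32Time time providers for DLLs that do not match the stock providers.
# ASSUMPTION: the baseline below reflects a default Windows install; adjust it
# to a known-good image from your own environment before trusting the output.

$ProvidersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders'

# Provider subkey name -> expected DLL file name (assumed baseline).
$Baseline = @{
    'NtpClient'        = 'w32time.dll'
    'NtpServer'        = 'w32time.dll'
    'VMICTimeProvider' = 'vmictimeprovider.dll'
}

function Get-TimeProviderFindings {
    param([string]$Key = $ProvidersKey)

    # Each subkey is one provider; the DllName value inside it names the DLL.
    foreach ($sub in Get-ChildItem -Path $Key -ErrorAction Stop) {
        $props   = Get-ItemProperty -Path $sub.PSPath
        $rawDll  = [string]$props.DllName
        # DllName is usually written with %SystemRoot%, so expand it before comparing.
        $dllPath = [Environment]::ExpandEnvironmentVariables($rawDll)
        $reasons = @()

        if (-not $Baseline.ContainsKey($sub.PSChildName)) {
            $reasons += 'provider name not in baseline'
        } elseif ($rawDll -and ([IO.Path]::GetFileName($dllPath) -ne $Baseline[$sub.PSChildName])) {
            $reasons += 'DLL file name differs from baseline'
        }

        # Heuristic (assumption): stock providers are loaded from System32.
        $system32 = Join-Path $env:SystemRoot 'System32'
        if ($dllPath -and -not $dllPath.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'DLL lives outside System32'
        }

        # A provider DLL that is unsigned, tampered with, or missing is worth a look either way.
        if ($dllPath -and (Test-Path -LiteralPath $dllPath)) {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
        } elseif ($dllPath) {
            $reasons += 'DLL path does not exist on disk'
        }

        [pscustomobject]@{
            Provider   = $sub.PSChildName
            Enabled    = $props.Enabled
            DllName    = $rawDll
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

Get-TimeProviderFindings | Format-Table -AutoSize
```

Run it on the host under test and compare the `Suspicious` rows against the baseline you trust; because the provider subkey name is arbitrary, the name check alone is not enough, which is why the DLL location and signature are checked as well. Pairing this with registry change auditing on the `TimeProviders` key gives a detection that fires when a new provider is written rather than only when someone remembers to run the audit.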

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Mar 05 '23 02:03 github-actions[bot]

This issue was closed because it has been stalled for 5 days with no activity.

github-actions[bot] avatar Mar 16 '23 01:03 github-actions[bot]