Adding Invoke-ATHRemoteFXvGPUDisablementCommand

redcanaryco · Dec 7, 2020 · 2f65db8 · 2f65db8
1 parent f734b9d
commit 2f65db8
Show file tree

Hide file tree

Showing 4 changed files with 391 additions and 2 deletions.
diff --git a/AtomicTestHarnesses.psd1 b/AtomicTestHarnesses.psd1
@@ -4,7 +4,7 @@
 RootModule = 'AtomicTestHarnesses.psm1'
 
 # Version number of this module.
-ModuleVersion = '1.1.1.0'
+ModuleVersion = '1.2.0.0'
 
 # ID used to uniquely identify this module
 GUID = '195a1637-d4a4-4cb3-8d80-5b5d4e3e930a'
@@ -27,6 +27,7 @@ PowerShellVersion = '5.0'
 # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
 FunctionsToExport = 'Invoke-ATHHTMLApplication',
                     'Invoke-ATHCompiledHelp',
+                    'Invoke-ATHRemoteFXvGPUDisablementCommand',
                     'Out-ATHPowerShellCommandLineParameter',
                     'Start-ATHProcessUnderSpecificParent'
 
@@ -46,6 +47,11 @@ PrivateData = @{
 
         # ReleaseNotes of this module
         ReleaseNotes = @'
+1.2.0
+-----
+Added:
+* Invoke-ATHRemoteFXvGPUDisablementCommand
+
 1.1.1
 -----
 Added:

diff --git a/Readme.md b/Readme.md
@@ -98,7 +98,8 @@ Specific groups of tests can be run rather than running all available tests. The
 4. `T1059.001` - [Command and Scripting Interpreter: PowerShell](https://attack.mitre.org/techniques/T1059/001/)
 5. `T1134.004` - [Access Token Manipulation: Parent PID Spoofing](https://attack.mitre.org/techniques/T1134/004/)
 6. `T1218.001` - [Signed Binary Proxy Execution: Compiled HTML File](https://attack.mitre.org/techniques/T1218/001/)
-7. `T1218.005` - [Signed Binary Proxy Execution: Mshta](https://attack.mitre.org/techniques/T1218/005/)
+7. `T1218` - [Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)
+8. `T1218.005` - [Signed Binary Proxy Execution: Mshta](https://attack.mitre.org/techniques/T1218/005/)
 
 ## Running Tests
 

diff --git a/...Harnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.Tests.ps1 b/...Harnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.Tests.ps1
@@ -0,0 +1,90 @@
+Set-StrictMode -Version Latest
+
+$TestScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent
+$ModuleRoot = Resolve-Path "$TestScriptRoot\..\..\"
+$ModuleManifest = "$ModuleRoot\AtomicTestHarnesses.psd1"
+
+Remove-Module [A]tomicTestHarnesses
+Import-Module $ModuleManifest -Force -ErrorAction Stop
+
+Describe 'Invoke-ATHRemoteFXvGPUDisablementCommand' {
+    BeforeAll {
+        $Help = Get-Help -Name Invoke-ATHRemoteFXvGPUDisablementCommand -Full
+
+        $ExpectedTechniqueID = $null
+
+        if ($Help.Synopsis.Split("`r`n")[-1] -match '^(?-i:Technique ID: )(?<TechniqueID>\S+) (?<TechniqueDescription>\(.+\))$') {
+            $ExpectedTechniqueID = $Matches['TechniqueID']
+        }
+
+        $FixedTestGuid = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'
+    }
+
+    Context 'Validating error conditions' -Tag 'Unit', 'T1218' {
+        It 'should not execute an EXE that is not RemoteFXvGPUDisablement.exe' -Tag 'Unit', 'T1218' {
+            { Invoke-ATHRemoteFXvGPUDisablementCommand -RemoteFXvGPUDisablementFilePath "$Env:windir\System32\notepad.exe" -ErrorAction Stop } | Should -Throw
+        }
+    }
+
+    Context 'Expected artifacts and behaviors when exercising the attack technique' -Tag 'Technique', 'T1218' {
+        It 'should execute using default options' -Tag 'Technique', 'T1218' {
+            $Result = Invoke-ATHRemoteFXvGPUDisablementCommand -TestGuid $FixedTestGuid
+
+            $Result | Should -Not -BeNullOrEmpty
+
+            $Result.TechniqueID       | Should -BeExactly $ExpectedTechniqueID
+            $Result.TestSuccess       | Should -BeTrue
+            $Result.TestGuid          | Should -BeExactly $FixedTestGuid
+            $Result.ModulePath        | Should -Not -BeNullOrEmpty
+            $Result.ModuleContents    | Should -Not -BeNullOrEmpty
+            $Result.ModuleFileHash    | Should -Not -BeNullOrEmpty
+            $Result.RunnerFilePath    | Should -Match '\\System32\\RemoteFXvGPUDisablement.exe$'
+            $Result.RunnerProcessId   | Should -Not -BeNullOrEmpty
+            $Result.RunnerCommandLine | Should -Match '\\System32\\RemoteFXvGPUDisablement.exe" Disable$'
+            $Result.RunnerChildProcessId          | Should -Not -BeNullOrEmpty
+            $Result.RunnerChildProcessCommandLine | Should -MatchExactly "$($FixedTestGuid)`$"
+        }
+
+        It 'should execute from a non-standard path' -Tag 'Technique', 'T1218' {
+            $AlternatePath = "$env:windir\Temp\notepad.exe"
+
+            Copy-Item -Path "$Env:windir\System32\RemoteFXvGPUDisablement.exe" -Destination $AlternatePath -ErrorAction Stop
+
+            $Result = Invoke-ATHRemoteFXvGPUDisablementCommand -RemoteFXvGPUDisablementFilePath $AlternatePath -TestGuid $FixedTestGuid
+
+            $Result | Should -Not -BeNullOrEmpty
+
+            $Result.TechniqueID       | Should -BeExactly $ExpectedTechniqueID
+            $Result.TestSuccess       | Should -BeTrue
+            $Result.TestGuid          | Should -BeExactly $FixedTestGuid
+            $Result.ModulePath        | Should -Not -BeNullOrEmpty
+            $Result.ModuleContents    | Should -Not -BeNullOrEmpty
+            $Result.ModuleFileHash    | Should -Not -BeNullOrEmpty
+            $Result.RunnerFilePath    | Should -BeExactly "$AlternatePath"
+            $Result.RunnerProcessId   | Should -Not -BeNullOrEmpty
+            $Result.RunnerCommandLine | Should -BeExactly "`"$AlternatePath`" Disable"
+            $Result.RunnerChildProcessId          | Should -Not -BeNullOrEmpty
+            $Result.RunnerChildProcessCommandLine | Should -MatchExactly "$($FixedTestGuid)`$"
+
+            Remove-Item -Path $AlternatePath -Force -ErrorAction SilentlyContinue
+        }
+
+        It 'should execute using a module path that is not specified in %PSModulePath%' -Tag 'Technique', 'T1218' {
+            $Result = Invoke-ATHRemoteFXvGPUDisablementCommand -ModulePath $Env:TEMP -TestGuid $FixedTestGuid
+
+            $Result | Should -Not -BeNullOrEmpty
+
+            $Result.TechniqueID       | Should -BeExactly $ExpectedTechniqueID
+            $Result.TestSuccess       | Should -BeTrue
+            $Result.TestGuid          | Should -BeExactly $FixedTestGuid
+            $Result.ModulePath.StartsWith("$Env:TEMP") | Should -BeTrue 
+            $Result.ModuleContents    | Should -Not -BeNullOrEmpty
+            $Result.ModuleFileHash    | Should -Not -BeNullOrEmpty
+            $Result.RunnerFilePath    | Should -Match '\\System32\\RemoteFXvGPUDisablement.exe$'
+            $Result.RunnerProcessId   | Should -Not -BeNullOrEmpty
+            $Result.RunnerCommandLine | Should -Match '\\System32\\RemoteFXvGPUDisablement.exe" Disable$'
+            $Result.RunnerChildProcessId          | Should -Not -BeNullOrEmpty
+            $Result.RunnerChildProcessCommandLine | Should -MatchExactly "$($FixedTestGuid)`$"
+        }
+    }
+}