Created
July 29, 2024 18:39
-
-
Save MHaggis/5af86a70a0e7d6eb0c3953059f2b8e5f to your computer and use it in GitHub Desktop.
Compile with https://nsis.sourceforge.io/Main_Page. Be sure to modify the path to where a driver is located for testing purposes ("path\to\your\ListOpenedFileDrv_32.sys"). Compile with .\makensis.exe C:\users\Administrator\Desktop\AtomicRedTeam.nsi or via the NSIS UI.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; NSIS Script for Atomic Red Team Tests (AutoIt, T1218.009, and driver load) | |
| ; Source and credit https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/src/T1218.009.cs | |
| !macro T1218_009_CS_CONTENT | |
| FileWrite $0 "using System;$\r$\n\ | |
| using System.EnterpriseServices;$\r$\n\ | |
| using System.Runtime.InteropServices;$\r$\n\ | |
| $\r$\n\ | |
| namespace regsvcser$\r$\n\ | |
| {$\r$\n\ | |
| $\r$\n\ | |
| public class Bypass : ServicedComponent$\r$\n\ | |
| {$\r$\n\ | |
| public Bypass() { Console.WriteLine($\"I am a basic COM Object$\"); }$\r$\n\ | |
| $\r$\n\ | |
| [ComRegisterFunction] //This executes if registration is successful$\r$\n\ | |
| public static void RegisterClass ( string key )$\r$\n\ | |
| {$\r$\n\ | |
| Console.WriteLine($\"I shouldn't really execute$\");$\r$\n\ | |
| }$\r$\n\ | |
| $\r$\n\ | |
| [ComUnregisterFunction] //This executes if registration fails$\r$\n\ | |
| public static void UnRegisterClass ( string key )$\r$\n\ | |
| {$\r$\n\ | |
| Console.WriteLine($\"I shouldn't really execute either.$\");$\r$\n\ | |
| }$\r$\n\ | |
| }$\r$\n\ | |
| }$\r$\n" | |
| !macroend | |
| !include "MUI2.nsh" | |
| !include "FileFunc.nsh" | |
| !include "LogicLib.nsh" | |
| OutFile "AtomicRedTeamTest.exe" | |
| InstallDir "$TEMP\AtomicRedTeamTest" | |
| RequestExecutionLevel user | |
| !insertmacro MUI_PAGE_INSTFILES | |
| !insertmacro MUI_LANGUAGE "English" | |
| Var AutoItExe | |
| Section "MainSection" SEC01 | |
| SetOutPath "$INSTDIR" | |
| ; AutoIt Test | |
| DetailPrint "Starting AutoIt Test..." | |
| ; Download AutoIt | |
| DetailPrint "Downloading AutoIt..." | |
| NSISdl::download "https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip" "$INSTDIR\autoit-v3.zip" | |
| Pop $0 | |
| ${If} $0 != "success" | |
| MessageBox MB_OK "Failed to download AutoIt. Error: $0" | |
| Abort | |
| ${EndIf} | |
| DetailPrint "AutoIt downloaded successfully." | |
| ; Extract AutoIt | |
| DetailPrint "Extracting AutoIt..." | |
| CreateDirectory "$INSTDIR\AutoIt" | |
| nsExec::ExecToLog 'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Expand-Archive -Path \"$INSTDIR\autoit-v3.zip\" -DestinationPath \"$INSTDIR\AutoIt\" -Force"' | |
| Pop $0 | |
| ${If} $0 != "0" | |
| MessageBox MB_OK "Failed to extract AutoIt. Error code: $0" | |
| Abort | |
| ${EndIf} | |
| DetailPrint "AutoIt extracted successfully." | |
| ; Locate AutoIt3.exe | |
| StrCpy $AutoItExe "$INSTDIR\AutoIt\install\autoit3.exe" | |
| ${If} ${FileExists} $AutoItExe | |
| DetailPrint "AutoIt3.exe found at: $AutoItExe" | |
| ${Else} | |
| DetailPrint "AutoIt3.exe not found at $AutoItExe. Searching..." | |
| FindFirst $0 $1 "$INSTDIR\AutoIt\*" | |
| loop: | |
| StrCmp $1 "" done | |
| ${If} ${FileExists} "$INSTDIR\AutoIt\$1\install\autoit3.exe" | |
| StrCpy $AutoItExe "$INSTDIR\AutoIt\$1\install\autoit3.exe" | |
| DetailPrint "AutoIt3.exe found at: $AutoItExe" | |
| Goto done | |
| ${EndIf} | |
| FindNext $0 $1 | |
| Goto loop | |
| done: | |
| FindClose $0 | |
| ${If} $AutoItExe == "" | |
| MessageBox MB_OK "Could not find AutoIt3.exe in the extracted folders." | |
| Abort | |
| ${EndIf} | |
| ${EndIf} | |
| ; Write the AutoIt script | |
| DetailPrint "Creating AutoIt script..." | |
| FileOpen $0 "$INSTDIR\atomic_script.au3" w | |
| FileWrite $0 'MsgBox(0, "Atomic Message", "hello from Atomic Red Team")' | |
| FileClose $0 | |
| DetailPrint "AutoIt script created at: $INSTDIR\atomic_script.au3" | |
| ; Execute the AutoIt script | |
| DetailPrint "Executing AutoIt script..." | |
| ExecWait '"$AutoItExe" "$INSTDIR\atomic_script.au3"' | |
| Pop $0 | |
| DetailPrint "AutoIt execution finished with exit code: $0" | |
| ${If} $0 != "0" | |
| MessageBox MB_OK "AutoIt script execution failed. Error code: $0" | |
| ${Else} | |
| DetailPrint "AutoIt script executed successfully." | |
| ${EndIf} | |
| ; T1218.009 Test | |
| DetailPrint "Starting T1218.009 Test..." | |
| ; Write T1218.009.cs to disk | |
| DetailPrint "Writing T1218.009.cs to disk..." | |
| FileOpen $0 "$INSTDIR\T1218.009.cs" w | |
| !insertmacro T1218_009_CS_CONTENT | |
| FileClose $0 | |
| DetailPrint "T1218.009.cs written successfully." | |
| ; Compile T1218.009.cs | |
| DetailPrint "Compiling T1218.009.cs..." | |
| nsExec::ExecToLog 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"$INSTDIR\T1218.009.dll" /target:library "$INSTDIR\T1218.009.cs"' | |
| Pop $0 | |
| ${If} $0 != "0" | |
| MessageBox MB_OK "Failed to compile T1218.009.cs. Error code: $0" | |
| Abort | |
| ${EndIf} | |
| DetailPrint "T1218.009.cs compiled successfully." | |
| ; Execute regasm | |
| DetailPrint "Executing regasm..." | |
| nsExec::ExecToLog 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U "$INSTDIR\T1218.009.dll"' | |
| Pop $0 | |
| DetailPrint "Regasm execution finished with exit code: $0" | |
| ${If} $0 != "0" | |
| MessageBox MB_OK "Regasm execution failed. Error code: $0" | |
| ${Else} | |
| DetailPrint "Regasm executed successfully." | |
| ${EndIf} | |
| ; Embed and extract the driver | |
| DetailPrint "Extracting driver..." | |
| File "/oname=$INSTDIR\driver.sys" "path\to\your\ListOpenedFileDrv_32.sys" | |
| DetailPrint "Driver extracted to $INSTDIR\driver.sys" | |
| ; Attempt to load the driver as a service | |
| DetailPrint "Attempting to load the driver as a service..." | |
| nsExec::ExecToLog 'sc.exe create TestDriver type= kernel binPath= "$INSTDIR\driver.sys"' | |
| Pop $0 | |
| DetailPrint "Service creation attempt finished with exit code: $0" | |
| ${If} $0 != "0" | |
| MessageBox MB_OK "Service creation may have failed. Error code: $0" | |
| ${Else} | |
| DetailPrint "Service created successfully." | |
| ; Attempt to start the service | |
| nsExec::ExecToLog 'sc.exe start TestDriver' | |
| Pop $0 | |
| DetailPrint "Service start attempt finished with exit code: $0" | |
| ${If} $0 != "0" | |
| MessageBox MB_OK "Service start may have failed. Error code: $0" | |
| ${Else} | |
| DetailPrint "Service started successfully." | |
| ${EndIf} | |
| ${EndIf} | |
| ; Pause before cleanup | |
| MessageBox MB_OK "Both tests execution complete. Press OK to clean up and exit." | |
| ; Clean up | |
| DetailPrint "Cleaning up..." | |
| Delete "$INSTDIR\atomic_script.au3" | |
| Delete "$INSTDIR\autoit-v3.zip" | |
| Delete "$INSTDIR\T1218.009.cs" | |
| Delete "$INSTDIR\T1218.009.dll" | |
| RMDir /r "$INSTDIR\AutoIt" | |
| RMDir "$INSTDIR" | |
| DetailPrint "Cleanup complete." | |
| ; Attempt to stop and remove the service | |
| nsExec::ExecToLog 'sc.exe stop TestDriver' | |
| nsExec::ExecToLog 'sc.exe delete TestDriver' | |
| SectionEnd |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment