# Intro
This is my first time using Atomic Red Team, a PowerShell-based execution framework that provides a library of simple tests every security team can run to test their defenses. It's worth [installing](https://www.linkedin.com/pulse/atomic-red-team-step-by-step-installation-meysam-tajassosi-usu5f/) :3
In this post I will discuss `T1547.001`, Boot or Logon Autostart Execution. Before starting, run the atomic test with this command:
```powershell
Invoke-AtomicTest T1547.001
```

Then restart your computer and here we go!
# Scenario

After restarting, 5 calculators and one Windows Explorer window were running right from the start. The `Recycle Bin` had a problem too: when I clicked its icon, it launched `Calculator`, although the properties dialog still showed the information of the `Recycle Bin`. Now we have to find the root of the problem and how to tackle it.
# Hunting time
## Naive approach
Whenever I see unexpected programs running, `Autoruns` is the first tool that comes to mind. Running it with Administrator permissions, I saw this:


There are some files, namely `batstartup.bat`, `jsestartup.jse` and `vbsstartup.vbs`, located in the `Startup` folder. I wonder why they didn't show up before, but it doesn't matter: if it is suspect, it must be killed :smiley: If we choose `Jump to Entry...` or `Jump to Image` on any of these files, it jumps to the same location, because they use alternative methods to launch at startup that may not be visible in the typical registry locations. Anyway, let's clear these images and reload `Autoruns`. Remember, we should clear files in both red parts above: `C:\Users\Atomic_Redteam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup` is the Startup folder of the user `Atomic_Redteam`, and `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp` is the one for all users. However, we ran into this problem: `Autoruns` didn't list enough files:

A copy of `calc.exe` had been dropped into that folder, which is why Windows did not start normally. Kill 'em! Besides, we also need to remove `iexplorer.exe`, which is highlighted in yellow.

In conclusion, our first step is to clear the suspect files highlighted red and yellow via Jump to Entry (`winrar` and the other `dll` files are clean, so no need to touch them).
Another problem is the `Recycle Bin`. `Autoruns` had no information about it. It came to my mind to check the registry key of the Recycle Bin, which has a unique [CLSID](https://learn.microsoft.com/en-us/windows/win32/com/clsid-key-hklm). We can open it via `regedit.exe` or by finding `Registry Editor` in Windows Search. Remember to run it as Administrator. `CLSID` is a subkey of `HKCR`, and the CLSID of the Recycle Bin is `{645FF040-5081-101B-9F08-00AA002F954E}`.

Yah, that's the reason why the calculator always appeared when we clicked the Recycle Bin icon. To tackle it, delete the `open` subkey. If you only delete the `command` subkey, it will not succeed. Alternatively, you can run this command, which leads to the same picture below.
```powershell
reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f
```

If you want to trick your friends like this, just run the following; `calc.exe` can be replaced with any file you want.
```powershell
reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" /ve /d "calc.exe" /f
```
Now restart Windows and see what happens (to be continued.....)
## Plot twist
After restarting, this is what I got:

Surprise!? 3 calculators were still running. This really needs a more advanced approach: **REGISTRY**. As I mentioned in my [Registry basis](https://hackmd.io/@d4tb30/H1aW5MKtA) post, these are the paths we need to check in Registry Editor:

The first two paths were already cleaned by the naive approach, so we focus on the last three. `SOFTWARE` is a subkey of `HKCU`, `HKCR`, `HKU` and `HKLM`. Searching those paths, this is what I got:

These are the paths we found:
```
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
```
OK, clear them and restart to check whether they are really gone. I can't add a picture right now, but I can confirm the machine has restarted normally ever since :3
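As an added example (not from the original post), here is a PowerShell hunting script that pulls together the locations checked above in one pass: the Run and `Policies\Explorer\Run` keys, both Startup folders, and the Recycle Bin CLSID's `shell\open\command` key. It assumes an elevated session, and it also covers the `RunOnce` keys, which the list above does not mention.

```powershell
# Added example, not part of the original post. Run from an elevated
# PowerShell session so HKLM and the all-users Startup folder are readable.

# Per-user and machine-wide Run keys (RunOnce added beyond the post's list).
$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Startup folders for the current user and for all users.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Recycle Bin CLSID. A clean system has no shell\open\command under it, so
# its mere presence is a finding. HKCR has no default PSDrive, hence Registry::.
$recycleBinOpen = 'Registry::HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command'

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }          # Policies\Explorer\Run is absent by default
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip provider metadata (PSPath, PSDrive, ...)
        $findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Value = $p.Value }
    }
}

foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Force |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Location = $dir; Name = $_.Name; Value = $_.FullName }
        }
}

if (Test-Path $recycleBinOpen) {
    $cmd = (Get-ItemProperty -Path $recycleBinOpen).'(default)'
    $findings += [pscustomobject]@{ Location = $recycleBinOpen; Name = '(default)'; Value = $cmd }
}

$findings | Format-Table -AutoSize -Wrap
```

Every row is a startup entry worth reviewing; on a fresh Windows install the Startup folders are empty and the Recycle Bin row never appears, so after running the atomic test the injected entries stand out immediately.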
## Advanced approach
# Conclusion
`Autoruns` is an awesome app for observing running apps and processes. However, nothing is perfect, and neither is `Autoruns`. It doesn't catch every event and app, which can prevent a SOC team from detecting threats. To deal with this problem, I suggest 2 ideas:
1. Approaching via the Registry: use basic registry knowledge to check the potentially dangerous locations and watch for abnormal subkeys.
2. Build your own hunting tools: this is the harder way, because scanning the whole computer inevitably costs resources. I've been building my own tool, but it still needs some work, so I'd like to publish it later.
Also, the `Recycle Bin` case is a simple form of the technique Persistence via Registry. I will discuss this technique in another post, because it's really amazing.