Adding Invoke-ATHDumpLsass and Invoke-ATHLogonUser (#10)

* Adding Invoke-ATHDumpLsass and Invoke-ATHLogonUser * Update AtomicTestHarnesses.psd1
redcanaryco · Aug 23, 2022 · bb21fb3 · bb21fb3
1 parent 7e1e4da
commit bb21fb3
Show file tree

Hide file tree

Showing 5 changed files with 1,271 additions and 3 deletions.
diff --git a/AtomicTestHarnesses.psd1 b/AtomicTestHarnesses.psd1
@@ -4,19 +4,19 @@
 RootModule = 'AtomicTestHarnesses.psm1'
 
 # Version number of this module.
-ModuleVersion = '1.9.0.0'
+ModuleVersion = '1.10.0.0'
 
 # ID used to uniquely identify this module
 GUID = '195a1637-d4a4-4cb3-8d80-5b5d4e3e930a'
 
 # Author of this module
-Author = 'Mike Haag, Jesse Brown, Matt Graeber, Jonathan Johnson'
+Author = 'Mike Haag, Jesse Brown, Matt Graeber, Jonathan Johnson, Jared Atkinson'
 
 # Company or vendor of this module
 CompanyName = 'Red Canary, Inc.'
 
 # Copyright statement for this module
-Copyright = '2021 Red Canary, Inc. All rights reserved.'
+Copyright = '2022 Red Canary, Inc. All rights reserved.'
 
 # Description of the functionality provided by this module
 Description = 'A module to facilitate the testing of attack techniques and their corresponding procedures.'
@@ -34,7 +34,9 @@ FunctionsToExport = 'Get-ATHDriverService',
                     'Invoke-ATHCompiledHelp',
                     'Invoke-ATHCORProfiler',
                     'Invoke-ATHCreateProcessWithToken',
+                    'Invoke-ATHDumpLSASS',
                     'Invoke-ATHInjectedThread',
+                    'Invoke-ATHLogonUser',
                     'Invoke-ATHMSBuild',
                     'Invoke-ATHRemoteFXvGPUDisablementCommand',
                     'Invoke-ATHTokenImpersonation',
@@ -64,6 +66,12 @@ PrivateData = @{
         # ReleaseNotes of this module
         ReleaseNotes = @'
 
+1.10.0 
+-----
+Added: 
+* Invoke-ATHDumpLSASS
+* Invoke-ATHLogonUser
+
 1.9.0
 -----
 Added: 

diff --git a/TestHarnesses/T1003.001_DumpLSASS/DumpLSASS.Tests.ps1 b/TestHarnesses/T1003.001_DumpLSASS/DumpLSASS.Tests.ps1
@@ -0,0 +1,128 @@
+Set-StrictMode -Version Latest
+
+$TestScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent
+$ModuleRoot = Resolve-Path "$TestScriptRoot\..\..\"
+$ModuleManifest = "$ModuleRoot\AtomicTestHarnesses.psd1"
+
+Remove-Module [A]tomicTestHarnesses
+Import-Module $ModuleManifest -Force -ErrorAction Stop
+
+Describe 'Invoke-ATHDumpLSASS' {
+    BeforeAll {
+        $Help = Get-Help -Name Invoke-ATHDumpLSASS -Full
+
+        $ExpectedTechniqueID = $null
+
+        if ($Help.Synopsis.Split("`r`n")[-1] -match '^(?-i:Technique ID: )(?<TechniqueID>\S+) (?<TechniqueDescription>\(.+\))$') {
+            $ExpectedTechniqueID = $Matches['TechniqueID']
+        }
+
+        $FixedTestGuid = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'
+    }
+
+    Context 'Validating error conditions' -Tag 'Unit', 'T1003.001' {
+        It 'should fail to open process' {
+            { Invoke-ATHDumpLSASS -ProcessId 0000 -ErrorAction Stop } | Should -Throw
+        }
+
+        It 'should fail to open a handle with the specified access rights' {
+            { Invoke-ATHDumpLSASS -AccessRights CreateThread -ErrorAction Stop } | Should -Throw
+        }
+
+    }
+
+    Context 'Expected artifacts and behaviors when exercising the attack technique' -Tag 'Technique', 'T1003.001' {
+        It 'should read LSASSs process memory via Dbghelp!MiniDumpWriteDump function' {
+            $Result =  Invoke-ATHDumpLSASS -TestGuid $FixedTestGuid
+
+            $Result | Should -Not -BeNullOrEmpty
+
+            $Result.TechniqueID                 | Should -BeExactly $ExpectedTechniqueID
+            $Result.TestSuccess                 | Should -BeTrue
+            $Result.TestGuid                    | Should -BeExactly $FixedTestGuid
+            $Result.TestCommand                 | Should -Not -BeNullOrEmpty
+            $Result.Variant                     | Should -match 'Dbghelp!MiniDumpWriteDump'
+            $Result.SourceUser                  | Should -Not -BeNullOrEmpty
+            $Result.SourceExecutableFilePath    | Should -match 'powershell.exe'
+            $Result.SourceExecutableFileHash    | Should -Not -BeNullOrEmpty
+            $Result.SourceProcessId             | Should -Not -BeNullOrEmpty
+            $Result.GrantedRights               | Should -Match 'QueryInformation, VirtualMemoryRead'
+            $Result.TargetExecutableFilePath    | Should -Match 'lsass.exe'
+            $Result.TargetExecutableFileHash    | Should -Not -BeNullOrEmpty
+            $Result.TargetProcessId             | Should -Not -BeNullOrEmpty
+            $Result.DumpFile                    | Should -BeExactly 'C:\TestHarness.dmp'
+
+            $Result
+        }
+
+        It 'should get LSASSs PID via Get-Process and pipe PID into Invoke-ATHDumpLSASS then read LSASSs process memory via Dbghelp!MiniDumpWriteDump function' {
+            $Result =  Get-Process -name lsass | Invoke-ATHDumpLSASS -TestGuid $FixedTestGuid
+
+            $Result | Should -Not -BeNullOrEmpty
+
+            $Result.TechniqueID                 | Should -BeExactly $ExpectedTechniqueID
+            $Result.TestSuccess                 | Should -BeTrue
+            $Result.TestGuid                    | Should -BeExactly $FixedTestGuid
+            $Result.TestCommand                 | Should -Not -BeNullOrEmpty
+            $Result.Variant                     | Should -match 'Dbghelp!MiniDumpWriteDump'
+            $Result.SourceUser                  | Should -Not -BeNullOrEmpty
+            $Result.SourceExecutableFilePath    | Should -match 'powershell.exe'
+            $Result.SourceExecutableFileHash    | Should -Not -BeNullOrEmpty
+            $Result.SourceProcessId             | Should -Not -BeNullOrEmpty
+            $Result.GrantedRights               | Should -Match 'QueryInformation, VirtualMemoryRead'
+            $Result.TargetExecutableFilePath    | Should -Match 'lsass.exe'
+            $Result.TargetExecutableFileHash    | Should -Not -BeNullOrEmpty
+            $Result.TargetProcessId             | Should -Not -BeNullOrEmpty
+            $Result.DumpFile                    | Should -BeExactly 'C:\TestHarness.dmp'
+
+            $Result
+        }
+
+        It 'should read LSASSs process memory via Kernel32!ReadProcessMemory function' {
+            $Result =  Invoke-ATHDumpLSASS -Variant Kernel32!ReadProcessMemory -TestGuid $FixedTestGuid
+
+            $Result | Should -Not -BeNullOrEmpty
+
+            $Result.TechniqueID                 | Should -BeExactly $ExpectedTechniqueID
+            $Result.TestSuccess                 | Should -BeTrue
+            $Result.TestGuid                    | Should -BeExactly $FixedTestGuid
+            $Result.TestCommand                 | Should -Not -BeNullOrEmpty
+            $Result.Variant                     | Should -match 'Kernel32!ReadProcessMemory'
+            $Result.SourceUser                  | Should -Not -BeNullOrEmpty
+            $Result.SourceExecutableFilePath    | Should -match 'powershell.exe'
+            $Result.SourceExecutableFileHash    | Should -Not -BeNullOrEmpty
+            $Result.SourceProcessId             | Should -Not -BeNullOrEmpty
+            $Result.GrantedRights               | Should -Match 'QueryInformation, VirtualMemoryRead'
+            $Result.TargetExecutableFilePath    | Should -Match 'lsass.exe'
+            $Result.TargetExecutableFileHash    | Should -Not -BeNullOrEmpty
+            $Result.TargetProcessId             | Should -Not -BeNullOrEmpty
+            $Result.DumpFile                    | Should -BeNullOrEmpty
+
+            $Result
+        }
+
+        It 'should read LSASSs process memory via Kernel32!ReadProcessMemory function with AllAccess' {
+            $Result =  Invoke-ATHDumpLSASS -Variant Kernel32!ReadProcessMemory -AccessRights AllAccess -TestGuid $FixedTestGuid
+
+            $Result | Should -Not -BeNullOrEmpty
+
+            $Result.TechniqueID                 | Should -BeExactly $ExpectedTechniqueID
+            $Result.TestSuccess                 | Should -BeTrue
+            $Result.TestGuid                    | Should -BeExactly $FixedTestGuid
+            $Result.TestCommand                 | Should -Not -BeNullOrEmpty
+            $Result.Variant                     | Should -match 'Kernel32!ReadProcessMemory'
+            $Result.SourceUser                  | Should -Not -BeNullOrEmpty
+            $Result.SourceExecutableFilePath    | Should -match 'powershell.exe'
+            $Result.SourceExecutableFileHash    | Should -Not -BeNullOrEmpty
+            $Result.SourceProcessId             | Should -Not -BeNullOrEmpty
+            $Result.GrantedRights               | Should -Match 'AllAccess'
+            $Result.TargetExecutableFilePath    | Should -Match 'lsass.exe'
+            $Result.TargetExecutableFileHash    | Should -Not -BeNullOrEmpty
+            $Result.TargetProcessId             | Should -Not -BeNullOrEmpty
+            $Result.DumpFile                    | Should -BeNullOrEmpty
+
+            $Result
+        }
+
+    }
+}