T1129 - Server Software Component
Description from ATT&CK (opens in a new tab)
Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API (opens in a new tab)).
Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.
The Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in
dlfcn.h
in functions such asdlopen
anddlsym
. Although macOS can execute.so
files, common practice uses.dylib
files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017)The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in
NTDLL.dll
and is part of the Windows Native API (opens in a new tab) which is called from functions likeLoadLibrary
at run time.(Citation: Microsoft DLL)
Atomic Tests
Atomic Test #1 - ESXi - Install a custom VIB on an ESXi host
An adversary can maintain persistence within an ESXi host by installing malicious vSphere Installation Bundles (VIBs). Reference (opens in a new tab)
Supported Platforms: Windows
auto_generated_guid: 7f843046-abf2-443f-b880-07a83cf968ec
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
vm_host | Specify the host name of the ESXi Server | string | atomic.local |
vm_user | Specify the privilege user account on ESXi Server | string | root |
vm_pass | Specify the privilege user password on ESXi Server | string | pass |
plink_file | Path to plink | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe |
pscp_file | Path to Pscp | path | PathToAtomicsFolder\..\ExternalPayloads\pscp.exe |
vib_install | Path to script with commands to install the vib | path | PathToAtomicsFolder\..\atomics\T1129\src\esxi_vibinstall.txt |
vib_remove | Path to script with commands to remove the vib | path | PathToAtomicsFolder\..\atomics\T1129\src\esxi_vibremove.txt |
vib_file | Path to the dummy vib | path | PathToAtomicsFolder\..\atomics\T1129\src\atomicvibes.vib |
Attack Commands: Run with command_prompt
!
#{pscp_file} -pw #{vm_pass} #{vib_file} #{vm_user}@#{vm_host}:/tmp
echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{vib_install}"
Cleanup Commands:
echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{vib_remove}"
Dependencies: Run with powershell
!
Description: Check if plink and pscp are available.
Check Prereq Commands:
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
if (Test-Path "#{pscp_file}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\plink.exe"
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe"