Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1055/T1055.md

@@ -31,7 +31,9 @@ Malware commonly utilizes process injection to access system resources through w
 
 - [Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload](#atomic-test-3---shared-library-injection-via-etcldsopreload)
 
-- [Atomic Test #4 - Process Injection via C#](#atomic-test-4---process-injection-via-c)
+- [Atomic Test #4 - Shared Library Injection via LD_PRELOAD](#atomic-test-4---shared-library-injection-via-ld_preload)
+
+- [Atomic Test #5 - Process Injection via C#](#atomic-test-5---process-injection-via-c)
 
 
 <br/>
@@ -89,9 +91,9 @@ This test adds a shared library to the `ld.so.preload` list to execute and inter
 #### Inputs
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| path_to_shared_library | Path to a shared library object | Path | /tmp/evil_module.so|
+| path_to_shared_library | Path to a shared library object | Path | ../bin/T1055.so|
 
-#### Run it with `bash`! 
+#### Run it with `bash`!  Elevation Required (e.g. root or admin) 
 ```
 echo #{path_to_shared_library} > /etc/ld.so.preload
 ```
@@ -101,7 +103,28 @@ echo #{path_to_shared_library} > /etc/ld.so.preload
 <br/>
 <br/>
 
-## Atomic Test #4 - Process Injection via C#
+## Atomic Test #4 - Shared Library Injection via LD_PRELOAD
+This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
+
+**Supported Platforms:** Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| path_to_shared_library | Path to a shared library object | Path | /opt/AtomicRedTeam/atomics/T1055/bin/T1055.so|
+
+#### Run it with `bash`! 
+```
+LD_PRELOAD=#{path_to_shared_library} ls
+```
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Process Injection via C#
 Process Injection using C#
 reference: https://github.com/pwndizzle/c-sharp-memory-injection
 Excercises Five Techniques

atomics/index.md

@@ -314,7 +314,8 @@
   - Atomic Test #1: Process Injection via mavinject.exe [windows]
   - Atomic Test #2: Process Injection via PowerSploit [windows]
   - Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
-  - Atomic Test #4: Process Injection via C# [windows]
+  - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
+  - Atomic Test #5: Process Injection via C# [windows]
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1121 Regsvcs/Regasm](./T1121/T1121.md)
   - Atomic Test #1: Regasm Uninstall Method Call Test [windows]
@@ -413,7 +414,8 @@
   - Atomic Test #1: Process Injection via mavinject.exe [windows]
   - Atomic Test #2: Process Injection via PowerSploit [windows]
   - Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
-  - Atomic Test #4: Process Injection via C# [windows]
+  - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
+  - Atomic Test #5: Process Injection via C# [windows]
 - T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053 Scheduled Task](./T1053/T1053.md)
   - Atomic Test #1: At.exe Scheduled task [windows]

atomics/index.yaml

@@ -9435,11 +9435,31 @@ defense-evasion:
         path_to_shared_library:
           description: Path to a shared library object
           type: Path
-          default: "/tmp/evil_module.so"
+          default: "../bin/T1055.so"
       executor:
         name: bash
+        elevation_required: true
         command: 'echo #{path_to_shared_library} > /etc/ld.so.preload
 
+'
+    - name: Shared Library Injection via LD_PRELOAD
+      description: 'This test injects a shared object library via the LD_PRELOAD environment
+        variable to execute. This technique was used by threat actor Rocke during
+        the exploitation of Linux web servers. This requires the `glibc` package.
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        path_to_shared_library:
+          description: Path to a shared library object
+          type: Path
+          default: "/opt/AtomicRedTeam/atomics/T1055/bin/T1055.so"
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'LD_PRELOAD=#{path_to_shared_library} ls
+
 '
     - name: Process Injection via C#
       description: |
@@ -12518,11 +12538,31 @@ privilege-escalation:
         path_to_shared_library:
           description: Path to a shared library object
           type: Path
-          default: "/tmp/evil_module.so"
+          default: "../bin/T1055.so"
       executor:
         name: bash
+        elevation_required: true
         command: 'echo #{path_to_shared_library} > /etc/ld.so.preload
 
+'
+    - name: Shared Library Injection via LD_PRELOAD
+      description: 'This test injects a shared object library via the LD_PRELOAD environment
+        variable to execute. This technique was used by threat actor Rocke during
+        the exploitation of Linux web servers. This requires the `glibc` package.
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        path_to_shared_library:
+          description: Path to a shared library object
+          type: Path
+          default: "/opt/AtomicRedTeam/atomics/T1055/bin/T1055.so"
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'LD_PRELOAD=#{path_to_shared_library} ls
+
 '
     - name: Process Injection via C#
       description: |

atomics/linux-index.md

@@ -184,6 +184,7 @@
 - T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1055 Process Injection](./T1055/T1055.md)
   - Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
+  - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1536 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1014 Rootkit](./T1014/T1014.md)
@@ -325,6 +326,7 @@
 - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1055 Process Injection](./T1055/T1055.md)
   - Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
+  - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
 - [T1166 Setuid and Setgid](./T1166/T1166.md)
   - Atomic Test #1: Setuid and Setgid [macos, centos, ubuntu, linux]
   - Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]

atomics/windows-index.md

@@ -109,7 +109,7 @@
 - [T1055 Process Injection](./T1055/T1055.md)
   - Atomic Test #1: Process Injection via mavinject.exe [windows]
   - Atomic Test #2: Process Injection via PowerSploit [windows]
-  - Atomic Test #4: Process Injection via C# [windows]
+  - Atomic Test #5: Process Injection via C# [windows]
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1121 Regsvcs/Regasm](./T1121/T1121.md)
   - Atomic Test #1: Regasm Uninstall Method Call Test [windows]
@@ -188,7 +188,7 @@
 - [T1055 Process Injection](./T1055/T1055.md)
   - Atomic Test #1: Process Injection via mavinject.exe [windows]
   - Atomic Test #2: Process Injection via PowerSploit [windows]
-  - Atomic Test #4: Process Injection via C# [windows]
+  - Atomic Test #5: Process Injection via C# [windows]
 - T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053 Scheduled Task](./T1053/T1053.md)
   - Atomic Test #1: At.exe Scheduled task [windows]