diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md
index b27d09f9..41dd24a0 100644
--- a/atomics/T1055/T1055.md
+++ b/atomics/T1055/T1055.md
@@ -31,7 +31,9 @@ Malware commonly utilizes process injection to access system resources through w
- [Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload](#atomic-test-3---shared-library-injection-via-etcldsopreload)
-- [Atomic Test #4 - Process Injection via C#](#atomic-test-4---process-injection-via-c)
+- [Atomic Test #4 - Shared Library Injection via LD_PRELOAD](#atomic-test-4---shared-library-injection-via-ld_preload)
+
+- [Atomic Test #5 - Process Injection via C#](#atomic-test-5---process-injection-via-c)
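Review bot: Inserting the new test as #4 renumbers the existing C# test to #5, so its anchor changes from `#atomic-test-4---process-injection-via-c` to `#atomic-test-5---process-injection-via-c` and any saved link or detection note that refers to "T1055 Atomic Test #4" now points at a different test. Consider appending the LD_PRELOAD test after the C# test so existing numbers stay stable. The added blank line between the two entries also splits the list and should be dropped.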
@@ -89,9 +91,9 @@ This test adds a shared library to the `ld.so.preload` list to execute and inter
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| path_to_shared_library | Path to a shared library object | Path | /tmp/evil_module.so|
+| path_to_shared_library | Path to a shared library object | Path | ../bin/T1055.so|
-#### Run it with `bash`!
+#### Run it with `bash`! Elevation Required (e.g. root or admin)
```
echo #{path_to_shared_library} > /etc/ld.so.preload
```
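Review bot: The new default `../bin/T1055.so` is a relative path, but an entry in `/etc/ld.so.preload` is read by the dynamic loader in every process that starts afterwards, and a relative path is resolved against each process's own working directory. With this default the library will fail to load almost everywhere, so the test will not exercise the behaviour it is meant to generate telemetry for. Use an absolute default, as Test #4 does in the next hunk. Also note that `echo ... > /etc/ld.so.preload` replaces whatever the file already contained; the doc should say so and state how to restore it.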
@@ -101,7 +103,28 @@ echo #{path_to_shared_library} > /etc/ld.so.preload
-## Atomic Test #4 - Process Injection via C#
+## Atomic Test #4 - Shared Library Injection via LD_PRELOAD
+This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
+
+**Supported Platforms:** Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| path_to_shared_library | Path to a shared library object | Path | /opt/AtomicRedTeam/atomics/T1055/bin/T1055.so|
+
+#### Run it with `bash`!
+```
+LD_PRELOAD=#{path_to_shared_library} ls
+```
+
+
+
+
+
+
+## Atomic Test #5 - Process Injection via C#
Process Injection using C#
reference: https://github.com/pwndizzle/c-sharp-memory-injection
Excercises Five Techniques
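Review bot: The default `/opt/AtomicRedTeam/atomics/T1055/bin/T1055.so` hard-codes an install location, and it does not match the `../bin/T1055.so` default that Test #3 uses for the same library. Pick one convention and document the prerequisite that the `.so` exists at that path, since the only stated requirement is the `glibc` package. The description should also say what a tester or detection engineer is expected to observe when `ls` runs with the library preloaded, otherwise there is no way to confirm the test fired. The six empty added lines before the `## Atomic Test #5` heading can be reduced to one.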
diff --git a/atomics/index.md b/atomics/index.md
index e7bb54bb..ecaf8c73 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -314,7 +314,8 @@
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- - Atomic Test #4: Process Injection via C# [windows]
+ - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
+ - Atomic Test #5: Process Injection via C# [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
@@ -413,7 +414,8 @@
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- - Atomic Test #4: Process Injection via C# [windows]
+ - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
+ - Atomic Test #5: Process Injection via C# [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
- Atomic Test #1: At.exe Scheduled task [windows]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index aa7b0c91..8a77097e 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -9435,11 +9435,31 @@ defense-evasion:
path_to_shared_library:
description: Path to a shared library object
type: Path
- default: "/tmp/evil_module.so"
+ default: "../bin/T1055.so"
executor:
name: bash
+ elevation_required: true
command: 'echo #{path_to_shared_library} > /etc/ld.so.preload
+'
+ - name: Shared Library Injection via LD_PRELOAD
+ description: 'This test injects a shared object library via the LD_PRELOAD environment
+ variable to execute. This technique was used by threat actor Rocke during
+ the exploitation of Linux web servers. This requires the `glibc` package.
+
+'
+ supported_platforms:
+ - linux
+ input_arguments:
+ path_to_shared_library:
+ description: Path to a shared library object
+ type: Path
+ default: "/opt/AtomicRedTeam/atomics/T1055/bin/T1055.so"
+ executor:
+ name: bash
+ elevation_required: false
+ command: 'LD_PRELOAD=#{path_to_shared_library} ls
+
'
- name: Process Injection via C#
description: |
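Review bot: The `/etc/ld.so.preload` executor is now marked `elevation_required: true`, but its command still truncates the file with `>` and the hunk shows no cleanup step. On a host that already has preload entries, running this as root drops them, and after the test the injected entry stays in place for every new process. Suggest saving the original content first and adding a cleanup command that restores it. The new LD_PRELOAD test is scoped to a single `ls` invocation, so `elevation_required: false` with no cleanup is reasonable there.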
@@ -12518,11 +12538,31 @@ privilege-escalation:
path_to_shared_library:
description: Path to a shared library object
type: Path
- default: "/tmp/evil_module.so"
+ default: "../bin/T1055.so"
executor:
name: bash
+ elevation_required: true
command: 'echo #{path_to_shared_library} > /etc/ld.so.preload
+'
+ - name: Shared Library Injection via LD_PRELOAD
+ description: 'This test injects a shared object library via the LD_PRELOAD environment
+ variable to execute. This technique was used by threat actor Rocke during
+ the exploitation of Linux web servers. This requires the `glibc` package.
+
+'
+ supported_platforms:
+ - linux
+ input_arguments:
+ path_to_shared_library:
+ description: Path to a shared library object
+ type: Path
+ default: "/opt/AtomicRedTeam/atomics/T1055/bin/T1055.so"
+ executor:
+ name: bash
+ elevation_required: false
+ command: 'LD_PRELOAD=#{path_to_shared_library} ls
+
'
- name: Process Injection via C#
description: |
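Review bot: In the added `description`, the sentence "injects a shared object library via the LD_PRELOAD environment variable to execute" stops short of saying what executes. Reword it to state that the library is loaded into the process started by the command (`ls` here) and what effect to look for. This block is a copy of the one under `defense-evasion`, so any wording or path change needs to be made in both places.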
diff --git a/atomics/linux-index.md b/atomics/linux-index.md
index 35553248..6d0e784f 100644
--- a/atomics/linux-index.md
+++ b/atomics/linux-index.md
@@ -184,6 +184,7 @@
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
+ - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1536 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1014 Rootkit](./T1014/T1014.md)
@@ -325,6 +326,7 @@
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
+ - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
- [T1166 Setuid and Setgid](./T1166/T1166.md)
- Atomic Test #1: Setuid and Setgid [macos, centos, ubuntu, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index afd244f5..a2681a31 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -109,7 +109,7 @@
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- - Atomic Test #4: Process Injection via C# [windows]
+ - Atomic Test #5: Process Injection via C# [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
@@ -188,7 +188,7 @@
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Process Injection via PowerSploit [windows]
- - Atomic Test #4: Process Injection via C# [windows]
+ - Atomic Test #5: Process Injection via C# [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
- Atomic Test #1: At.exe Scheduled task [windows]