From 5b8e894e6155e3855c378e104bd67fa2a1e64162 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Tue, 5 Nov 2019 19:01:25 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
 atomics/T1055/T1055.md | 31 ++++++++++++++++++++++++----
 atomics/index.md | 6 ++++--
 atomics/index.yaml | 44 ++++++++++++++++++++++++++++++++++++++--
 atomics/linux-index.md | 2 ++
 atomics/windows-index.md | 4 ++--
 5 files changed, 77 insertions(+), 10 deletions(-)
diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md
index b27d09f9..41dd24a0 100644
--- a/atomics/T1055/T1055.md
+++ b/atomics/T1055/T1055.md
@@ -31,7 +31,9 @@ Malware commonly utilizes process injection to access system resources through w
 - [Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload](#atomic-test-3---shared-library-injection-via-etcldsopreload)
-- [Atomic Test #4 - Process Injection via C#](#atomic-test-4---process-injection-via-c)
+- [Atomic Test #4 - Shared Library Injection via LD_PRELOAD](#atomic-test-4---shared-library-injection-via-ld_preload)
+
+- [Atomic Test #5 - Process Injection via C#](#atomic-test-5---process-injection-via-c)
@@ -89,9 +91,9 @@ This test adds a shared library to the `ld.so.preload` list to execute and inter
 #### Inputs
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| path_to_shared_library | Path to a shared library object | Path | /tmp/evil_module.so|
+| path_to_shared_library | Path to a shared library object | Path | ../bin/T1055.so|
-#### Run it with `bash`!
+#### Run it with `bash`! Elevation Required (e.g. root or admin)
 ```
 echo #{path_to_shared_library} > /etc/ld.so.preload
 ```
@@ -101,7 +103,28 @@ echo #{path_to_shared_library} > /etc/ld.so.preload
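Review bot: The new default for the `path_to_shared_library` input of test #3, `../bin/T1055.so`, is a relative path, and as far as I can tell the dynamic loader opens an `/etc/ld.so.preload` entry that contains a slash relative to the working directory of each process it starts, so the library is only found when the test (and anything launched afterwards) runs from a directory where that relative path exists, and elsewhere the loader reports the missing object on every exec until the line is removed. Test #4 in the following hunk defaults the same input to the absolute `/opt/AtomicRedTeam/atomics/T1055/bin/T1055.so`; the two tests should agree, and the absolute form is the one that behaves predictably in a file read by every process on the host. Neither test carries a cleanup step that restores `/etc/ld.so.preload`, so the host stays modified after the run and the `elevation_required: true` write has no documented undo. Because this markdown is generated, the fix belongs in the technique's source YAML (not shown on this page), from which this file and index.yaml are regenerated.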

-## Atomic Test #4 - Process Injection via C#
+## Atomic Test #4 - Shared Library Injection via LD_PRELOAD
+This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
+
+**Supported Platforms:** Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| path_to_shared_library | Path to a shared library object | Path | /opt/AtomicRedTeam/atomics/T1055/bin/T1055.so|
+
+#### Run it with `bash`!
+```
+LD_PRELOAD=#{path_to_shared_library} ls
+```
+
+
+
+
+
+
+## Atomic Test #5 - Process Injection via C#
 Process Injection using C#
 reference: https://github.com/pwndizzle/c-sharp-memory-injection
 Excercises Five Techniques
diff --git a/atomics/index.md b/atomics/index.md
index e7bb54bb..ecaf8c73 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -314,7 +314,8 @@
 - Atomic Test #1: Process Injection via mavinject.exe [windows]
 - Atomic Test #2: Process Injection via PowerSploit [windows]
 - Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- - Atomic Test #4: Process Injection via C# [windows]
+ - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
+ - Atomic Test #5: Process Injection via C# [windows]
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1121 Regsvcs/Regasm](./T1121/T1121.md)
 - Atomic Test #1: Regasm Uninstall Method Call Test [windows]
@@ -413,7 +414,8 @@
 - Atomic Test #1: Process Injection via mavinject.exe [windows]
 - Atomic Test #2: Process Injection via PowerSploit [windows]
 - Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- - Atomic Test #4: Process Injection via C# [windows]
+ - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
+ - Atomic Test #5: Process Injection via C# [windows]
 - T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053 Scheduled Task](./T1053/T1053.md)
 - Atomic Test #1: At.exe Scheduled task [windows]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index aa7b0c91..8a77097e 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -9435,11 +9435,31 @@ defense-evasion:
 path_to_shared_library:
 description: Path to a shared library object
 type: Path
- default: "/tmp/evil_module.so"
+ default: "../bin/T1055.so"
 executor:
 name: bash
+ elevation_required: true
 command: 'echo #{path_to_shared_library} > /etc/ld.so.preload
+'
+ - name: Shared Library Injection via LD_PRELOAD
+ description: 'This test injects a shared object library via the LD_PRELOAD environment
+ variable to execute. This technique was used by threat actor Rocke during
+ the exploitation of Linux web servers. This requires the `glibc` package.
+
+'
+ supported_platforms:
+ - linux
+ input_arguments:
+ path_to_shared_library:
+ description: Path to a shared library object
+ type: Path
+ default: "/opt/AtomicRedTeam/atomics/T1055/bin/T1055.so"
+ executor:
+ name: bash
+ elevation_required: false
+ command: 'LD_PRELOAD=#{path_to_shared_library} ls
+
 '
 - name: Process Injection via C#
 description: |
@@ -12518,11 +12538,31 @@ privilege-escalation:
 path_to_shared_library:
 description: Path to a shared library object
 type: Path
- default: "/tmp/evil_module.so"
+ default: "../bin/T1055.so"
 executor:
 name: bash
+ elevation_required: true
 command: 'echo #{path_to_shared_library} > /etc/ld.so.preload
+'
+ - name: Shared Library Injection via LD_PRELOAD
+ description: 'This test injects a shared object library via the LD_PRELOAD environment
+ variable to execute. This technique was used by threat actor Rocke during
+ the exploitation of Linux web servers. This requires the `glibc` package.
+
+'
+ supported_platforms:
+ - linux
+ input_arguments:
+ path_to_shared_library:
+ description: Path to a shared library object
+ type: Path
+ default: "/opt/AtomicRedTeam/atomics/T1055/bin/T1055.so"
+ executor:
+ name: bash
+ elevation_required: false
+ command: 'LD_PRELOAD=#{path_to_shared_library} ls
+
 '
 - name: Process Injection via C#
 description: |
diff --git a/atomics/linux-index.md b/atomics/linux-index.md
index 35553248..6d0e784f 100644
--- a/atomics/linux-index.md
+++ b/atomics/linux-index.md
@@ -184,6 +184,7 @@
 - T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1055 Process Injection](./T1055/T1055.md)
 - Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
+ - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1536 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1014 Rootkit](./T1014/T1014.md)
@@ -325,6 +326,7 @@
 - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1055 Process Injection](./T1055/T1055.md)
 - Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
+ - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
 - [T1166 Setuid and Setgid](./T1166/T1166.md)
 - Atomic Test #1: Setuid and Setgid [macos, centos, ubuntu, linux]
 - Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index afd244f5..a2681a31 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -109,7 +109,7 @@
 - [T1055 Process Injection](./T1055/T1055.md)
 - Atomic Test #1: Process Injection via mavinject.exe [windows]
 - Atomic Test #2: Process Injection via PowerSploit [windows]
- - Atomic Test #4: Process Injection via C# [windows]
+ - Atomic Test #5: Process Injection via C# [windows]
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1121 Regsvcs/Regasm](./T1121/T1121.md)
 - Atomic Test #1: Regasm Uninstall Method Call Test [windows]
@@ -188,7 +188,7 @@
 - [T1055 Process Injection](./T1055/T1055.md)
 - Atomic Test #1: Process Injection via mavinject.exe [windows]
 - Atomic Test #2: Process Injection via PowerSploit [windows]
- - Atomic Test #4: Process Injection via C# [windows]
+ - Atomic Test #5: Process Injection via C# [windows]
 - T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053 Scheduled Task](./T1053/T1053.md)
 - Atomic Test #1: At.exe Scheduled task [windows]