Generated docs from job=generate-docs branch=master [ci skip]

This commit is contained in:
Atomic Red Team doc generator
2023-09-13 01:22:52 +00:00
parent bd99b04a31
commit 5d76ff7aa1
22 changed files with 228 additions and 51 deletions
+2
@@ -309,6 +309,7 @@ defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,2,Mount
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,4,Execute LNK file from ISO,c2587b8d-743d-4985-aa50-c83394eaeb68,powershell
defense-evasion,T1612,Build Image on Host,1,Build Image On Host,2db30061-589d-409b-b125-7b473944f9b3,sh
defense-evasion,T1055.002,Process Injection: Portable Executable Injection,1,Portable Executable Injection,578025d5-faa9-4f6d-8390-aae739d503e1,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -626,6 +627,7 @@ privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
privilege-escalation,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
privilege-escalation,T1055.002,Process Injection: Portable Executable Injection,1,Portable Executable Injection,578025d5-faa9-4f6d-8390-aae739d503e1,powershell
privilege-escalation,T1547.015,Boot or Logon Autostart Execution: Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
privilege-escalation,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
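Review bot: the same test GUID 578025d5-faa9-4f6d-8390-aae739d503e1 is added once under defense-evasion (the row after T1612) and once under privilege-escalation (the row after T1546.009). That is the expected shape for a sub-technique tagged with two tactics, but anything that derives a test count from this CSV has to key on distinct GUIDs rather than rows, or the single new test is counted twice.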
CSV columns: Tactic, Technique #, Technique Name, Test #, Test Name, Test GUID, Executor Name
@@ -214,6 +214,7 @@ defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,1,Mount
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,4,Execute LNK file from ISO,c2587b8d-743d-4985-aa50-c83394eaeb68,powershell
defense-evasion,T1055.002,Process Injection: Portable Executable Injection,1,Portable Executable Injection,578025d5-faa9-4f6d-8390-aae739d503e1,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -437,6 +438,7 @@ privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
privilege-escalation,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
privilege-escalation,T1055.002,Process Injection: Portable Executable Injection,1,Portable Executable Injection,578025d5-faa9-4f6d-8390-aae739d503e1,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
+4 -2
@@ -430,7 +430,8 @@
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1612 Build Image on Host](../../T1612/T1612.md)
- Atomic Test #1: Build Image On Host [containers]
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.002 Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md)
- Atomic Test #1: Portable Executable Injection [windows]
- T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
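Review bot: the replaced entry changes the heading text from "T1055.002 Portable Executable Injection" to the parent-prefixed "T1055.002 Process Injection: Portable Executable Injection", and the relative link ../../T1055.002/T1055.002.md is at the same depth as the T1612 link two lines above, so it resolves from the same index location. The identical string appears as the quoted `name:` value in the YAML index hunks further down; keep both derived from the same ATT&CK field so the markdown and YAML views cannot drift apart.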
@@ -922,7 +923,8 @@
- T1138 Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
- Atomic Test #1: Create registry persistence via AppCert DLL [windows]
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.002 Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md)
- Atomic Test #1: Portable Executable Injection [windows]
- [T1547.015 Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md)
- Atomic Test #1: Persistence by modifying Windows Terminal profile [windows]
- Atomic Test #2: Add macOS LoginItem using Applescript [macos]
@@ -309,7 +309,8 @@
- Atomic Test #4: Execute LNK file from ISO [windows]
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.002 Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md)
- Atomic Test #1: Portable Executable Injection [windows]
- T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -668,7 +669,8 @@
- T1138 Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
- Atomic Test #1: Create registry persistence via AppCert DLL [windows]
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.002 Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md)
- Atomic Test #1: Portable Executable Injection [windows]
- [T1134.001 Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md)
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
+2 -2
@@ -64,7 +64,7 @@
| | | [Server Software Component: Web Shell](../../T1505.003/T1505.003.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Time Providers](../../T1547.003/T1547.003.md) | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [OS Credential Dumping: /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | | | | | | |
| | | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [OS Credential Dumping: /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | | | | | | |
| | | Modify Existing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | [Reflective Code Loading](../../T1620/T1620.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | | |
| | | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | | |
| | | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
@@ -121,7 +121,7 @@
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [IIS Components](../../T1505.004/T1505.004.md) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | [Build Image on Host](../../T1612/T1612.md) | | | | | | | |
| | | [Event Triggered Execution](../../T1546/T1546.md) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution](../../T1546/T1546.md) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | | | | | | | |
| | | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Authentication Package](../../T1547.002/T1547.002.md) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+2 -2
@@ -49,7 +49,7 @@
| | | [Time Providers](../../T1547.003/T1547.003.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Process Injection](../../T1055/T1055.md) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Forced Authentication](../../T1187/T1187.md) | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Modify Existing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Create Account: Local Account](../../T1136.001/T1136.001.md) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Reflective Code Loading](../../T1620/T1620.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | | |
@@ -95,7 +95,7 @@
| | | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | [Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | | | | | | | |
| | | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [BITS Jobs](../../T1197/T1197.md) | | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+4 -2
@@ -8625,7 +8625,7 @@ defense-evasion:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -8668,6 +8668,7 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1218.012:
technique:
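Review bot: `identifier: T1055.002` is inserted only for this entry while `atomic_tests: []` stays empty, so on this index the change is rename-plus-identifier only; the adjacent T1218.012 entry's fields fall outside the hunk, so confirm the generator now emits `identifier` for every technique and not just the one that gained a test, otherwise consumers of these indexes must treat the key as optional. The new `name:` value is single-quoted, which is required now that it contains ': ' and would otherwise be parsed as a nested mapping.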
@@ -21558,7 +21559,7 @@ privilege-escalation:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -21601,6 +21602,7 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1547.015:
technique:
+4 -2
@@ -8600,7 +8600,7 @@ defense-evasion:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -8643,6 +8643,7 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1218.012:
technique:
@@ -21670,7 +21671,7 @@ privilege-escalation:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -21713,6 +21714,7 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1547.015:
technique:
+4 -2
@@ -8529,7 +8529,7 @@ defense-evasion:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -8572,6 +8572,7 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1218.012:
technique:
@@ -21424,7 +21425,7 @@ privilege-escalation:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -21467,6 +21468,7 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1547.015:
technique:
+4 -2
@@ -8529,7 +8529,7 @@ defense-evasion:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -8572,6 +8572,7 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1218.012:
technique:
@@ -21366,7 +21367,7 @@ privilege-escalation:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -21409,6 +21410,7 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1547.015:
technique:
+4 -2
@@ -8529,7 +8529,7 @@ defense-evasion:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -8572,6 +8572,7 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1218.012:
technique:
@@ -21670,7 +21671,7 @@ privilege-escalation:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -21713,6 +21714,7 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1547.015:
technique:
+4 -2
@@ -8529,7 +8529,7 @@ defense-evasion:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -8572,6 +8572,7 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1218.012:
technique:
@@ -21525,7 +21526,7 @@ privilege-escalation:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -21568,6 +21569,7 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1547.015:
technique:
+4 -2
@@ -8529,7 +8529,7 @@ defense-evasion:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -8572,6 +8572,7 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1218.012:
technique:
@@ -21524,7 +21525,7 @@ privilege-escalation:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -21567,6 +21568,7 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1547.015:
technique:
+74 -4
@@ -16780,7 +16780,7 @@ defense-evasion:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -16823,7 +16823,42 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
atomic_tests: []
identifier: T1055.002
atomic_tests:
- name: Portable Executable Injection
auto_generated_guid: 578025d5-faa9-4f6d-8390-aae739d503e1
description: This test injects a portable executable into a remote Notepad process
memory using Portable Executable Injection and base-address relocation techniques.
When successful, a message box will appear with the title "Warning" and the
content "Atomic Red Team" after a few seconds.
supported_platforms:
- windows
input_arguments:
exe_binary:
description: PE binary
type: path
default: PathToAtomicsFolder\T1055.002\bin\RedInjection.exe
dependency_executor_name: powershell
dependencies:
- description: 'Portable Executable to inject must exist at specified location
(#{exe_binary})
'
prereq_command: 'if (Test-Path #{exe_binary}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{exe_binary}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.002/bin/RedInjection.exe" -OutFile "#{exe_binary}"
executor:
command: |-
Start-Process $PathToAtomicsFolder\T1055.002\bin\RedInjection.exe
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
Stop-Process -Force
name: powershell
elevation_required: true
T1218.012:
technique:
x_mitre_platforms:
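Review bot: the executor `command` hardcodes `Start-Process $PathToAtomicsFolder\T1055.002\bin\RedInjection.exe` instead of using the `#{exe_binary}` input argument, while `prereq_command` and `get_prereq_command` do use `#{exe_binary}`. Overriding `exe_binary` therefore changes which file the dependency check and the download target, but not which binary actually runs. Suggest `Start-Process "#{exe_binary}"` in the executor so all three stay in sync (quoted, since the resolved path may contain spaces).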
@@ -38654,7 +38689,7 @@ privilege-escalation:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -38697,7 +38732,42 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
atomic_tests: []
identifier: T1055.002
atomic_tests:
- name: Portable Executable Injection
auto_generated_guid: 578025d5-faa9-4f6d-8390-aae739d503e1
description: This test injects a portable executable into a remote Notepad process
memory using Portable Executable Injection and base-address relocation techniques.
When successful, a message box will appear with the title "Warning" and the
content "Atomic Red Team" after a few seconds.
supported_platforms:
- windows
input_arguments:
exe_binary:
description: PE binary
type: path
default: PathToAtomicsFolder\T1055.002\bin\RedInjection.exe
dependency_executor_name: powershell
dependencies:
- description: 'Portable Executable to inject must exist at specified location
(#{exe_binary})
'
prereq_command: 'if (Test-Path #{exe_binary}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{exe_binary}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.002/bin/RedInjection.exe" -OutFile "#{exe_binary}"
executor:
command: |-
Start-Process $PathToAtomicsFolder\T1055.002\bin\RedInjection.exe
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
Stop-Process -Force
name: powershell
elevation_required: true
T1547.015:
technique:
x_mitre_platforms:
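Review bot: `elevation_required: true` on the new test sits a few lines below the technique's `x_mitre_permissions_required: - User`. The ATT&CK field describes the technique rather than this harness, so the mismatch is not wrong in itself, but the `description` does not say why administrator rights are needed to inject into a Notepad process. A short justification in `description` (or dropping `elevation_required` if it is not actually needed) would help teams that run the atomics under least privilege decide whether to schedule this one.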
+4 -2
@@ -10545,7 +10545,7 @@ defense-evasion:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -10588,6 +10588,7 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1218.012:
technique:
@@ -24703,7 +24704,7 @@ privilege-escalation:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -24746,6 +24747,7 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1547.015:
technique:
+4 -2
@@ -9928,7 +9928,7 @@ defense-evasion:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -9971,6 +9971,7 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1218.012:
technique:
@@ -23870,7 +23871,7 @@ privilege-escalation:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -23913,6 +23914,7 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1547.015:
technique:
+4 -2
@@ -8529,7 +8529,7 @@ defense-evasion:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -8572,6 +8572,7 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1218.012:
technique:
@@ -21496,7 +21497,7 @@ privilege-escalation:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -21539,6 +21540,7 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1547.015:
technique:
+4 -2
@@ -8529,7 +8529,7 @@ defense-evasion:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -8572,6 +8572,7 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1218.012:
technique:
@@ -21366,7 +21367,7 @@ privilege-escalation:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -21409,6 +21410,7 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
identifier: T1055.002
atomic_tests: []
T1547.015:
technique:
+74 -4
@@ -14152,7 +14152,7 @@ defense-evasion:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -14195,7 +14195,42 @@ defense-evasion:
- Application control
x_mitre_permissions_required:
- User
atomic_tests: []
identifier: T1055.002
atomic_tests:
- name: Portable Executable Injection
auto_generated_guid: 578025d5-faa9-4f6d-8390-aae739d503e1
description: This test injects a portable executable into a remote Notepad process
memory using Portable Executable Injection and base-address relocation techniques.
When successful, a message box will appear with the title "Warning" and the
content "Atomic Red Team" after a few seconds.
supported_platforms:
- windows
input_arguments:
exe_binary:
description: PE binary
type: path
default: PathToAtomicsFolder\T1055.002\bin\RedInjection.exe
dependency_executor_name: powershell
dependencies:
- description: 'Portable Executable to inject must exist at specified location
(#{exe_binary})
'
prereq_command: 'if (Test-Path #{exe_binary}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{exe_binary}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.002/bin/RedInjection.exe" -OutFile "#{exe_binary}"
executor:
command: |-
Start-Process $PathToAtomicsFolder\T1055.002\bin\RedInjection.exe
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
Stop-Process -Force
name: powershell
elevation_required: true
T1218.012:
technique:
x_mitre_platforms:
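Review bot: `Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force` appears in both the executor `command` and `cleanup_command`, and it terminates every Notepad instance on the host, not only the one the test targeted; an operator with an unsaved Notepad document open would lose it. Suggest recording the process id of the Notepad instance the test uses and stopping only that process in both places.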
@@ -33304,7 +33339,7 @@ privilege-escalation:
Retrieved December 7, 2017.'
source_name: Elastic Process Injection July 2017
modified: '2021-10-18T12:21:11.178Z'
name: Portable Executable Injection
name: 'Process Injection: Portable Executable Injection'
description: "Adversaries may inject portable executables (PE) into processes
in order to evade process-based defenses as well as possibly elevate privileges.
PE injection is a method of executing arbitrary code in the address space
@@ -33347,7 +33382,42 @@ privilege-escalation:
- Application control
x_mitre_permissions_required:
- User
atomic_tests: []
identifier: T1055.002
atomic_tests:
- name: Portable Executable Injection
auto_generated_guid: 578025d5-faa9-4f6d-8390-aae739d503e1
description: This test injects a portable executable into a remote Notepad process
memory using Portable Executable Injection and base-address relocation techniques.
When successful, a message box will appear with the title "Warning" and the
content "Atomic Red Team" after a few seconds.
supported_platforms:
- windows
input_arguments:
exe_binary:
description: PE binary
type: path
default: PathToAtomicsFolder\T1055.002\bin\RedInjection.exe
dependency_executor_name: powershell
dependencies:
- description: 'Portable Executable to inject must exist at specified location
(#{exe_binary})
'
prereq_command: 'if (Test-Path #{exe_binary}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{exe_binary}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.002/bin/RedInjection.exe" -OutFile "#{exe_binary}"
executor:
command: |-
Start-Process $PathToAtomicsFolder\T1055.002\bin\RedInjection.exe
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
Stop-Process -Force
name: powershell
elevation_required: true
T1547.015:
technique:
x_mitre_platforms:
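Review bot: the executor waits a fixed `Start-Sleep -Seconds 7` and then kills Notepad, while the `description` only promises the message box "after a few seconds". On a slow or heavily instrumented host (EDR hooks on the injection path are exactly what this test exists to exercise) the box may not have appeared before Notepad is stopped, so a working detection setup can make the test look like a failure. Consider polling with a timeout until the expected window is present instead of the fixed sleep, and mention the expected window in the cleanup so a missing box is distinguishable from a killed process.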
+18 -11
@@ -1,35 +1,39 @@
# T1055.002 - Process Injection: Portable Executable Injection
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1055/002)
<blockquote>Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
<blockquote>Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as <code>VirtualAllocEx</code> <code>and WriteProcessMemory</code>, then invoked with <code>CreateRemoteThread</code> or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Ten process injection techniques: A technical survey of common and trending process injection techniques July 2017)
PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as <code>VirtualAllocEx</code> and <code>WriteProcessMemory</code>, then invoked with <code>CreateRemoteThread</code> or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017)
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process. </blockquote>
## Atomic Tests
- [Atomic Test #1 - Portable Executable Injection](#atomic-test-1---portable-executable-injection-via-c)
- [Atomic Test #1 - Portable Executable Injection](#atomic-test-1---portable-executable-injection)
<br/>
## Atomic Test #1 - Portable Executable Injection via C
This test injects a portable executable into a remote Notepad process memory using Portable Executable Injection and base-address relocation techniques. Upon successful execution, a message box will appear with the title "Warning" and the content "Atomic Red Team" after a few seconds.
## Atomic Test #1 - Portable Executable Injection
This test injects a portable executable into a remote Notepad process memory using Portable Executable Injection and base-address relocation techniques. When successful, a message box will appear with the title "Warning" and the content "Atomic Red Team" after a few seconds.
**Supported Platforms:** Windows
**auto_generated_guid:** 578025d5-faa9-4f6d-8390-aae123d503e1
**auto_generated_guid:** 578025d5-faa9-4f6d-8390-aae739d503e1
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_binary | Output Binary | path | PathToAtomicsFolder&#92;T1055.002&#92;bin&#92;RedInjection.exe|
| exe_binary | PE binary | path | PathToAtomicsFolder&#92;T1055.002&#92;bin&#92;RedInjection.exe|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`!
```powershell
Start-Process $PathToAtomicsFolder\T1055.002\bin\RedInjection.exe
Start-Sleep -Seconds 7
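Review bot: the `#### Attack Commands: Run with `powershell`!` heading loses the "Elevation Required (e.g. root or admin)" suffix, yet the YAML definitions in this same commit set `elevation_required: true` for this test, so the rendered markdown now understates what the test needs; either the generator should keep the suffix or the YAML flag should go, not both. The remaining changes in this hunk (closing the `<blockquote>`, moving the `<code>` tags so they wrap `WriteProcessMemory` rather than `and WriteProcessMemory`, the corrected citation name, the fixed anchor link and the corrected `auto_generated_guid`) are straightforward corrections.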
@@ -41,13 +45,14 @@ Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
```
#### Dependencies: Run with `powershell`!
##### Description: #{exe_binary} must be exist on system.
##### Description: Portable Executable to inject must exist at specified location (#{exe_binary})
##### Check Prereq Commands:
```powershell
if (Test-Path #{exe_binary}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{exe_binary}) -ErrorAction ignore | Out-Null
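Review bot: `if (Test-Path #{exe_binary}) {exit 0} else {exit 1}` passes the path unquoted, while the `Invoke-WebRequest ... -OutFile "#{exe_binary}"` in the same dependency block quotes it; if `PathToAtomicsFolder` resolves to a directory containing a space, `Test-Path` receives two arguments and the prerequisite check fails even after the download succeeded. Suggest `if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}`. The reworded dependency description is fine.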
@@ -55,4 +60,6 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
```
<br/>