From b1f1cdeb0e7bdfcc04a2e504f2987570e9ed3f09 Mon Sep 17 00:00:00 2001
From: caseysmithrc <30840394+caseysmithrc@users.noreply.github.com>
Date: Fri, 17 Aug 2018 10:54:04 -0600
Subject: [PATCH] T1093

---
 atomics/T1093/T1093.yaml | 26 ++++++++++++++++++++++++++
 bin/atomics/T1093/T1093.yaml | 0
 2 files changed, 26 insertions(+)
 create mode 100644 atomics/T1093/T1093.yaml
 create mode 100644 bin/atomics/T1093/T1093.yaml

diff --git a/atomics/T1093/T1093.yaml b/atomics/T1093/T1093.yaml
new file mode 100644
index 00000000..3eaf0722
--- /dev/null
+++ b/atomics/T1093/T1093.yaml
@@ -0,0 +1,26 @@
+---
+attack_technique: T1093
+display_name: Process Hollowing
+
+atomic_tests:
+- name: Basic Hollow No ParentID Manipulation
+  description: |
+    Using Start-Hollow.ps1
+    https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1
+    Notes
+
+  supported_platforms:
+    - windows
+  input_arguments:
+    hollow:
+      description: This is the payload to inject
+      type: string
+      default: C:\Windows\System32\cmd.exe
+    sponsor:
+      description: This is the host of the payload
+      type: string
+      default: C:\Windows\System32\notepad.exe
+  executor:
+    name: powershell
+    command: |
+      Start-Hollow -Hollow #{hollow} -Sponsor #{sponsor}
diff --git a/bin/atomics/T1093/T1093.yaml b/bin/atomics/T1093/T1093.yaml
new file mode 100644
index 00000000..e69de29b
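Review bot: The executor command invokes `Start-Hollow` with no step that loads Start-Hollow.ps1 into the session, so as written the test fails with an unrecognized-command error unless the operator has already imported the script; the description should state that prerequisite instead of ending on the bare `Notes` line, e.g. `Prerequisite: Start-Hollow.ps1 must be imported into the PowerShell session before this test runs.` There is no `cleanup_command`, so the sponsor process (notepad.exe by default) presumably remains running after the test; a cleanup step that stops it would return the host to its starting state. The `default:` paths are substituted into the command unquoted, which breaks for any path containing spaces; `Start-Hollow -Hollow "#{hollow}" -Sponsor "#{sponsor}"` avoids that. The second file, bin/atomics/T1093/T1093.yaml, is created empty (blob e69de29b), which looks accidental and may be picked up by any loader that globs that directory.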