diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md
index 8fc773ce..6f98eef1 100644
--- a/atomics/T1055/T1055.md
+++ b/atomics/T1055/T1055.md
@@ -27,15 +27,13 @@ Malware commonly utilizes process injection to access system resources through w
- [Atomic Test #1 - Process Injection via mavinject.exe](#atomic-test-1---process-injection-via-mavinjectexe)
-- [Atomic Test #2 - Process Injection via PowerSploit](#atomic-test-2---process-injection-via-powersploit)
+- [Atomic Test #2 - Shared Library Injection via /etc/ld.so.preload](#atomic-test-2---shared-library-injection-via-etcldsopreload)
-- [Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload](#atomic-test-3---shared-library-injection-via-etcldsopreload)
+- [Atomic Test #3 - Shared Library Injection via LD_PRELOAD](#atomic-test-3---shared-library-injection-via-ld_preload)
-- [Atomic Test #4 - Shared Library Injection via LD_PRELOAD](#atomic-test-4---shared-library-injection-via-ld_preload)
+- [Atomic Test #4 - Process Injection via C#](#atomic-test-4---process-injection-via-c)
-- [Atomic Test #5 - Process Injection via C#](#atomic-test-5---process-injection-via-c)
-
-- [Atomic Test #6 - svchost writing a file to a UNC path](#atomic-test-6---svchost-writing-a-file-to-a-unc-path)
+- [Atomic Test #5 - svchost writing a file to a UNC path](#atomic-test-5---svchost-writing-a-file-to-a-unc-path)
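Review bot: Renumbering tests #3 through #6 down to #2 through #5 in this TOC silently invalidates anything that selects T1055 tests by number (runbooks, detection validation scripts, links to the old `#atomic-test-5---process-injection-via-c` anchor): the old "Atomic Test #5" now runs the svchost test instead of the C# one. Please call the renumbering out in the PR description or changelog rather than leaving it implicit in the removal.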
@@ -43,7 +41,7 @@ Malware commonly utilizes process injection to access system resources through w
## Atomic Test #1 - Process Injection via mavinject.exe
Windows 10 Utility To Inject DLLS.
-Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
+Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
**Supported Platforms:** Windows
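Review bot: The only change to the description line here is trailing whitespace, but since the line is being touched, the wording `spawn mavinject.exe to perform process injection in T1055.dll` has the direction backwards: T1055.dll is what gets injected, the target is the process named by `process_id` (`mavinject $mypid /INJECTRUNNING #{dll_payload}` further down). Suggest `spawn mavinject.exe to inject T1055.dll into the process given by process_id`, and `DLLS` to `DLLs`; the same sentence is duplicated in index.yaml, so fix it wherever the description is mastered so both copies stay in sync.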
@@ -86,41 +84,8 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
-## Atomic Test #2 - Process Injection via PowerSploit
-PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
-
-Upon successful execution, powershell.exe will download `Invoke-DLLInjection.ps1` and use it to inject into the `T1055.dll` shared library file.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| dll_payload | DLL to Inject | Path | T1055.dll|
-| process_id | PID of input_arguments | Integer | (get-process spoolsv).id|
-
-
-#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
-
-
-```powershell
-$mypid = #{process_id}
-Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}
-```
-
-
-
-
-
-
-
-
-
-## Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload
-This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
+## Atomic Test #2 - Shared Library Injection via /etc/ld.so.preload
+This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
Upon successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload.
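Review bot: Removing the PowerSploit test is justified, but the reason should be in the commit message: the deleted command `Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}` calls a script file by bare name without importing or dot-sourcing it, there is no dependency section that fetches `Invoke-DLLInjection.ps1` or `T1055.dll` as the description promised, and the description itself ("inject into the `T1055.dll` shared library file") inverts what is injected into what. Say "removed because the test could not run as written" so future readers do not try to restore it unchanged.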
@@ -150,7 +115,7 @@ echo #{path_to_shared_library} > /etc/ld.so.preload
-## Atomic Test #4 - Shared Library Injection via LD_PRELOAD
+## Atomic Test #3 - Shared Library Injection via LD_PRELOAD
This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout.
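Review bot: The context line under the renamed heading still says bash will `load the shared object library /etc/ld.so.preload`, which is wrong: `/etc/ld.so.preload` is the loader configuration file from the previous test, and this test preloads `#{path_to_shared_library}` (see `LD_PRELOAD=#{path_to_shared_library} ls` in the hunk header). Since the heading is being edited anyway, fix the description to name the shared object path instead.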
@@ -181,7 +146,7 @@ LD_PRELOAD=#{path_to_shared_library} ls
-## Atomic Test #5 - Process Injection via C#
+## Atomic Test #4 - Process Injection via C#
Process Injection using C#
reference: https://github.com/pwndizzle/c-sharp-memory-injection
Excercises Five Techniques
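Review bot: `Excercises` on the line after the reference URL is misspelled (`Exercises`); the heading right above it is being renumbered in this hunk, so fold the typo fix in rather than leaving it for another pass.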
@@ -218,9 +183,9 @@ Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 tec
-## Atomic Test #6 - svchost writing a file to a UNC path
+## Atomic Test #5 - svchost writing a file to a UNC path
svchost.exe writing a non-Microsoft Office file to a file with a UNC path.
-Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file.
+Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file.
**Supported Platforms:** Windows
diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md
index ddaac82b..3d1d809b 100644
--- a/atomics/T1218/T1218.md
+++ b/atomics/T1218/T1218.md
@@ -232,6 +232,8 @@ msiexec.exe /q /i "#{msi_payload}"
## Atomic Test #6 - Msiexec.exe - Execute Arbitrary DLL
Execute arbitrary DLL file stored locally. Commonly seen in application installation.
+Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder.
+By default, if the src folder is not in place, it will download the 64 bit version.
**Supported Platforms:** Windows
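Review bot: The new sentence `if the src folder is not in place, it will download the 64 bit version` contradicts the sentence before it that tells 32-bit users to point `dll_payload` at the Win32 folder: the Get Prereq command in this file fetches only `src/x64/T1218.dll` into whatever path `dll_payload` names, so a 32-bit user without the src folder ends up with a 64-bit DLL under a Win32 path. Either state that the Win32 variant must already be on disk, or make the download follow the chosen path. Also `32 bit`/`64 bit` should be `32-bit`/`64-bit`.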
@@ -241,7 +243,7 @@ Execute arbitrary DLL file stored locally. Commonly seen in application installa
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll|
+| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\x64\T1218.dll|
#### Attack Commands: Run with `command_prompt`!
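Review bot: Changing the default from `Win32\T1218-2.dll` to `x64\T1218.dll` changes the filename as well as the folder. The description tells 32-bit users to switch the path to the Win32 folder, so confirm that `src\Win32\T1218.dll` actually exists alongside the x64 build (the old default was `T1218-2.dll`); otherwise the documented 32-bit path points at a file that is not there.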
@@ -255,7 +257,7 @@ msiexec.exe /y "#{dll_payload}"
#### Dependencies: Run with `powershell`!
-##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
+##### Description: T1218.dll must exist on disk at specified location (#{dll_payload})
##### Check Prereq Commands:
```powershell
if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
@@ -263,7 +265,7 @@ if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"
```
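Review bot: The Invoke-WebRequest URL is hard-coded to `src/x64/T1218.dll` while `-OutFile "#{dll_payload}"` follows the user's choice, so on a 32-bit host with a Win32 `dll_payload` the prereq step silently drops a 64-bit DLL into the Win32 path and `msiexec.exe /y` then fails for an unobvious reason instead of a clear missing-file error. Suggest deriving the URL from `#{dll_payload}` (its parent folder name and `Split-Path -Leaf`) or adding an architecture input argument, so the downloaded file matches the path.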
diff --git a/atomics/index.md b/atomics/index.md
index 60f9c277..bc14e541 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -345,11 +345,10 @@
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- - Atomic Test #2: Process Injection via PowerSploit [windows]
- - Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
- - Atomic Test #5: Process Injection via C# [windows]
- - Atomic Test #6: svchost writing a file to a UNC path [windows]
+ - Atomic Test #2: Shared Library Injection via /etc/ld.so.preload [linux]
+ - Atomic Test #3: Shared Library Injection via LD_PRELOAD [linux]
+ - Atomic Test #4: Process Injection via C# [windows]
+ - Atomic Test #5: svchost writing a file to a UNC path [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
@@ -462,11 +461,10 @@
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- - Atomic Test #2: Process Injection via PowerSploit [windows]
- - Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
- - Atomic Test #5: Process Injection via C# [windows]
- - Atomic Test #6: svchost writing a file to a UNC path [windows]
+ - Atomic Test #2: Shared Library Injection via /etc/ld.so.preload [linux]
+ - Atomic Test #3: Shared Library Injection via LD_PRELOAD [linux]
+ - Atomic Test #4: Process Injection via C# [windows]
+ - Atomic Test #5: svchost writing a file to a UNC path [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
- Atomic Test #1: At.exe Scheduled task [windows]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 5f19917a..6eae74f0 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -11111,9 +11111,10 @@ defense-evasion:
identifier: T1055
atomic_tests:
- name: Process Injection via mavinject.exe
- description: "Windows 10 Utility To Inject DLLS.\n\nUpon successful execution,
- powershell.exe will download T1055.dll to disk. Powershell will then spawn
- mavinject.exe to perform process injection in T1055.dll. \n"
+ description: |
+ Windows 10 Utility To Inject DLLS.
+
+ Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
supported_platforms:
- windows
input_arguments:
@@ -11138,33 +11139,11 @@ defense-evasion:
command: |
$mypid = #{process_id}
mavinject $mypid /INJECTRUNNING #{dll_payload}
- - name: Process Injection via PowerSploit
- description: |
- PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
-
- Upon successful execution, powershell.exe will download `Invoke-DLLInjection.ps1` and use it to inject into the `T1055.dll` shared library file.
- supported_platforms:
- - windows
- input_arguments:
- dll_payload:
- description: DLL to Inject
- type: Path
- default: T1055.dll
- process_id:
- description: PID of input_arguments
- type: Integer
- default: "(get-process spoolsv).id"
- executor:
- name: powershell
- elevation_required: true
- command: |
- $mypid = #{process_id}
- Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}
- name: Shared Library Injection via /etc/ld.so.preload
description: "This test adds a shared library to the `ld.so.preload` list to
execute and intercept API calls. This technique was used by threat actor Rocke
- during the exploitation of Linux web servers. This requires the `glibc` package.
- \n\nUpon successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload.
+ during the exploitation of Linux web servers. This requires the `glibc` package.\n\nUpon
+ successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload.
\n"
supported_platforms:
- linux
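Review bot: In this hunk the ld.so.preload description is only re-wrapped as a double-quoted string with `\n\nUpon` split across lines, while the neighbouring mavinject and svchost descriptions were converted to `|` block scalars. If index.yaml is regenerated, a consistent emitter setting would avoid this noise-only diff; if it is hand-edited, convert this one to a block scalar too and drop the stray trailing `\n"` so the text matches the T1055.md copy.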
@@ -11219,10 +11198,9 @@ defense-evasion:
name: command_prompt
command: ".\\bin\\#{exe_binary}\n"
- name: svchost writing a file to a UNC path
- description: "svchost.exe writing a non-Microsoft Office file to a file with
- a UNC path.\nUpon successful execution, this will rename cmd.exe as svchost.exe
- and move it to `c:\\`, then execute svchost.exe with output to a txt file.
- \n"
+ description: |
+ svchost.exe writing a non-Microsoft Office file to a file with a UNC path.
+ Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file.
supported_platforms:
- windows
executor:
@@ -12145,24 +12123,24 @@ defense-evasion:
'
- name: Msiexec.exe - Execute Arbitrary DLL
- description: 'Execute arbitrary DLL file stored locally. Commonly seen in application
- installation.
-
-'
+ description: |
+ Execute arbitrary DLL file stored locally. Commonly seen in application installation.
+ Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder.
+ By default, if the src folder is not in place, it will download the 64 bit version.
supported_platforms:
- windows
input_arguments:
dll_payload:
description: DLL to execute
type: Path
- default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
+ default: PathToAtomicsFolder\T1218\src\x64\T1218.dll
dependency_executor_name: powershell
dependencies:
- - description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
+ - description: T1218.dll must exist on disk at specified location (#{dll_payload})
prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}'
get_prereq_command: |-
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"
executor:
name: command_prompt
command: 'msiexec.exe /y "#{dll_payload}"
@@ -14975,9 +14953,10 @@ privilege-escalation:
identifier: T1055
atomic_tests:
- name: Process Injection via mavinject.exe
- description: "Windows 10 Utility To Inject DLLS.\n\nUpon successful execution,
- powershell.exe will download T1055.dll to disk. Powershell will then spawn
- mavinject.exe to perform process injection in T1055.dll. \n"
+ description: |
+ Windows 10 Utility To Inject DLLS.
+
+ Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
supported_platforms:
- windows
input_arguments:
@@ -15002,33 +14981,11 @@ privilege-escalation:
command: |
$mypid = #{process_id}
mavinject $mypid /INJECTRUNNING #{dll_payload}
- - name: Process Injection via PowerSploit
- description: |
- PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
-
- Upon successful execution, powershell.exe will download `Invoke-DLLInjection.ps1` and use it to inject into the `T1055.dll` shared library file.
- supported_platforms:
- - windows
- input_arguments:
- dll_payload:
- description: DLL to Inject
- type: Path
- default: T1055.dll
- process_id:
- description: PID of input_arguments
- type: Integer
- default: "(get-process spoolsv).id"
- executor:
- name: powershell
- elevation_required: true
- command: |
- $mypid = #{process_id}
- Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}
- name: Shared Library Injection via /etc/ld.so.preload
description: "This test adds a shared library to the `ld.so.preload` list to
execute and intercept API calls. This technique was used by threat actor Rocke
- during the exploitation of Linux web servers. This requires the `glibc` package.
- \n\nUpon successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload.
+ during the exploitation of Linux web servers. This requires the `glibc` package.\n\nUpon
+ successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload.
\n"
supported_platforms:
- linux
@@ -15083,10 +15040,9 @@ privilege-escalation:
name: command_prompt
command: ".\\bin\\#{exe_binary}\n"
- name: svchost writing a file to a UNC path
- description: "svchost.exe writing a non-Microsoft Office file to a file with
- a UNC path.\nUpon successful execution, this will rename cmd.exe as svchost.exe
- and move it to `c:\\`, then execute svchost.exe with output to a txt file.
- \n"
+ description: |
+ svchost.exe writing a non-Microsoft Office file to a file with a UNC path.
+ Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file.
supported_platforms:
- windows
executor:
@@ -24411,24 +24367,24 @@ execution:
'
- name: Msiexec.exe - Execute Arbitrary DLL
- description: 'Execute arbitrary DLL file stored locally. Commonly seen in application
- installation.
-
-'
+ description: |
+ Execute arbitrary DLL file stored locally. Commonly seen in application installation.
+ Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder.
+ By default, if the src folder is not in place, it will download the 64 bit version.
supported_platforms:
- windows
input_arguments:
dll_payload:
description: DLL to execute
type: Path
- default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
+ default: PathToAtomicsFolder\T1218\src\x64\T1218.dll
dependency_executor_name: powershell
dependencies:
- - description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
+ - description: T1218.dll must exist on disk at specified location (#{dll_payload})
prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}'
get_prereq_command: |-
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"
executor:
name: command_prompt
command: 'msiexec.exe /y "#{dll_payload}"
diff --git a/atomics/linux-index.md b/atomics/linux-index.md
index a87e3a4c..b698d0ab 100644
--- a/atomics/linux-index.md
+++ b/atomics/linux-index.md
@@ -186,8 +186,8 @@
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055 Process Injection](./T1055/T1055.md)
- - Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
+ - Atomic Test #2: Shared Library Injection via /etc/ld.so.preload [linux]
+ - Atomic Test #3: Shared Library Injection via LD_PRELOAD [linux]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1536 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1014 Rootkit](./T1014/T1014.md)
@@ -329,8 +329,8 @@
# privilege-escalation
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055 Process Injection](./T1055/T1055.md)
- - Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
- - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux]
+ - Atomic Test #2: Shared Library Injection via /etc/ld.so.preload [linux]
+ - Atomic Test #3: Shared Library Injection via LD_PRELOAD [linux]
- [T1166 Setuid and Setgid](./T1166/T1166.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 69467812..b31ad7c8 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -143,9 +143,8 @@
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- - Atomic Test #2: Process Injection via PowerSploit [windows]
- - Atomic Test #5: Process Injection via C# [windows]
- - Atomic Test #6: svchost writing a file to a UNC path [windows]
+ - Atomic Test #4: Process Injection via C# [windows]
+ - Atomic Test #5: svchost writing a file to a UNC path [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
@@ -238,9 +237,8 @@
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- - Atomic Test #2: Process Injection via PowerSploit [windows]
- - Atomic Test #5: Process Injection via C# [windows]
- - Atomic Test #6: svchost writing a file to a UNC path [windows]
+ - Atomic Test #4: Process Injection via C# [windows]
+ - Atomic Test #5: svchost writing a file to a UNC path [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
- Atomic Test #1: At.exe Scheduled task [windows]