From fb702afdeff200afb196d88d817520d70db837fd Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 23 Mar 2020 20:57:21 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1055/T1055.md | 57 ++++----------------- atomics/T1218/T1218.md | 8 +-- atomics/index.md | 18 +++---- atomics/index.yaml | 108 ++++++++++++--------------------------- atomics/linux-index.md | 8 +-- atomics/windows-index.md | 10 ++-- 6 files changed, 64 insertions(+), 145 deletions(-) diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md index 8fc773ce..6f98eef1 100644 --- a/atomics/T1055/T1055.md +++ b/atomics/T1055/T1055.md @@ -27,15 +27,13 @@ Malware commonly utilizes process injection to access system resources through w - [Atomic Test #1 - Process Injection via mavinject.exe](#atomic-test-1---process-injection-via-mavinjectexe) -- [Atomic Test #2 - Process Injection via PowerSploit](#atomic-test-2---process-injection-via-powersploit) +- [Atomic Test #2 - Shared Library Injection via /etc/ld.so.preload](#atomic-test-2---shared-library-injection-via-etcldsopreload) -- [Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload](#atomic-test-3---shared-library-injection-via-etcldsopreload) +- [Atomic Test #3 - Shared Library Injection via LD_PRELOAD](#atomic-test-3---shared-library-injection-via-ld_preload) -- [Atomic Test #4 - Shared Library Injection via LD_PRELOAD](#atomic-test-4---shared-library-injection-via-ld_preload) +- [Atomic Test #4 - Process Injection via C#](#atomic-test-4---process-injection-via-c) -- [Atomic Test #5 - Process Injection via C#](#atomic-test-5---process-injection-via-c) - -- [Atomic Test #6 - svchost writing a file to a UNC path](#atomic-test-6---svchost-writing-a-file-to-a-unc-path) +- [Atomic Test #5 - svchost writing a file to a UNC path](#atomic-test-5---svchost-writing-a-file-to-a-unc-path)
@@ -43,7 +41,7 @@ Malware commonly utilizes process injection to access system resources through w ## Atomic Test #1 - Process Injection via mavinject.exe Windows 10 Utility To Inject DLLS. -Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. +Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. **Supported Platforms:** Windows @@ -86,41 +84,8 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato

-## Atomic Test #2 - Process Injection via PowerSploit -PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1) - -Upon successful execution, powershell.exe will download `Invoke-DLLInjection.ps1` and use it to inject into the `T1055.dll` shared library file. - -**Supported Platforms:** Windows - - - - -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| dll_payload | DLL to Inject | Path | T1055.dll| -| process_id | PID of input_arguments | Integer | (get-process spoolsv).id| - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - - -```powershell -$mypid = #{process_id} -Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload} -``` - - - - - - -
-
- -## Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload -This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. +## Atomic Test #2 - Shared Library Injection via /etc/ld.so.preload +This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. Upon successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload. @@ -150,7 +115,7 @@ echo #{path_to_shared_library} > /etc/ld.so.preload

-## Atomic Test #4 - Shared Library Injection via LD_PRELOAD +## Atomic Test #3 - Shared Library Injection via LD_PRELOAD This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout. @@ -181,7 +146,7 @@ LD_PRELOAD=#{path_to_shared_library} ls

-## Atomic Test #5 - Process Injection via C# +## Atomic Test #4 - Process Injection via C# Process Injection using C# reference: https://github.com/pwndizzle/c-sharp-memory-injection Excercises Five Techniques @@ -218,9 +183,9 @@ Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 tec

-## Atomic Test #6 - svchost writing a file to a UNC path +## Atomic Test #5 - svchost writing a file to a UNC path svchost.exe writing a non-Microsoft Office file to a file with a UNC path. -Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file. +Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file. **Supported Platforms:** Windows diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md index ddaac82b..3d1d809b 100644 --- a/atomics/T1218/T1218.md +++ b/atomics/T1218/T1218.md @@ -232,6 +232,8 @@ msiexec.exe /q /i "#{msi_payload}" ## Atomic Test #6 - Msiexec.exe - Execute Arbitrary DLL Execute arbitrary DLL file stored locally. Commonly seen in application installation. +Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder. +By default, if the src folder is not in place, it will download the 64 bit version. **Supported Platforms:** Windows @@ -241,7 +243,7 @@ Execute arbitrary DLL file stored locally. Commonly seen in application installa #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll| +| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\x64\T1218.dll| #### Attack Commands: Run with `command_prompt`! @@ -255,7 +257,7 @@ msiexec.exe /y "#{dll_payload}" #### Dependencies: Run with `powershell`! -##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload}) +##### Description: T1218.dll must exist on disk at specified location (#{dll_payload}) ##### Check Prereq Commands: ```powershell if (Test-Path #{dll_payload}) {exit 0} else {exit 1} 
@@ -263,7 +265,7 @@ if (Test-Path #{dll_payload}) {exit 0} else {exit 1} ##### Get Prereq Commands: ```powershell New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null -Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}" ``` diff --git a/atomics/index.md b/atomics/index.md index 60f9c277..bc14e541 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -345,11 +345,10 @@ - Atomic Test #1: Process Hollowing using PowerShell [windows] - [T1055 Process Injection](./T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] - - Atomic Test #2: Process Injection via PowerSploit [windows] - - Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux] - - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux] - - Atomic Test #5: Process Injection via C# [windows] - - Atomic Test #6: svchost writing a file to a UNC path [windows] + - Atomic Test #2: Shared Library Injection via /etc/ld.so.preload [linux] + - Atomic Test #3: Shared Library Injection via LD_PRELOAD [linux] + - Atomic Test #4: Process Injection via C# [windows] + - Atomic Test #5: svchost writing a file to a UNC path [windows] - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1121 Regsvcs/Regasm](./T1121/T1121.md) - Atomic Test #1: Regasm Uninstall Method Call Test [windows] 
@@ -462,11 +461,10 @@ - Atomic Test #1: Append malicious start-process cmdlet [windows] - [T1055 Process Injection](./T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] - - Atomic Test #2: Process Injection via PowerSploit [windows] - - Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux] - - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux] - - Atomic Test #5: Process Injection via C# [windows] - - Atomic Test #6: svchost writing a file to a UNC path [windows] + - Atomic Test #2: Shared Library Injection via /etc/ld.so.preload [linux] + - Atomic Test #3: Shared Library Injection via LD_PRELOAD [linux] + - Atomic Test #4: Process Injection via C# [windows] + - Atomic Test #5: svchost writing a file to a UNC path [windows] - T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053 Scheduled Task](./T1053/T1053.md) - Atomic Test #1: At.exe Scheduled task [windows] diff --git a/atomics/index.yaml b/atomics/index.yaml index 5f19917a..6eae74f0 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -11111,9 +11111,10 @@ defense-evasion: identifier: T1055 atomic_tests: - name: Process Injection via mavinject.exe - description: "Windows 10 Utility To Inject DLLS.\n\nUpon successful execution, - powershell.exe will download T1055.dll to disk. Powershell will then spawn - mavinject.exe to perform process injection in T1055.dll. \n" + description: | + Windows 10 Utility To Inject DLLS. + + Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. supported_platforms: - windows input_arguments: 
@@ -11138,33 +11139,11 @@ defense-evasion: command: | $mypid = #{process_id} mavinject $mypid /INJECTRUNNING #{dll_payload} - - name: Process Injection via PowerSploit - description: | - PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1) - - Upon successful execution, powershell.exe will download `Invoke-DLLInjection.ps1` and use it to inject into the `T1055.dll` shared library file. - supported_platforms: - - windows - input_arguments: - dll_payload: - description: DLL to Inject - type: Path - default: T1055.dll - process_id: - description: PID of input_arguments - type: Integer - default: "(get-process spoolsv).id" - executor: - name: powershell - elevation_required: true - command: | - $mypid = #{process_id} - Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload} - name: Shared Library Injection via /etc/ld.so.preload description: "This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke - during the exploitation of Linux web servers. This requires the `glibc` package. - \n\nUpon successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload. + during the exploitation of Linux web servers. This requires the `glibc` package.\n\nUpon + successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload. \n" supported_platforms: - linux 
@@ -11219,10 +11198,9 @@ defense-evasion: name: command_prompt command: ".\\bin\\#{exe_binary}\n" - name: svchost writing a file to a UNC path - description: "svchost.exe writing a non-Microsoft Office file to a file with - a UNC path.\nUpon successful execution, this will rename cmd.exe as svchost.exe - and move it to `c:\\`, then execute svchost.exe with output to a txt file. - \n" + description: | + svchost.exe writing a non-Microsoft Office file to a file with a UNC path. + Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file. supported_platforms: - windows executor: 
@@ -12145,24 +12123,24 @@ defense-evasion: ' - name: Msiexec.exe - Execute Arbitrary DLL - description: 'Execute arbitrary DLL file stored locally. Commonly seen in application - installation. - -' + description: | + Execute arbitrary DLL file stored locally. Commonly seen in application installation. + Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder. + By default, if the src folder is not in place, it will download the 64 bit version. supported_platforms: - windows input_arguments: dll_payload: description: DLL to execute type: Path - default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll + default: PathToAtomicsFolder\T1218\src\x64\T1218.dll dependency_executor_name: powershell dependencies: - - description: T1218-2.dll must exist on disk at specified location (#{dll_payload}) + - description: T1218.dll must exist on disk at specified location (#{dll_payload}) prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}' get_prereq_command: |- New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}" executor: name: command_prompt command: 'msiexec.exe /y "#{dll_payload}" 
@@ -14975,9 +14953,10 @@ privilege-escalation: identifier: T1055 atomic_tests: - name: Process Injection via mavinject.exe - description: "Windows 10 Utility To Inject DLLS.\n\nUpon successful execution, - powershell.exe will download T1055.dll to disk. Powershell will then spawn - mavinject.exe to perform process injection in T1055.dll. \n" + description: | + Windows 10 Utility To Inject DLLS. + + Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. supported_platforms: - windows input_arguments: 
@@ -15002,33 +14981,11 @@ privilege-escalation: command: | $mypid = #{process_id} mavinject $mypid /INJECTRUNNING #{dll_payload} - - name: Process Injection via PowerSploit - description: | - PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1) - - Upon successful execution, powershell.exe will download `Invoke-DLLInjection.ps1` and use it to inject into the `T1055.dll` shared library file. - supported_platforms: - - windows - input_arguments: - dll_payload: - description: DLL to Inject - type: Path - default: T1055.dll - process_id: - description: PID of input_arguments - type: Integer - default: "(get-process spoolsv).id" - executor: - name: powershell - elevation_required: true - command: | - $mypid = #{process_id} - Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload} - name: Shared Library Injection via /etc/ld.so.preload description: "This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke - during the exploitation of Linux web servers. This requires the `glibc` package. - \n\nUpon successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload. + during the exploitation of Linux web servers. This requires the `glibc` package.\n\nUpon + successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload. \n" supported_platforms: - linux 
@@ -15083,10 +15040,9 @@ privilege-escalation: name: command_prompt command: ".\\bin\\#{exe_binary}\n" - name: svchost writing a file to a UNC path - description: "svchost.exe writing a non-Microsoft Office file to a file with - a UNC path.\nUpon successful execution, this will rename cmd.exe as svchost.exe - and move it to `c:\\`, then execute svchost.exe with output to a txt file. - \n" + description: | + svchost.exe writing a non-Microsoft Office file to a file with a UNC path. + Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file. supported_platforms: - windows executor: 
@@ -24411,24 +24367,24 @@ execution: ' - name: Msiexec.exe - Execute Arbitrary DLL - description: 'Execute arbitrary DLL file stored locally. Commonly seen in application - installation. - -' + description: | + Execute arbitrary DLL file stored locally. Commonly seen in application installation. + Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder. + By default, if the src folder is not in place, it will download the 64 bit version. supported_platforms: - windows input_arguments: dll_payload: description: DLL to execute type: Path - default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll + default: PathToAtomicsFolder\T1218\src\x64\T1218.dll dependency_executor_name: powershell dependencies: - - description: T1218-2.dll must exist on disk at specified location (#{dll_payload}) + - description: T1218.dll must exist on disk at specified location (#{dll_payload}) prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}' get_prereq_command: |- New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}" executor: name: command_prompt command: 'msiexec.exe /y "#{dll_payload}" diff --git a/atomics/linux-index.md b/atomics/linux-index.md index a87e3a4c..b698d0ab 100644 --- a/atomics/linux-index.md +++ b/atomics/linux-index.md 
@@ -186,8 +186,8 @@ - Atomic Test #1: Decode base64 Data into Script [macos, linux] - T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1055 Process Injection](./T1055/T1055.md) - - Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux] - - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux] + - Atomic Test #2: Shared Library Injection via /etc/ld.so.preload [linux] + - Atomic Test #3: Shared Library Injection via LD_PRELOAD [linux] - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1536 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1014 Rootkit](./T1014/T1014.md) @@ -329,8 +329,8 @@ # privilege-escalation - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1055 Process Injection](./T1055/T1055.md) - - Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux] - - Atomic Test #4: Shared Library Injection via LD_PRELOAD [linux] + - Atomic Test #2: Shared Library Injection via /etc/ld.so.preload [linux] + - Atomic Test #3: Shared Library Injection via LD_PRELOAD [linux] - [T1166 Setuid and Setgid](./T1166/T1166.md) - Atomic Test #1: Make and modify binary from C source [macos, linux] - Atomic Test #2: Set a SetUID flag on file [macos, linux] diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 69467812..b31ad7c8 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md 
@@ -143,9 +143,8 @@ - Atomic Test #1: Process Hollowing using PowerShell [windows] - [T1055 Process Injection](./T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] - - Atomic Test #2: Process Injection via PowerSploit [windows] - - Atomic Test #5: Process Injection via C# [windows] - - Atomic Test #6: svchost writing a file to a UNC path [windows] + - Atomic Test #4: Process Injection via C# [windows] + - Atomic Test #5: svchost writing a file to a UNC path [windows] - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1121 Regsvcs/Regasm](./T1121/T1121.md) - Atomic Test #1: Regasm Uninstall Method Call Test [windows] @@ -238,9 +237,8 @@ - Atomic Test #1: Append malicious start-process cmdlet [windows] - [T1055 Process Injection](./T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] - - Atomic Test #2: Process Injection via PowerSploit [windows] - - Atomic Test #5: Process Injection via C# [windows] - - Atomic Test #6: svchost writing a file to a UNC path [windows] + - Atomic Test #4: Process Injection via C# [windows] + - Atomic Test #5: svchost writing a file to a UNC path [windows] - T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053 Scheduled Task](./T1053/T1053.md) - Atomic Test #1: At.exe Scheduled task [windows]
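Review bot: The first T1055.md hunk (@@ -27,15 +27,13 @@) drops "Atomic Test #2 - Process Injection via PowerSploit" and renumbers everything after it (the C# test moves from #5 to #4, the svchost test from #6 to #5), yet the commit message says only "Generate docs" and never mentions the removal. Anyone running T1055 tests by number will silently get a different test once this lands, so the message (or the source change this regenerates from) should state that the PowerSploit test was removed and why, and the same renumbering should be called out for the index.md, linux-index.md and windows-index.md hunks that mirror it.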
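Review bot: In the T1055.md hunk @@ -181,7 +146,7 @@ the renamed "Atomic Test #3 - Shared Library Injection via LD_PRELOAD" keeps a description that contradicts its own command: it says bash "will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`", while the command shown in the hunk context is `LD_PRELOAD=#{path_to_shared_library} ls`. The library loaded is #{path_to_shared_library}; /etc/ld.so.preload is the mechanism of the previous test, not this one. Because this file is generated, correct the wording in the technique's source YAML, e.g. "bash will set LD_PRELOAD to `#{path_to_shared_library}` so that `ls` loads it", and the doc hunk will follow on the next run.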
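Review bot: The T1055.md hunk @@ -218,9 +183,9 @@ carries the context line "Excercises Five Techniques"; "Excercises" should be "Exercises". Fix it in the source YAML rather than the generated markdown so the typo does not come back on the next regeneration.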
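Review bot: In the T1218.md hunks for "Atomic Test #6 - Msiexec.exe - Execute Arbitrary DLL" (@@ -232, @@ -241 and @@ -263) the new description promises "For 32 bit systems change the dll_payload argument to the Win32 folder" and "if the src folder is not in place, it will download the 64 bit version", but the get_prereq command unconditionally fetches `.../src/x64/T1218.dll` into "#{dll_payload}". A user on a 32-bit system who points dll_payload at the Win32 folder and does not already have the file will get the x64 DLL written to that path, and the dependency check then passes. The removed default also shows the Win32 file was named `T1218-2.dll`, not `T1218.dll`, so "change the folder" alone is not enough. Either branch the download on the OS architecture (for example on `[Environment]::Is64BitOperatingSystem`) and pick the matching file name, or state plainly that the prerequisite download is 64-bit only and the Win32 DLL must be placed by hand. The same wording is duplicated in the index.yaml hunks @@ -12145 and @@ -24411.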
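Review bot: In the index.yaml hunk @@ -11138,33 +11139,11 @@ (and its duplicate at @@ -15002,33 +14981,11 @@) the rewrapped description for "Shared Library Injection via /etc/ld.so.preload" still ends with the context line ` \n"`, i.e. a trailing space before the final newline. The neighbouring mavinject and svchost descriptions in this same patch were converted to clean `|` block scalars precisely to shed that trailing whitespace; trimming it in the source YAML as well would stop the generator from re-wrapping this folded string on every run and make these diffs stop churning.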