Generate docs from job=validate_atomics_generate_docs branch=ProcessHolllowingT1093

atomics/T1093/T1093.md

@@ -0,0 +1,42 @@
+# T1093 - Process Hollowing
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1093)
+<blockquote>Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. Similar to Process Injection, execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis. (Citation: Leitch Hollowing) (Citation: Engame Process Injection July 2017)
+
+Detection: Monitoring API calls may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. API calls that unmap process memory, such as ZwUnmapViewOfSection or NtUnmapViewOfSection, and those that can be used to modify memory within another process, such as WriteProcessMemory, may be used for this technique. (Citation: Engame Process Injection July 2017)
+
+Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.
+
+Platforms: Windows
+
+Data Sources: Process monitoring, API monitoring
+
+Defense Bypassed: Process whitelisting, Anti-virus, Whitelisting by file name or path, Signature-based detection
+
+Permissions Required: User</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Basic Hollow No ParentID Manipulation](#atomic-test-1---basic-hollow-no-parentid-manipulation)
+
+
+<br/>
+
+## Atomic Test #1 - Basic Hollow No ParentID Manipulation
+Using Start-Hollow.ps1
+https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1
+Notes
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| hollow | This is the payload to inject | string | C:\Windows\System32\cmd.exe|
+| sponsor | This is the host of the payload | string | C:\Windows\System32\notepad.exe|
+
+#### Run it with `powershell`!
+```
+Start-Hollow -Hollow #{hollow} -Sponsor #{sponsor}
+```
+<br/>

atomics/T1093/T1093.yaml

@@ -0,0 +1,26 @@
+---
+attack_technique: T1093
+display_name: Process Hollowing
+
+atomic_tests:
+- name: Basic Hollow No ParentID Manipulation
+  description: |
+    Using Start-Hollow.ps1
+    https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1
+    Notes
+
+  supported_platforms:
+    - windows
+  input_arguments:
+    hollow:
+      description: This is the payload to inject
+      type: string
+      default: C:\Windows\System32\cmd.exe
+    sponsor:
+       description: This is the host of the payload
+       type: string
+       default: C:\Windows\System32\notepad.exe
+  executor:
+    name: powershell
+    command: |
+      Start-Hollow -Hollow #{hollow} -Sponsor #{sponsor}

atomics/index.md

@@ -225,7 +225,8 @@
   - Atomic Test #1: Plist Modification [macos]
 - T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1186 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1093 Process Hollowing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1093 Process Hollowing](./T1093/T1093.md)
+  - Atomic Test #1: Basic Hollow No ParentID Manipulation [windows]
 - [T1055 Process Injection](./T1055/T1055.md)
   - Atomic Test #1: Process Injection via mavinject.exe [windows]
   - Atomic Test #2: Process Injection via PowerSploit [windows]

atomics/matrix.md

@@ -43,7 +43,7 @@
 |  |  | [Re-opened Applications](./T1164/T1164.md) |  | [Plist Modification](./T1150/T1150.md) |  |  |  |  |  |  |
 |  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
 |  |  | [Registry Run Keys / Start Folder](./T1060/T1060.md) |  | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
-|  |  | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Process Hollowing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
+|  |  | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Process Hollowing](./T1093/T1093.md) |  |  |  |  |  |  |
 |  |  | [Scheduled Task](./T1053/T1053.md) |  | [Process Injection](./T1055/T1055.md) |  |  |  |  |  |  |
 |  |  | Screensaver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
 |  |  | Security Support Provider [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Regsvcs/Regasm](./T1121/T1121.md) |  |  |  |  |  |  |

atomics/windows-index.md

@@ -62,7 +62,8 @@
   - Atomic Test #2: Remove Network Share PowerShell [windows]
 - T1027 Obfuscated Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1186 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1093 Process Hollowing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1093 Process Hollowing](./T1093/T1093.md)
+  - Atomic Test #1: Basic Hollow No ParentID Manipulation [windows]
 - [T1055 Process Injection](./T1055/T1055.md)
   - Atomic Test #1: Process Injection via mavinject.exe [windows]
   - Atomic Test #2: Process Injection via PowerSploit [windows]

atomics/windows-matrix.md

@@ -34,7 +34,7 @@
 |  |  | [Scheduled Task](./T1053/T1053.md) |  | [Network Share Connection Removal](./T1126/T1126.md) |  |  |  |  |  |  |
 |  |  | Screensaver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Obfuscated Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
 |  |  | Security Support Provider [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
-|  |  | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Process Hollowing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
+|  |  | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Process Hollowing](./T1093/T1093.md) |  |  |  |  |  |  |
 |  |  | Shortcut Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Process Injection](./T1055/T1055.md) |  |  |  |  |  |  |
 |  |  | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
 |  |  | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Regsvcs/Regasm](./T1121/T1121.md) |  |  |  |  |  |  |