Carrie Roberts
d4709021fb
* updating atomics count in README.md [ci skip] * wip * handle spaces in path * update readme * fix typo --------- Co-authored-by: publish bot <opensource@redcanary.com>
30 lines
1.5 KiB
YAML
30 lines
1.5 KiB
YAML
attack_technique: T1055.002
|
|
display_name: 'Process Injection: Portable Executable Injection'
|
|
atomic_tests:
|
|
- name: Portable Executable Injection
|
|
auto_generated_guid: 578025d5-faa9-4f6d-8390-aae739d503e1
|
|
description: 'This test injects a portable executable into a remote Notepad process memory using Portable Executable Injection and base-address relocation techniques. When successful, a message box will appear with the title "Warning" and the content "Atomic Red Team" after a few seconds.'
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
exe_binary:
|
|
description: PE binary
|
|
type: path
|
|
default: PathToAtomicsFolder\T1055.002\bin\RedInjection.exe
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Portable Executable to inject must exist at specified location (#{exe_binary})
|
|
prereq_command: |
|
|
if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.002/bin/RedInjection.exe" -OutFile "#{exe_binary}"
|
|
executor:
|
|
command: |-
|
|
Start-Process "#{exe_binary}"
|
|
Start-Sleep -Seconds 7
|
|
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
|
|
cleanup_command: 'Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force'
|
|
name: powershell
|
|
elevation_required: true |