Atomic Red Team GUID generator
93 lines
4.3 KiB
YAML
93 lines
4.3 KiB
YAML
attack_technique: T1055.004
|
|
display_name: 'Process Injection: Asynchronous Procedure Call'
|
|
atomic_tests:
|
|
- name: Process Injection via C#
|
|
auto_generated_guid: 611b39b7-e243-4c81-87a4-7145a90358b1
|
|
description: |
|
|
Process Injection using C#
|
|
reference: https://github.com/pwndizzle/c-sharp-memory-injection
|
|
Excercises Five Techniques
|
|
1. Process injection
|
|
2. ApcInjectionAnyProcess
|
|
3. ApcInjectionNewProcess
|
|
4. IatInjection
|
|
5. ThreadHijack
|
|
Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 techniques. Output will be via stdout.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
exe_binary:
|
|
description: Output Binary
|
|
type: path
|
|
default: PathToAtomicsFolder\T1055.004\bin\T1055.exe
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
#{exe_binary} must be exist on system.
|
|
prereq_command: |
|
|
if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.004/bin/T1055.exe" -OutFile "#{exe_binary}"
|
|
executor:
|
|
command: |
|
|
"#{exe_binary}"
|
|
name: command_prompt
|
|
- name: EarlyBird APC Queue Injection in Go
|
|
auto_generated_guid: 73785dd2-323b-4205-ab16-bb6f06677e14
|
|
description: |
|
|
Creates a process in a suspended state and calls QueueUserAPC WinAPI to add a UserAPC to the child process that points to allocated shellcode.
|
|
ResumeThread is called which then calls NtTestAlert to execute the created UserAPC which then executes the shellcode.
|
|
This technique allows for the early execution of shellcode and potentially before AV/EDR can hook functions to support detection.
|
|
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
|
|
- References:
|
|
- https://www.bleepingcomputer.com/news/security/early-bird-code-injection-technique-helps-malware-stay-undetected/
|
|
- https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
spawn_process_path:
|
|
description: Path of the binary to spawn
|
|
type: string
|
|
default: C:\Windows\System32\werfault.exe
|
|
spawn_process_name:
|
|
description: Name of the process to spawn
|
|
type: string
|
|
default: werfault
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
$PathToAtomicsFolder\T1055.004\bin\x64\EarlyBird.exe -program "#{spawn_process_path}" -debug
|
|
cleanup_command: |
|
|
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
|
|
Stop-Process -Name "#{spawn_process_name}" -ErrorAction SilentlyContinue
|
|
- name: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI
|
|
auto_generated_guid: 4cc571b1-f450-414a-850f-879baf36aa06
|
|
description: |
|
|
Uses the undocumented NtQueueAPCThreadEx WinAPI to create a "Special User APC" in the current thread of the current process to execute shellcode.
|
|
Since the shellcode is loaded and executed in the current process it is considered local shellcode execution.
|
|
|
|
Steps taken with this technique
|
|
1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
|
|
2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
|
|
3. Change the memory page permissions to Execute/Read with VirtualProtect
|
|
4. Get a handle to the current thread
|
|
5. Execute the shellcode in the current thread by creating a Special User APC through the NtQueueApcThreadEx function
|
|
|
|
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)
|
|
- References:
|
|
- https://repnz.github.io/posts/apc/user-apc/
|
|
- https://docs.rs/ntapi/0.3.1/ntapi/ntpsapi/fn.NtQueueApcThreadEx.html
|
|
- https://0x00sec.org/t/process-injection-apc-injection/24608
|
|
- https://twitter.com/aionescu/status/992264290924032005
|
|
- http://www.opening-windows.com/techart_windows_vista_apc_internals2.htm#_Toc229652505
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
$PathToAtomicsFolder\T1055.004\bin\x64\NtQueueApcThreadEx.exe -debug
|
|
cleanup_command: |
|
|
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue |