Mr B0b
45 lines
1.4 KiB
YAML
45 lines
1.4 KiB
YAML
---
|
|
attack_technique: T1502
|
|
display_name: Parent PID Spoofing
|
|
|
|
atomic_tests:
|
|
- name: Parent PID Spoofing using PowerShell
|
|
description: |
|
|
This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process.
|
|
Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1)
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
parent_process_name:
|
|
description: Name of the parent process
|
|
type: string
|
|
default: "explorer"
|
|
dll_path:
|
|
description: Path of the dll to inject
|
|
type: string
|
|
default: $PathToAtomicsFolder\T1502\bin\calc.dll
|
|
dll_process_name:
|
|
description: Name of the created process from the injected dll
|
|
type: string
|
|
default: "calculator"
|
|
spawnto_process_path:
|
|
description: Path of the process to spawn
|
|
type: string
|
|
default: C:\Program Files\Internet Explorer\iexplore.exe
|
|
spawnto_process_name:
|
|
description: Name of the process to spawn
|
|
type: string
|
|
default: "iexplore"
|
|
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
. $PathToAtomicsFolder\T1502\src\PPID-Spoof.ps1
|
|
$ppid=Get-Process #{parent_process_name} | select -expand id
|
|
PPID-Spoof -ppid $ppid -spawnto "#{spawnto_process_path}" -dllpath "#{dll_path}"
|
|
cleanup_command: |
|
|
Stop-Process -Name "#{dll_process_name}"
|
|
Stop-Process -Name "#{spawnto_process_name}" |