Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -180,6 +180,7 @@ defense-evasion,T1055,Process Injection,9,Remote Process Injection with Go using
 defense-evasion,T1055,Process Injection,10,Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively),2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39,powershell
 defense-evasion,T1055,Process Injection,11,Process Injection with Go using CreateThread WinAPI,2871ed59-3837-4a52-9107-99500ebc87cb,powershell
 defense-evasion,T1055,Process Injection,12,Process Injection with Go using CreateThread WinAPI (Natively),2a3c7035-d14f-467a-af94-933e49fe6786,powershell
+defense-evasion,T1055,Process Injection,13,UUID custom process Injection,0128e48e-8c1a-433a-a11a-a5304734f1e1,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,2,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,3,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
@@ -678,6 +679,7 @@ privilege-escalation,T1055,Process Injection,9,Remote Process Injection with Go
 privilege-escalation,T1055,Process Injection,10,Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively),2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39,powershell
 privilege-escalation,T1055,Process Injection,11,Process Injection with Go using CreateThread WinAPI,2871ed59-3837-4a52-9107-99500ebc87cb,powershell
 privilege-escalation,T1055,Process Injection,12,Process Injection with Go using CreateThread WinAPI (Natively),2a3c7035-d14f-467a-af94-933e49fe6786,powershell
+privilege-escalation,T1055,Process Injection,13,UUID custom process Injection,0128e48e-8c1a-433a-a11a-a5304734f1e1,powershell
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
 privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -104,6 +104,7 @@ defense-evasion,T1055,Process Injection,9,Remote Process Injection with Go using
 defense-evasion,T1055,Process Injection,10,Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively),2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39,powershell
 defense-evasion,T1055,Process Injection,11,Process Injection with Go using CreateThread WinAPI,2871ed59-3837-4a52-9107-99500ebc87cb,powershell
 defense-evasion,T1055,Process Injection,12,Process Injection with Go using CreateThread WinAPI (Natively),2a3c7035-d14f-467a-af94-933e49fe6786,powershell
+defense-evasion,T1055,Process Injection,13,UUID custom process Injection,0128e48e-8c1a-433a-a11a-a5304734f1e1,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,2,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,3,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
@@ -465,6 +466,7 @@ privilege-escalation,T1055,Process Injection,9,Remote Process Injection with Go
 privilege-escalation,T1055,Process Injection,10,Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively),2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39,powershell
 privilege-escalation,T1055,Process Injection,11,Process Injection with Go using CreateThread WinAPI,2871ed59-3837-4a52-9107-99500ebc87cb,powershell
 privilege-escalation,T1055,Process Injection,12,Process Injection with Go using CreateThread WinAPI (Natively),2a3c7035-d14f-467a-af94-933e49fe6786,powershell
+privilege-escalation,T1055,Process Injection,13,UUID custom process Injection,0128e48e-8c1a-433a-a11a-a5304734f1e1,powershell
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
 privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -230,6 +230,7 @@
   - Atomic Test #10: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) [windows]
   - Atomic Test #11: Process Injection with Go using CreateThread WinAPI [windows]
   - Atomic Test #12: Process Injection with Go using CreateThread WinAPI (Natively) [windows]
+  - Atomic Test #13: UUID custom process Injection [windows]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
   - Atomic Test #1: mavinject - Inject DLL into running process [windows]
@@ -898,6 +899,7 @@
   - Atomic Test #10: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) [windows]
   - Atomic Test #11: Process Injection with Go using CreateThread WinAPI [windows]
   - Atomic Test #12: Process Injection with Go using CreateThread WinAPI (Natively) [windows]
+  - Atomic Test #13: UUID custom process Injection [windows]
 - [T1611 Escape to Host](../../T1611/T1611.md)
   - Atomic Test #1: Deploy container using nsenter container escape [containers]
   - Atomic Test #2: Mount host filesystem to escape privileged Docker container [containers]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -143,6 +143,7 @@
   - Atomic Test #10: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) [windows]
   - Atomic Test #11: Process Injection with Go using CreateThread WinAPI [windows]
   - Atomic Test #12: Process Injection with Go using CreateThread WinAPI (Natively) [windows]
+  - Atomic Test #13: UUID custom process Injection [windows]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
   - Atomic Test #1: mavinject - Inject DLL into running process [windows]
@@ -635,6 +636,7 @@
   - Atomic Test #10: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) [windows]
   - Atomic Test #11: Process Injection with Go using CreateThread WinAPI [windows]
   - Atomic Test #12: Process Injection with Go using CreateThread WinAPI (Natively) [windows]
+  - Atomic Test #13: UUID custom process Injection [windows]
 - T1611 Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1547.009 Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md)
   - Atomic Test #1: Shortcut Modification [windows]

atomics/Indexes/index.yaml

@@ -8681,7 +8681,46 @@ defense-evasion:
         name: powershell
         elevation_required: false
         command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThreadNative.exe -debug\n"
-        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: UUID custom process Injection
+      auto_generated_guid: '0128e48e-8c1a-433a-a11a-a5304734f1e1'
+      description: |
+        The UUIDs Process Injection code was first introduced by the NCC Group. The code can be stored in UUID forms on the heap and converted back to binary via UuidFromStringA at runtime. In this new custom version of UUID injection, EnumSystemLocalesA is the only API called to execute the code. We used custom UuidToString and UuidFromString implementations to avoid using UuidFromStringA and RPCRT4.dll, thereby eliminating the static signatures. This technique also avoided the use of VirtualAlloc, WriteProcessMemory and CreateThread
+
+        The injected shellcode will open a message box and a notepad.
+
+        Reference to NCC Group: https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/
+        Concept from: http://ropgadget.com/posts/abusing_win_functions.html
+      supported_platforms:
+      - windows
+      input_arguments:
+        exe_binary:
+          description: PE binary
+          type: path
+          default: PathToAtomicsFolder\T1055\bin\x64\uuid_injection.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Portable Executable to inject must exist at specified location
+          (#{exe_binary})
+
+          '
+        prereq_command: 'if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/bin/x64/uuid_injection.exe" -OutFile "#{exe_binary}"
+      executor:
+        command: |-
+          Start-Process "#{exe_binary}"
+          Start-Sleep -Seconds 7
+          Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
+        cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
+          Stop-Process -Force
+        name: powershell
+        elevation_required: true
   T1205:
     technique:
       modified: '2022-10-19T23:08:40.603Z'
@@ -35063,7 +35102,46 @@ privilege-escalation:
         name: powershell
         elevation_required: false
         command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThreadNative.exe -debug\n"
-        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: UUID custom process Injection
+      auto_generated_guid: '0128e48e-8c1a-433a-a11a-a5304734f1e1'
+      description: |
+        The UUIDs Process Injection code was first introduced by the NCC Group. The code can be stored in UUID forms on the heap and converted back to binary via UuidFromStringA at runtime. In this new custom version of UUID injection, EnumSystemLocalesA is the only API called to execute the code. We used custom UuidToString and UuidFromString implementations to avoid using UuidFromStringA and RPCRT4.dll, thereby eliminating the static signatures. This technique also avoided the use of VirtualAlloc, WriteProcessMemory and CreateThread
+
+        The injected shellcode will open a message box and a notepad.
+
+        Reference to NCC Group: https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/
+        Concept from: http://ropgadget.com/posts/abusing_win_functions.html
+      supported_platforms:
+      - windows
+      input_arguments:
+        exe_binary:
+          description: PE binary
+          type: path
+          default: PathToAtomicsFolder\T1055\bin\x64\uuid_injection.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Portable Executable to inject must exist at specified location
+          (#{exe_binary})
+
+          '
+        prereq_command: 'if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/bin/x64/uuid_injection.exe" -OutFile "#{exe_binary}"
+      executor:
+        command: |-
+          Start-Process "#{exe_binary}"
+          Start-Sleep -Seconds 7
+          Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
+        cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
+          Stop-Process -Force
+        name: powershell
+        elevation_required: true
   T1611:
     technique:
       modified: '2023-04-15T16:21:04.265Z'

atomics/Indexes/windows-index.yaml

@@ -6659,7 +6659,46 @@ defense-evasion:
         name: powershell
         elevation_required: false
         command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThreadNative.exe -debug\n"
-        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: UUID custom process Injection
+      auto_generated_guid: '0128e48e-8c1a-433a-a11a-a5304734f1e1'
+      description: |
+        The UUIDs Process Injection code was first introduced by the NCC Group. The code can be stored in UUID forms on the heap and converted back to binary via UuidFromStringA at runtime. In this new custom version of UUID injection, EnumSystemLocalesA is the only API called to execute the code. We used custom UuidToString and UuidFromString implementations to avoid using UuidFromStringA and RPCRT4.dll, thereby eliminating the static signatures. This technique also avoided the use of VirtualAlloc, WriteProcessMemory and CreateThread
+
+        The injected shellcode will open a message box and a notepad.
+
+        Reference to NCC Group: https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/
+        Concept from: http://ropgadget.com/posts/abusing_win_functions.html
+      supported_platforms:
+      - windows
+      input_arguments:
+        exe_binary:
+          description: PE binary
+          type: path
+          default: PathToAtomicsFolder\T1055\bin\x64\uuid_injection.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Portable Executable to inject must exist at specified location
+          (#{exe_binary})
+
+          '
+        prereq_command: 'if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/bin/x64/uuid_injection.exe" -OutFile "#{exe_binary}"
+      executor:
+        command: |-
+          Start-Process "#{exe_binary}"
+          Start-Sleep -Seconds 7
+          Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
+        cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
+          Stop-Process -Force
+        name: powershell
+        elevation_required: true
   T1205:
     technique:
       modified: '2022-10-19T23:08:40.603Z'
@@ -29141,7 +29180,46 @@ privilege-escalation:
         name: powershell
         elevation_required: false
         command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThreadNative.exe -debug\n"
-        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: UUID custom process Injection
+      auto_generated_guid: '0128e48e-8c1a-433a-a11a-a5304734f1e1'
+      description: |
+        The UUIDs Process Injection code was first introduced by the NCC Group. The code can be stored in UUID forms on the heap and converted back to binary via UuidFromStringA at runtime. In this new custom version of UUID injection, EnumSystemLocalesA is the only API called to execute the code. We used custom UuidToString and UuidFromString implementations to avoid using UuidFromStringA and RPCRT4.dll, thereby eliminating the static signatures. This technique also avoided the use of VirtualAlloc, WriteProcessMemory and CreateThread
+
+        The injected shellcode will open a message box and a notepad.
+
+        Reference to NCC Group: https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/
+        Concept from: http://ropgadget.com/posts/abusing_win_functions.html
+      supported_platforms:
+      - windows
+      input_arguments:
+        exe_binary:
+          description: PE binary
+          type: path
+          default: PathToAtomicsFolder\T1055\bin\x64\uuid_injection.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Portable Executable to inject must exist at specified location
+          (#{exe_binary})
+
+          '
+        prereq_command: 'if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/bin/x64/uuid_injection.exe" -OutFile "#{exe_binary}"
+      executor:
+        command: |-
+          Start-Process "#{exe_binary}"
+          Start-Sleep -Seconds 7
+          Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
+        cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
+          Stop-Process -Force
+        name: powershell
+        elevation_required: true
   T1611:
     technique:
       modified: '2023-04-15T16:21:04.265Z'

atomics/T1055/T1055.md

@@ -32,6 +32,8 @@ More sophisticated samples may perform multiple process injections to segment mo
 
 - [Atomic Test #12 - Process Injection with Go using CreateThread WinAPI (Natively)](#atomic-test-12---process-injection-with-go-using-createthread-winapi-natively)
 
+- [Atomic Test #13 - UUID custom process Injection](#atomic-test-13---uuid-custom-process-injection)
+
 
 <br/>
 
@@ -623,4 +625,61 @@ Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #13 - UUID custom process Injection
+The UUIDs Process Injection code was first introduced by the NCC Group. The code can be stored in UUID forms on the heap and converted back to binary via UuidFromStringA at runtime. In this new custom version of UUID injection, EnumSystemLocalesA is the only API called to execute the code. We used custom UuidToString and UuidFromString implementations to avoid using UuidFromStringA and RPCRT4.dll, thereby eliminating the static signatures. This technique also avoided the use of VirtualAlloc, WriteProcessMemory and CreateThread
+
+The injected shellcode will open a message box and a notepad.
+
+Reference to NCC Group: https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/
+Concept from: http://ropgadget.com/posts/abusing_win_functions.html
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0128e48e-8c1a-433a-a11a-a5304734f1e1
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| exe_binary | PE binary | path | PathToAtomicsFolder&#92;T1055&#92;bin&#92;x64&#92;uuid_injection.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Start-Process "#{exe_binary}"
+Start-Sleep -Seconds 7
+Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
+```
+
+#### Cleanup Commands:
+```powershell
+Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Portable Executable to inject must exist at specified location (#{exe_binary})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/bin/x64/uuid_injection.exe" -OutFile "#{exe_binary}"
+```
+
+
+
+
 <br/>