Add T1055.015 listPlanting test

atomics/T1055.015/T1055.015.md

@@ -0,0 +1,65 @@
+# T1055.002 - Process Injection: Portable Executable Injection
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1055/002)
+<blockquote>Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. 
+
+PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as <code>VirtualAllocEx</code> and <code>WriteProcessMemory</code>, then invoked with <code>CreateRemoteThread</code> or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017) 
+
+Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process. </blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Portable Executable Injection](#atomic-test-1---portable-executable-injection)
+
+
+<br/>
+
+## Atomic Test #1 - Portable Executable Injection
+This test injects a portable executable into a remote Notepad process memory using Portable Executable Injection and base-address relocation techniques. When successful, a message box will appear with the title "Warning" and the content "Atomic Red Team" after a few seconds.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 578025d5-faa9-4f6d-8390-aae739d503e1
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| exe_binary | PE binary | path | PathToAtomicsFolder&#92;T1055.002&#92;bin&#92;RedInjection.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Start-Process "#{exe_binary}"
+Start-Sleep -Seconds 7
+Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
+```
+
+#### Cleanup Commands:
+```powershell
+Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Portable Executable to inject must exist at specified location (#{exe_binary})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.002/bin/RedInjection.exe" -OutFile "#{exe_binary}"
+```
+
+
+
+
+<br/>

atomics/T1055.015/T1055.015.yaml

@@ -0,0 +1,29 @@
+attack_technique: T1055.015
+display_name: 'Process Injection: ListPlanting'
+atomic_tests:
+- name: Process injection ListPlanting
+  description: 'This test injects shellcode into a remote RegEdit process using the ListPlanting technique. ListPlanting exploits Window with ListView control. Code write to memory with NtWriteVirtualMemory. The shellcode is executed via PostMessage. When successful, a message box will appear with the title "Warning" and the content "Atomic Red Team" after a few seconds. Notepad will open following the appearance of the message box.'
+  supported_platforms:
+  - windows
+  input_arguments:
+    exe_binary:
+      description: PE binary
+      type: path
+      default: PathToAtomicsFolder\T1055.015\bin\ListPlanting.exe
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Injector ListPlanting.exe must exist at specified location (#{exe_binary})
+    prereq_command: |
+      if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.015/bin/ListPlanting.exe" -OutFile "#{exe_binary}"
+  executor:
+    command: |-
+      Start-Process "#{exe_binary}"
+      Start-Sleep -Seconds 7
+      Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
+    cleanup_command: 'Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force'
+    name: powershell
+    elevation_required: true

atomics/T1055.015/src/build.bat

@@ -0,0 +1 @@
+cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /listPlanting.c /link /OUT:ListPlanting.exe.exe /SUBSYSTEM:CONSOLE /MACHINE:x64