T1055.002 - Process Injection: Portable Executable Injection

Description from ATT&CK

Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.

Atomic Tests

Atomic Test #1 - Portable Executable Injection

This test injects a portable executable into a remote Notepad process memory using Portable Executable Injection and base-address relocation techniques. When successful, a message box will appear with the title “Warning” and the content “Atomic Red Team” after a few seconds.
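The way to confirm a detection after running this test is to look at Sysmon Event ID 8 (CreateRemoteThread): the injector creates a thread in notepad.exe whose start address lies in freshly allocated memory, so Sysmon reports it with an empty StartModule. The following PowerShell is an added example and not part of the Atomic Red Team test or its repository; the field names follow the Sysmon Event 8 schema, and the sample events, paths and addresses are constructed for offline use.

```powershell
# Added example (not Atomic Red Team code): flag Sysmon Event ID 8 records that
# show a remote thread started in notepad.exe from an address not backed by a
# loaded module, which is what this atomic produces on a host running Sysmon.

function ConvertFrom-SysmonEvent8 {
    # Flatten a Get-WinEvent record into one object carrying the Event 8 data
    # fields (SourceImage, TargetImage, StartAddress, StartModule, ...).
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $xml   = [xml] $Record.ToXml()
    $props = @{ TimeCreated = $Record.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
    [pscustomobject] $props
}

function Test-SuspiciousRemoteThread {
    # $true when the event looks like injection into Notepad: the target is
    # notepad.exe, the creating process is a different image, and the thread
    # start address is not inside any loaded module (blank StartModule).
    param([Parameter(Mandatory)] $Event)
    $targetIsNotepad = $Event.TargetImage -match '\\notepad\.exe$'
    $crossProcess    = $Event.SourceImage -ne $Event.TargetImage
    $unbackedStart   = [string]::IsNullOrWhiteSpace($Event.StartModule)
    return ($targetIsNotepad -and $crossProcess -and $unbackedStart)
}

# Constructed sample events (assumed values, not captured from a real host).
$SampleEvents = @(
    [pscustomobject]@{ SourceImage = 'C:\Users\lab\Desktop\RedInjection.exe';  TargetImage = 'C:\Windows\System32\notepad.exe'; StartAddress = '0x000001F2B4A60000'; StartModule = '';                               StartFunction = '' }
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\csrss.exe';           TargetImage = 'C:\Windows\System32\notepad.exe'; StartAddress = '0x00007FFB1A2D3E40'; StartModule = 'C:\Windows\System32\ntdll.dll';   StartFunction = 'RtlUserThreadStart' }
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\notepad.exe';         TargetImage = 'C:\Windows\System32\notepad.exe'; StartAddress = '0x00007FF7C1234560'; StartModule = 'C:\Windows\System32\notepad.exe'; StartFunction = '' }
)

# Only the first sample (unbacked start address, foreign source image) is reported.
$SampleEvents | Where-Object { Test-SuspiciousRemoteThread $_ } |
    Select-Object SourceImage, TargetImage, StartAddress

# On a real host, after running the atomic (requires Sysmon with a
# CreateRemoteThread rule that covers notepad.exe):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 8; StartTime = (Get-Date).AddMinutes(-10) } |
#     ForEach-Object { ConvertFrom-SysmonEvent8 $_ } |
#     Where-Object { Test-SuspiciousRemoteThread $_ }
```

The blank StartModule check is the discriminating signal: legitimate remote threads (the csrss.exe sample) start in a mapped DLL, while a thread pointed at an injected image starts in private memory that no module backs.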

Supported Platforms: Windows

auto_generated_guid: 578025d5-faa9-4f6d-8390-aae739d503e1

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_binary | PE binary | path | PathToAtomicsFolder\T1055.002\bin\RedInjection.exe |

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

```powershell
Start-Process "#{exe_binary}"
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
```

Cleanup Commands:

```powershell
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
```

Dependencies: Run with powershell!

Description: Portable Executable to inject must exist at specified location (#{exe_binary})

Check Prereq Commands:

```powershell
if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.002/bin/RedInjection.exe" -OutFile "#{exe_binary}"
```