Try it using Invoke-Atomic

Hijack Execution Flow: DLL Side-Loading

Description from ATT&CK

Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).

Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading) https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary

GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. Upon execution, calc.exe will be opened.

Supported Platforms: windows

auto_generated_guid: 65526037-7079-44a9-bda1-2cb624838040

Inputs:

Name Description Type Default Value
process_name Name of the created process String calculator.exe
gup_executable GUP is an open source signed binary used by Notepad++ for software updates Path PathToAtomicsFolder\T1574.002\bin\GUP.exe

Attack Commands: Run with command_prompt!

1
2
#{gup_executable}

Cleanup Commands:

1
2
taskkill /F /IM #{process_name} >nul 2>&1

Dependencies: Run with powershell!

Description: Gup.exe binary must exist on disk at specified location (#{gup_executable})

Check Prereq Commands:

1
2
if (Test-Path #{gup_executable}) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
3
New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}"

source