T1055.002
Process Injection: Portable Executable Injection
Description from ATT&CK
Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.
PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017)
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.
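The write-then-CreateRemoteThread pattern described above leaves a telemetry footprint: the new thread's start address lies in memory the injector allocated, so no loaded module backs it. The following Python is an added detection-side example, not code from the Atomic Red Team test or the ATT&CK description. It parses Sysmon Event ID 8 (CreateRemoteThread) records, which really carry `SourceImage`, `TargetImage`, `StartAddress`, `StartModule` and `StartFunction` fields, and flags records whose start address resolves to no module. The three event records, the PIDs, GUID-free timestamps, the `ExampleVendor` paths and the injector path are all constructed sample data, not captured telemetry.

```python
"""Detection-side example for T1055.002: flag CreateRemoteThread events whose
thread start address is not backed by any loaded module.

Added example, not code from the Atomic Red Team test or the ATT&CK text. It
parses Sysmon Event ID 8 (CreateRemoteThread) records; the records below are
constructed sample data (made-up PIDs, times and paths), not captured telemetry.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sysmon writes its events in the standard Windows event XML namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample 1: a remote thread whose start address resolves to a
# function inside a loaded (hypothetical vendor) DLL. Expected: no finding.
BENIGN_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID><Computer>WORKSTATION01</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-01-15 10:00:01.000</Data>
    <Data Name="SourceProcessId">4120</Data>
    <Data Name="SourceImage">C:\Program Files\ExampleVendor\agent.exe</Data>
    <Data Name="TargetProcessId">2280</Data>
    <Data Name="TargetImage">C:\Program Files\ExampleVendor\service.exe</Data>
    <Data Name="NewThreadId">7044</Data>
    <Data Name="StartAddress">0x00007FFE1A2B3C40</Data>
    <Data Name="StartModule">C:\Program Files\ExampleVendor\helper.dll</Data>
    <Data Name="StartFunction">WorkerEntry</Data>
  </EventData>
</Event>"""

# Constructed sample 2: roughly what the Atomic test on this page would produce.
# The injected PE sits in memory the injector allocated, so no loaded module
# backs the thread start address and Sysmon records "-" for module and function.
INJECTION_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID><Computer>WORKSTATION01</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-01-15 10:05:12.000</Data>
    <Data Name="SourceProcessId">5532</Data>
    <Data Name="SourceImage">C:\AtomicRedTeam\atomics\T1055.002\bin\RedInjection.exe</Data>
    <Data Name="TargetProcessId">6116</Data>
    <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
    <Data Name="NewThreadId">6120</Data>
    <Data Name="StartAddress">0x0000020E4F7D0000</Data>
    <Data Name="StartModule">-</Data>
    <Data Name="StartFunction">-</Data>
  </EventData>
</Event>"""

# Constructed sample 3: a different Sysmon event type, to show it is skipped.
OTHER_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>10</EventID></System>
  <EventData><Data Name="SourceImage">C:\Windows\System32\svchost.exe</Data></EventData>
</Event>"""


@dataclass
class Finding:
    utc_time: str
    source_image: str
    target_image: str
    start_address: str
    reason: str


def parse_sysmon_event(xml_text: str) -> Tuple[int, Dict[str, str]]:
    """Return (EventID, {Data Name: value}) for one Sysmon event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", default="0", namespaces=NS))
    data = {
        d.get("Name", ""): (d.text or "").strip()
        for d in root.findall("e:EventData/e:Data", NS)
    }
    return event_id, data


def is_unbacked(value: str) -> bool:
    """Sysmon records '-' (or nothing) when an address maps to no loaded module."""
    return value.strip() in ("", "-")


def find_unbacked_remote_threads(events: List[str]) -> List[Finding]:
    """Flag Event ID 8 records whose new thread starts outside any loaded module.

    Legitimate remote threads almost always start at a function of a mapped
    DLL; a start address with no backing module is the footprint of code copied
    into the target with WriteProcessMemory. JIT runtimes and some packers also
    run from unbacked memory, so treat this as a triage signal and combine it
    with source/target process context rather than alerting on it alone.
    """
    findings: List[Finding] = []
    for xml_text in events:
        event_id, d = parse_sysmon_event(xml_text)
        if event_id != 8:
            continue
        if is_unbacked(d.get("StartModule", "")):
            findings.append(Finding(
                utc_time=d.get("UtcTime", ""),
                source_image=d.get("SourceImage", ""),
                target_image=d.get("TargetImage", ""),
                start_address=d.get("StartAddress", ""),
                reason="remote thread start address not backed by a loaded module",
            ))
    return findings


if __name__ == "__main__":
    for f in find_unbacked_remote_threads([BENIGN_EVENT, INJECTION_EVENT, OTHER_EVENT]):
        print(f"{f.utc_time} {f.source_image} -> {f.target_image} @ {f.start_address}: {f.reason}")
```

Run against a real export, each `<Event>` element from an evtx-to-XML dump can be passed as one string; only the `StartModule` check is needed for the core signal, and `SourceImage`/`TargetImage` are carried along so an analyst can see the injector and the hollowed-into process (here Notepad) in the same line.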
Atomic Tests
Atomic Test #1 - Portable Executable Injection
This test injects a portable executable into a remote Notepad process memory using Portable Executable Injection and base-address relocation techniques. When successful, a message box will appear with the title "Warning" and the content "Atomic Red Team" after a few seconds.
Supported Platforms: windows
auto_generated_guid: 578025d5-faa9-4f6d-8390-aae739d503e1
Inputs:
Name | Description | Type | Default Value
---|---|---|---
exe_binary | PE binary | path | PathToAtomicsFolder\T1055.002\bin\RedInjection.exe
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
```powershell
Start-Process "#{exe_binary}"
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
```
Cleanup Commands:
```powershell
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force
```
Dependencies: Run with powershell!
Description: Portable Executable to inject must exist at specified location (#{exe_binary})
Check Prereq Commands:
```powershell
if (Test-Path "#{exe_binary}") {exit 0} else {exit 1}
```
Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{exe_binary}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.002/bin/RedInjection.exe" -OutFile "#{exe_binary}"
```