redcanaryco / atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK.
MIT License

Idea: new process injection technique #2518

Closed thomasxm closed 1 year ago

thomasxm commented 1 year ago

Use-cases

I have re-coded the Dirty Vanity technique presented at BlackHat Europe 2022. The code can spawn a calculator or a notepad. I believe this could be an add-on to the process injection module. Dirty Vanity can be run on Windows 10 and Windows 11 (latest versions, tested by me). The Dirty Vanity code is very stable, without any errors or slowing down the system, and it leaves no traces except logs. The order of the APIs being called made this technique evasive to the majority of the anti-viruses I tested with.

Proposal

I can add this new technique to Atomic Red Team under the process injection technique. Would this be something the Atomic Red Team community is interested in? I don't want to do something that may already have been considered or is not of interest at all. Thank you.

References

Eliran Nissan, "Dirty Vanity: A New Approach to Code Injection & EDR Bypass", BlackHat Europe 2022. https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Nissan-DirtyVanity.pdf

clr2of8 commented 1 year ago

Hey, I think this is a great idea and we would love to have you contribute it. 💯