Hare Sudhan 62a85c12b5 FreeBSD changes (#2585)
* freebsd changes

* renaming freebsd to linux
2023-11-06 17:41:43 -05:00

# Atomic Red Team test definitions for technique T1140
# (Deobfuscate/Decode Files or Information). Every entry under
# atomic_tests is a self-contained test with its own executor block.
attack_technique: T1140
display_name: 'Deobfuscate/Decode Files or Information'
atomic_tests:
- name: Deobfuscate/Decode Files Or Information
  auto_generated_guid: dc6fe391-69e6-4506-bd06-ea5eeb4082f8
  description: |
    Encode/Decode executable
    Upon execution a file named T1140_calc_decoded.exe will be placed in the temp folder
  supported_platforms:
  - windows
  input_arguments:
    executable:
      description: name of executable
      type: path
      default: C:\Windows\System32\calc.exe
  executor:
    name: command_prompt
    # certutil encodes the input executable to a text file in %temp% and
    # decodes that file back into a second executable in the same folder.
    command: |
      certutil -encode #{executable} %temp%\T1140_calc.txt
      certutil -decode %temp%\T1140_calc.txt %temp%\T1140_calc_decoded.exe
    # Removes both artifacts; output and errors (e.g. file already gone) are discarded.
    cleanup_command: |
      del %temp%\T1140_calc.txt >nul 2>&1
      del %temp%\T1140_calc_decoded.exe >nul 2>&1
- name: Certutil Rename and Decode
  auto_generated_guid: 71abc534-3c05-4d0c-80f7-cbe93cb2aa94
  description: |
    Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)
  supported_platforms:
  - windows
  input_arguments:
    executable:
      description: name of executable/file to decode
      type: path
      default: C:\Windows\System32\calc.exe
  executor:
    name: command_prompt
    # A copy of certutil.exe is placed in %temp% under a different name and
    # then used for the encode/decode round trip, so the process image name
    # on the command line is no longer "certutil".
    command: |
      copy %windir%\system32\certutil.exe %temp%\tcm.tmp
      %temp%\tcm.tmp -encode #{executable} %temp%\T1140_calc2.txt
      %temp%\tcm.tmp -decode %temp%\T1140_calc2.txt %temp%\T1140_calc2_decoded.exe
    # Removes the renamed copy and both generated files; errors are discarded.
    cleanup_command: |
      del %temp%\tcm.tmp >nul 2>&1
      del %temp%\T1140_calc2.txt >nul 2>&1
      del %temp%\T1140_calc2_decoded.exe >nul 2>&1
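- name: Base64 decoding with Python
  auto_generated_guid: 356dc0e8-684f-4428-bb94-9313998ad608
  description: |
    Use Python to decode a base64-encoded text string and echo it to the console
  supported_platforms:
  - linux
  - macos
  input_arguments:
    message:
      description: Message to print to the screen
      type: string
      default: Hello from Atomic Red Team test T1140!
    encoded_file:
      description: File to temporarily save encoded text
      type: path
      default: /tmp/T1140.encoded
  dependencies:
  - description: |
      Python must be present
    prereq_command: |
      which python3
    get_prereq_command: |
      echo "Please install Python 3"
  executor:
    name: sh
    elevation_required: false
    # The first line produces ENCODED; each following line decodes the same
    # value through a different import form and input channel (inline string,
    # stdin, file), so detection logic keyed on one exact command line can be
    # checked against the equivalent variants.
    command: |
      ENCODED=$(python3 -c 'import base64;enc=base64.b64encode("#{message}".encode());print(enc.decode())')
      python3 -c "import base64;dec=base64.b64decode(\"$ENCODED\");print(dec.decode())"
      python3 -c "import base64 as d;dec=d.b64decode(\"$ENCODED\");print(dec.decode())"
      python3 -c "from base64 import b64decode;dec=b64decode(\"$ENCODED\");print(dec.decode())"
      python3 -c "from base64 import b64decode as d;dec=d(\"$ENCODED\");print(dec.decode())"
      echo $ENCODED | python3 -c "import base64,sys;dec=base64.b64decode(sys.stdin.read());print(dec.decode())"
      echo $ENCODED > #{encoded_file} && python3 -c "import base64;dec=base64.b64decode(open('#{encoded_file}').read());print(dec.decode())"
    # The last command line writes #{encoded_file}; remove it so the test leaves no artifact.
    cleanup_command: |
      rm -f #{encoded_file}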
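- name: Base64 decoding with Perl
  auto_generated_guid: 6604d964-b9f6-4d4b-8ce8-499829a14d0a
  description: |
    Use Perl to decode a base64-encoded text string and echo it to the console
  supported_platforms:
  - linux
  - macos
  input_arguments:
    message:
      description: Message to print to the screen
      type: string
      default: Hello from Atomic Red Team test T1140!
    encoded_file:
      description: File to temporarily save encoded text
      type: path
      default: /tmp/T1140.encoded
  dependencies:
  - description: |
      Perl must be present
    prereq_command: |
      which perl
    get_prereq_command: |
      echo "Please install Perl"
  executor:
    name: sh
    elevation_required: false
    # Same decode through three input channels: inline argument, stdin, file.
    command: |
      ENCODED=$(perl -e "use MIME::Base64;print(encode_base64('#{message}'));")
      perl -le "use MIME::Base64;print(decode_base64('$ENCODED'));"
      echo $ENCODED | perl -le 'use MIME::Base64;print(decode_base64(<STDIN>));'
      echo $ENCODED > #{encoded_file} && perl -le 'use MIME::Base64;open($f,"<","#{encoded_file}");print(decode_base64(<$f>));'
    # The file variant writes #{encoded_file}; remove it afterwards.
    cleanup_command: |
      rm -f #{encoded_file}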
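- name: Base64 decoding with shell utilities
  auto_generated_guid: b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e
  description: |
    Use common shell utilities to decode a base64-encoded text string and echo it to the console
  supported_platforms:
  - linux
  - macos
  input_arguments:
    message:
      description: Message to print to the screen
      type: string
      default: Hello from Atomic Red Team test T1140!
    encoded_file:
      description: File to temporarily save encoded text
      type: path
      default: /tmp/T1140.encoded
  executor:
    name: sh
    elevation_required: false
    # Every line after the first decodes ENCODED with base64 -d, varying only
    # how the input reaches it (printf/echo, file argument, redirect, cat, and a
    # brace-expansion form that avoids a literal "base64 -d" token on the bash line).
    command: |
      ENCODED=$(echo '#{message}' | base64)
      printf $ENCODED | base64 -d
      echo $ENCODED | base64 -d
      echo $(echo $ENCODED) | base64 -d
      echo $ENCODED > #{encoded_file} && base64 -d #{encoded_file}
      echo $ENCODED > #{encoded_file} && base64 -d < #{encoded_file}
      echo $ENCODED > #{encoded_file} && cat #{encoded_file} | base64 -d
      echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | base64 -d
      bash -c "{echo,\"$(echo $ENCODED)\"}|{base64,-d}"
    # Several variants write #{encoded_file}; remove it afterwards.
    cleanup_command: |
      rm -f #{encoded_file}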
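- name: Base64 decoding with shell utilities (freebsd)
  auto_generated_guid: b6097712-c42e-4174-b8f2-4b1e1a5bbb3d
  description: |
    Use common shell utilities to decode a base64-encoded text string and echo it to the console
  # NOTE(review): the platform label is linux (the commit renamed it from
  # freebsd), but the executor depends on b64encode/b64decode, the FreeBSD
  # uuencode-family tools, which are not generally present on Linux hosts —
  # confirm on the intended targets. The dependency check below reports that
  # up front instead of failing mid-run.
  supported_platforms:
  - linux
  input_arguments:
    message:
      description: Message to print to the screen
      type: string
      default: Hello from Atomic Red Team test T1140!
    encoded_file:
      description: File to temporarily save encoded text
      type: path
      default: /tmp/T1140.encoded
  dependencies:
  - description: |
      b64decode must be present
    prereq_command: |
      which b64decode
    get_prereq_command: |
      echo "please install b64decode"
  executor:
    name: sh
    elevation_required: false
    # Every line after the first decodes ENCODED back to the message through a
    # different input channel; the file-argument form is b64decode -r FILE
    # (the sibling tests use the matching "base64 -d FILE" / "xxd -r -p FILE").
    command: |
      ENCODED=$(echo '#{message}' | b64encode -r -)
      printf $ENCODED | b64decode -r
      echo $ENCODED | b64decode -r
      echo $(echo $ENCODED) | b64decode -r
      echo $ENCODED > #{encoded_file} && b64decode -r #{encoded_file}
      echo $ENCODED > #{encoded_file} && b64decode -r < #{encoded_file}
      echo $ENCODED > #{encoded_file} && cat #{encoded_file} | b64decode -r
      echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | b64decode -r
    # Several variants write #{encoded_file}; remove it afterwards.
    cleanup_command: |
      rm -f #{encoded_file}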
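- name: FreeBSD b64encode Shebang in CLI
  auto_generated_guid: 18ee2002-66e8-4518-87c5-c0ec9c8299ac
  description: |
    Using b64decode shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it.
  supported_platforms:
  - linux
  # The descriptions below are quoted: an unquoted " #" starts a YAML comment,
  # which would silently truncate each value to "Encoded".
  input_arguments:
    bash_encoded:
      description: 'Encoded #!/bin/bash script'
      type: string
      default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
    dash_encoded:
      description: 'Encoded #!/bin/dash script'
      type: string
      default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
    fish_encoded:
      description: 'Encoded #!/bin/fish script'
      type: string
      # Constructed value: the same echo payload as the other arguments with a
      # "#!/bin/fish" shebang, so this variant actually carries the fish prefix
      # its description promises rather than duplicating the dash payload.
      default: IyEvYmluL2Zpc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
    sh_encoded:
      description: 'Encoded #!/bin/sh script'
      type: string
      default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK
  dependencies:
  - description: |
      b64decode must be present
    prereq_command: |
      which b64decode
    get_prereq_command: |
      echo "please install b64decode"
  executor:
    name: sh
    elevation_required: false
    # sh executes the decoded script regardless of its shebang line; the shebang
    # only changes the base64 prefix that appears on the command line, which is
    # presumably what shebang-prefix detections such as the linked Sigma rule key on.
    command: |
      echo #{bash_encoded} | b64decode -r | sh
      echo #{dash_encoded} | b64decode -r | sh
      echo #{fish_encoded} | b64decode -r | sh
      echo #{sh_encoded} | b64decode -r | sh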
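- name: Hex decoding with shell utilities
  auto_generated_guid: 005943f9-8dd5-4349-8b46-0313c0a9f973
  description: |
    Use common shell utilities to decode a hex-encoded text string and echo it to the console
  supported_platforms:
  - linux
  - macos
  input_arguments:
    message:
      description: Message to print to the screen
      type: string
      default: Hello from Atomic Red Team test T1140!
    encoded_file:
      description: File to temporarily save encoded text
      type: path
      default: /tmp/T1140.encoded
  dependencies:
  - description: |
      xxd must be present
    prereq_command: |
      which xxd
    get_prereq_command: |
      echo "Please install xxd"
  executor:
    name: sh
    elevation_required: false
    # xxd -ps -c 256 emits the message as one plain hex line; every following
    # line reverses it with xxd -r -p, varying only the input channel.
    command: |
      ENCODED=$(echo '#{message}' | xxd -ps -c 256)
      printf $ENCODED | xxd -r -p
      echo $ENCODED | xxd -r -p
      echo $(echo $ENCODED) | xxd -r -p
      echo $ENCODED > #{encoded_file} && xxd -r -p #{encoded_file}
      echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
      echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
      echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
    # Several variants write #{encoded_file}; remove it afterwards.
    cleanup_command: |
      rm -f #{encoded_file}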
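- name: Linux Base64 Encoded Shebang in CLI
  auto_generated_guid: 3a15c372-67c1-4430-ac8e-ec06d641ce4d
  description: |
    Using Linux Base64 Encoded shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it.
  supported_platforms:
  - linux
  - macos
  # The descriptions below are quoted: an unquoted " #" starts a YAML comment,
  # which would silently truncate each value to "Encoded".
  input_arguments:
    bash_encoded:
      description: 'Encoded #!/bin/bash script'
      type: string
      default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
    dash_encoded:
      description: 'Encoded #!/bin/dash script'
      type: string
      default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
    fish_encoded:
      description: 'Encoded #!/bin/fish script'
      type: string
      # Constructed value: the same echo payload as the other arguments with a
      # "#!/bin/fish" shebang, so this variant actually carries the fish prefix
      # its description promises rather than duplicating the dash payload.
      default: IyEvYmluL2Zpc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
    sh_encoded:
      description: 'Encoded #!/bin/sh script'
      type: string
      default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK
  dependencies:
  - description: |
      base64 must be present
    prereq_command: |
      which base64
    get_prereq_command: |
      echo "please install base64"
  executor:
    name: sh
    elevation_required: false
    # bash executes the decoded script regardless of its shebang line; the
    # shebang only changes the base64 prefix that appears on the command line,
    # which is presumably what shebang-prefix detections such as the linked Sigma rule key on.
    command: |
      echo #{bash_encoded} | base64 -d | bash
      echo #{dash_encoded} | base64 -d | bash
      echo #{fish_encoded} | base64 -d | bash
      echo #{sh_encoded} | base64 -d | bash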
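- name: 'XOR decoding and command execution using Python'
  auto_generated_guid: c3b65cd5-ee51-4e98-b6a3-6cbdec138efc
  description: An adversary can obfuscate malicious commands or payloads using XOR and execute them on the victim's machine. This test uses Python to decode and execute commands on the machine.
  supported_platforms:
  - linux
  - macos
  input_arguments:
    xor_key:
      description: 'Key used to decrypt the command'
      type: string
      default: waEHleblxiQjoxFJQaIMLdHKz
    encrypted_command:
      description: Encrypted command that will be executed
      type: string
      default: AAkqKQEM
  dependency_executor_name: bash
  dependencies:
  - description: Python3 must be installed
    prereq_command: which python3
    get_prereq_command: echo "Install Python3"
  executor:
    name: bash
    elevation_required: false
    # Folded block (>-): the lines join with single spaces into the one-line
    # python3 -c invocation, so no YAML escaping of the inner quotes is needed.
    # NOTE(review): zip() stops at the shorter of payload and key, so an
    # encrypted_command longer than xor_key is silently truncated; the defaults fit.
    command: >-
      python3 -c 'import base64; import subprocess;
      xor_decrypt = lambda text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()), key)]);
      command = "#{encrypted_command}"; key = "#{xor_key}";
      exec = xor_decrypt(command, key); subprocess.call(exec, shell=True)'
    # No artifacts are written, so there is nothing to clean up.
    cleanup_command: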