Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -134,6 +134,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,8,XOR decoding and command execution using Python,c3b65cd5-ee51-4e98-b6a3-6cbdec138efc,bash
 defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
 defense-evasion,T1562,Impair Defenses,2,Disable journal logging via systemctl utility,c3a377f9-1203-4454-aa35-9d391d34768f,sh
 defense-evasion,T1562,Impair Defenses,3,Disable journal logging via sed utility,12e5551c-8d5c-408e-b3e4-63f53b03379f,sh

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -39,6 +39,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,8,XOR decoding and command execution using Python,c3b65cd5-ee51-4e98-b6a3-6cbdec138efc,bash
 defense-evasion,T1562,Impair Defenses,2,Disable journal logging via systemctl utility,c3a377f9-1203-4454-aa35-9d391d34768f,sh
 defense-evasion,T1562,Impair Defenses,3,Disable journal logging via sed utility,12e5551c-8d5c-408e-b3e4-63f53b03379f,sh
 defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,2,Copy and Delete Mailbox Data on Linux,25e2be0e-96f7-4417-bd16-a4a2500e3802,bash

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -39,6 +39,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,8,XOR decoding and command execution using Python,c3b65cd5-ee51-4e98-b6a3-6cbdec138efc,bash
 defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,3,Copy and Delete Mailbox Data on macOS,3824130e-a6e4-4528-8091-3a52eeb540f6,bash
 defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,6,Copy and Modify Mailbox Data on macOS,8a0b1579-5a36-483a-9cde-0236983e1665,bash
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh

atomics/Indexes/Indexes-Markdown/index.md

@@ -190,6 +190,7 @@
   - Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
   - Atomic Test #6: Hex decoding with shell utilities [linux, macos]
   - Atomic Test #7: Linux Base64 Encoded Shebang in CLI [linux, macos]
+  - Atomic Test #8: XOR decoding and command execution using Python [linux, macos]
 - [T1562 Impair Defenses](../../T1562/T1562.md)
   - Atomic Test #1: Windows Disable LSA Protection [windows]
   - Atomic Test #2: Disable journal logging via systemctl utility [linux]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -61,6 +61,7 @@
   - Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
   - Atomic Test #6: Hex decoding with shell utilities [linux, macos]
   - Atomic Test #7: Linux Base64 Encoded Shebang in CLI [linux, macos]
+  - Atomic Test #8: XOR decoding and command execution using Python [linux, macos]
 - [T1562 Impair Defenses](../../T1562/T1562.md)
   - Atomic Test #2: Disable journal logging via systemctl utility [linux]
   - Atomic Test #3: Disable journal logging via sed utility [linux]

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -65,6 +65,7 @@
   - Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
   - Atomic Test #6: Hex decoding with shell utilities [linux, macos]
   - Atomic Test #7: Linux Base64 Encoded Shebang in CLI [linux, macos]
+  - Atomic Test #8: XOR decoding and command execution using Python [linux, macos]
 - T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.008 Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md)

atomics/Indexes/index.yaml

@@ -7448,6 +7448,36 @@ defense-evasion:
           echo #{dash_encoded} | base64 -d | bash
           echo #{fish_encoded} | base64 -d | bash
           echo #{sh_encoded} | base64 -d | bash
+    - name: XOR decoding and command execution using Python
+      auto_generated_guid: c3b65cd5-ee51-4e98-b6a3-6cbdec138efc
+      description: An adversary can obfuscate malicious commands or payloads using
+        XOR and execute them on the victim's machine. This test uses Python to decode
+        and execute commands on the machine.
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        xor_key:
+          description: 'Key used to decrypt the command '
+          type: string
+          default: waEHleblxiQjoxFJQaIMLdHKz
+        encrypted_command:
+          description: Encrypted command that will be executed
+          type: string
+          default: AAkqKQEM
+      dependency_executor_name: bash
+      dependencies:
+      - description: Python3 must be installed
+        prereq_command: which python3
+        get_prereq_command: echo "Install Python3"
+      executor:
+        command: 'python3 -c ''import base64; import subprocess; xor_decrypt = lambda
+          text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()),
+          key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command,
+          key); subprocess.call(exec, shell=True)'''
+        cleanup_command: 
+        name: bash
+        elevation_required: false
   T1562:
     technique:
       modified: '2023-04-15T00:48:46.626Z'

atomics/Indexes/linux-index.yaml

@@ -4683,6 +4683,36 @@ defense-evasion:
           echo #{dash_encoded} | base64 -d | bash
           echo #{fish_encoded} | base64 -d | bash
           echo #{sh_encoded} | base64 -d | bash
+    - name: XOR decoding and command execution using Python
+      auto_generated_guid: c3b65cd5-ee51-4e98-b6a3-6cbdec138efc
+      description: An adversary can obfuscate malicious commands or payloads using
+        XOR and execute them on the victim's machine. This test uses Python to decode
+        and execute commands on the machine.
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        xor_key:
+          description: 'Key used to decrypt the command '
+          type: string
+          default: waEHleblxiQjoxFJQaIMLdHKz
+        encrypted_command:
+          description: Encrypted command that will be executed
+          type: string
+          default: AAkqKQEM
+      dependency_executor_name: bash
+      dependencies:
+      - description: Python3 must be installed
+        prereq_command: which python3
+        get_prereq_command: echo "Install Python3"
+      executor:
+        command: 'python3 -c ''import base64; import subprocess; xor_decrypt = lambda
+          text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()),
+          key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command,
+          key); subprocess.call(exec, shell=True)'''
+        cleanup_command: 
+        name: bash
+        elevation_required: false
   T1562:
     technique:
       modified: '2023-04-15T00:48:46.626Z'

atomics/Indexes/macos-index.yaml

@@ -4487,6 +4487,36 @@ defense-evasion:
           echo #{dash_encoded} | base64 -d | bash
           echo #{fish_encoded} | base64 -d | bash
           echo #{sh_encoded} | base64 -d | bash
+    - name: XOR decoding and command execution using Python
+      auto_generated_guid: c3b65cd5-ee51-4e98-b6a3-6cbdec138efc
+      description: An adversary can obfuscate malicious commands or payloads using
+        XOR and execute them on the victim's machine. This test uses Python to decode
+        and execute commands on the machine.
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        xor_key:
+          description: 'Key used to decrypt the command '
+          type: string
+          default: waEHleblxiQjoxFJQaIMLdHKz
+        encrypted_command:
+          description: Encrypted command that will be executed
+          type: string
+          default: AAkqKQEM
+      dependency_executor_name: bash
+      dependencies:
+      - description: Python3 must be installed
+        prereq_command: which python3
+        get_prereq_command: echo "Install Python3"
+      executor:
+        command: 'python3 -c ''import base64; import subprocess; xor_decrypt = lambda
+          text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()),
+          key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command,
+          key); subprocess.call(exec, shell=True)'''
+        cleanup_command: 
+        name: bash
+        elevation_required: false
   T1562:
     technique:
       modified: '2023-04-15T00:48:46.626Z'

atomics/T1140/T1140.md

@@ -22,6 +22,8 @@ Sometimes a user's action may be required to open it for deobfuscation or decryp
 
 - [Atomic Test #7 - Linux Base64 Encoded Shebang in CLI](#atomic-test-7---linux-base64-encoded-shebang-in-cli)
 
+- [Atomic Test #8 - XOR decoding and command execution using Python](#atomic-test-8---xor-decoding-and-command-execution-using-python)
+
 
 <br/>
 
@@ -350,4 +352,50 @@ echo "please install base64"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - XOR decoding and command execution using Python
+An adversary can obfuscate malicious commands or payloads using XOR and execute them on the victim's machine. This test uses Python to decode and execute commands on the machine.
+
+**Supported Platforms:** Linux, macOS
+
+
+**auto_generated_guid:** c3b65cd5-ee51-4e98-b6a3-6cbdec138efc
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| xor_key | Key used to decrypt the command | string | waEHleblxiQjoxFJQaIMLdHKz|
+| encrypted_command | Encrypted command that will be executed | string | AAkqKQEM|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+python3 -c 'import base64; import subprocess; xor_decrypt = lambda text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()), key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command, key); subprocess.call(exec, shell=True)'
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Python3 must be installed
+##### Check Prereq Commands:
+```bash
+which python3
+```
+##### Get Prereq Commands:
+```bash
+echo "Install Python3"
+```
+
+
+
+
 <br/>