Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -121,6 +121,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
 defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
 defense-evasion,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -37,6 +37,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -27,6 +27,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
 defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
+defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh

atomics/Indexes/Indexes-Markdown/index.md

@@ -171,6 +171,7 @@
   - Atomic Test #4: Base64 decoding with Perl [linux, macos]
   - Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
   - Atomic Test #6: Hex decoding with shell utilities [linux, macos]
+  - Atomic Test #7: Linux Base64 Encoded Shebang in CLI [linux, macos]
 - [T1562 Impair Defenses](../../T1562/T1562.md)
   - Atomic Test #1: Windows Disable LSA Protection [windows]
 - [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -54,6 +54,7 @@
   - Atomic Test #4: Base64 decoding with Perl [linux, macos]
   - Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
   - Atomic Test #6: Hex decoding with shell utilities [linux, macos]
+  - Atomic Test #7: Linux Base64 Encoded Shebang in CLI [linux, macos]
 - T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -48,6 +48,7 @@
   - Atomic Test #4: Base64 decoding with Perl [linux, macos]
   - Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
   - Atomic Test #6: Hex decoding with shell utilities [linux, macos]
+  - Atomic Test #7: Linux Base64 Encoded Shebang in CLI [linux, macos]
 - T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -6799,6 +6799,53 @@ defense-evasion:
           echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
           echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
           echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
+    - name: Linux Base64 Encoded Shebang in CLI
+      auto_generated_guid: 3a15c372-67c1-4430-ac8e-ec06d641ce4d
+      description: "Using Linux Base64 Encoded shell scripts that have Shebang in
+        them. This is commonly how attackers obfuscate passing and executing a shell
+        script. \n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        bash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        dash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        zsh_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL3pzaAplY2hvICJodHRwczovL3d3dy55b3V0dWJlLmNvbS9AYXRvbWljc29uYWZyaWRheSBGVFciCg==
+        fish_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        sh_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK
+      dependencies:
+      - description: 'base64 must be present
+
+          '
+        prereq_command: 'which base64
+
+          '
+        get_prereq_command: 'echo "please install base64"
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          echo #{bash_encoded} | base64 -d | bash
+          echo #{dash_encoded} | base64 -d | bash
+          echo #{fish_encoded} | base64 -d | bash
+          echo #{sh_encoded} | base64 -d | bash
   T1562:
     technique:
       x_mitre_platforms:

atomics/Indexes/linux-index.yaml

@@ -4192,6 +4192,53 @@ defense-evasion:
           echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
           echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
           echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
+    - name: Linux Base64 Encoded Shebang in CLI
+      auto_generated_guid: 3a15c372-67c1-4430-ac8e-ec06d641ce4d
+      description: "Using Linux Base64 Encoded shell scripts that have Shebang in
+        them. This is commonly how attackers obfuscate passing and executing a shell
+        script. \n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        bash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        dash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        zsh_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL3pzaAplY2hvICJodHRwczovL3d3dy55b3V0dWJlLmNvbS9AYXRvbWljc29uYWZyaWRheSBGVFciCg==
+        fish_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        sh_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK
+      dependencies:
+      - description: 'base64 must be present
+
+          '
+        prereq_command: 'which base64
+
+          '
+        get_prereq_command: 'echo "please install base64"
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          echo #{bash_encoded} | base64 -d | bash
+          echo #{dash_encoded} | base64 -d | bash
+          echo #{fish_encoded} | base64 -d | bash
+          echo #{sh_encoded} | base64 -d | bash
   T1562:
     technique:
       x_mitre_platforms:

atomics/Indexes/macos-index.yaml

@@ -3845,6 +3845,53 @@ defense-evasion:
           echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
           echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
           echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
+    - name: Linux Base64 Encoded Shebang in CLI
+      auto_generated_guid: 3a15c372-67c1-4430-ac8e-ec06d641ce4d
+      description: "Using Linux Base64 Encoded shell scripts that have Shebang in
+        them. This is commonly how attackers obfuscate passing and executing a shell
+        script. \n"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        bash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        dash_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        zsh_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL3pzaAplY2hvICJodHRwczovL3d3dy55b3V0dWJlLmNvbS9AYXRvbWljc29uYWZyaWRheSBGVFciCg==
+        fish_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=
+        sh_encoded:
+          description: Encoded
+          type: string
+          default: IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK
+      dependencies:
+      - description: 'base64 must be present
+
+          '
+        prereq_command: 'which base64
+
+          '
+        get_prereq_command: 'echo "please install base64"
+
+          '
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          echo #{bash_encoded} | base64 -d | bash
+          echo #{dash_encoded} | base64 -d | bash
+          echo #{fish_encoded} | base64 -d | bash
+          echo #{sh_encoded} | base64 -d | bash
   T1562:
     technique:
       x_mitre_platforms:

atomics/T1140/T1140.md

@@ -20,6 +20,8 @@ Sometimes a user's action may be required to open it for deobfuscation or decryp
 
 - [Atomic Test #6 - Hex decoding with shell utilities](#atomic-test-6---hex-decoding-with-shell-utilities)
 
+- [Atomic Test #7 - Linux Base64 Encoded Shebang in CLI](#atomic-test-7---linux-base64-encoded-shebang-in-cli)
+
 
 <br/>
 
@@ -297,4 +299,56 @@ echo "Please install xxd"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #7 - Linux Base64 Encoded Shebang in CLI
+Using Linux Base64 Encoded shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script.
+
+**Supported Platforms:** Linux, macOS
+
+
+**auto_generated_guid:** 3a15c372-67c1-4430-ac8e-ec06d641ce4d
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| bash_encoded | Encoded | string | IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
+| dash_encoded | Encoded | string | IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
+| zsh_encoded | Encoded | string | IyEvYmluL3pzaAplY2hvICJodHRwczovL3d3dy55b3V0dWJlLmNvbS9AYXRvbWljc29uYWZyaWRheSBGVFciCg==|
+| fish_encoded | Encoded | string | IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=|
+| sh_encoded | Encoded | string | IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+echo #{bash_encoded} | base64 -d | bash
+echo #{dash_encoded} | base64 -d | bash
+echo #{fish_encoded} | base64 -d | bash
+echo #{sh_encoded} | base64 -d | bash
+```
+
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: base64 must be present
+##### Check Prereq Commands:
+```sh
+which base64
+```
+##### Get Prereq Commands:
+```sh
+echo "please install base64"
+```
+
+
+
+
 <br/>