diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 97ae625d..f8c42019 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -114695,7 +114695,7 @@ impact: - name: Encrypt files using ccrypt (FreeBSD/Linux) auto_generated_guid: '08cbf59f-85da-4369-a5f4-049cffd7709f' description: 'Attempts to encrypt data on target systems as root to simulate - an inturruption authentication to target system. If root permissions are not + an interruption authentication to target system. If root permissions are not available then attempts to encrypt data within user''s home directory. ' 
@@ -114703,47 +114703,39 @@ impact: - linux input_arguments: cped_file_path: - description: path where you want your copied file to be + description: Path where you want your copied file to be type: path default: "/tmp/passwd" root_input_file_path: - description: path to the file that you want to be encrypted if you are root - user + description: Path the target file to be encrypted. File will be copied to + /tmp/ before encrypting type: path default: "/etc/passwd" - user_input_file_path: - description: path to file that you want to be encrypted if you are normal - user - type: path - default: "~/.bash_history" - impact_command: - description: command to show impact of encryption + pwd_for_encrypted_file: + description: Password to use for encryption type: string - default: sudo su + default: passwd dependency_executor_name: sh dependencies: - - description: 'Finds where ccencrypt and ccdecrypt is located and copies input - file + - description: 'Finds where ccencrypt and ccdecrypt are located ' prereq_command: | which_ccencrypt=`which ccencrypt` which_ccdecrypt=`which ccdecrypt` - if [ $USER == "root" ]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi get_prereq_command: "(which pkg && pkg install -y ccript)||(which yum && yum -y install epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)\n" executor: name: sh elevation_required: false - command: 'if [ $USER == "root" ]; then $which_ccencrypt #{root_input_file_path}; - file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt - #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; - fi + command: | + which_ccencrypt=`which ccencrypt` + cp #{root_input_file_path} #{cped_file_path}; + $which_ccencrypt -T -K #{pwd_for_encrypted_file} #{cped_file_path} + cleanup_command: 'rm #{cped_file_path}.cpt ' - cleanup_command: "if [ $USER == \"root\" ]; then mv #{cped_file_path} 
#{root_input_file_path}; - else cp #{cped_file_path} #{user_input_file_path}; fi \n" - name: Encrypt files using openssl (FreeBSD/Linux) auto_generated_guid: 142752dc-ca71-443b-9359-cf6f497315f1 description: 'Uses openssl to encrypt a file @@ -114785,6 +114777,7 @@ impact: name: sh elevation_required: false command: | + which_openssl=`which openssl` $which_openssl genrsa -out #{private_key_path} #{encryption_bit_size} $which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path} $which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path} diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml index b7acc0e4..007faa80 100644 --- a/atomics/Indexes/linux-index.yaml +++ b/atomics/Indexes/linux-index.yaml @@ -69719,7 +69719,7 @@ impact: - name: Encrypt files using ccrypt (FreeBSD/Linux) auto_generated_guid: '08cbf59f-85da-4369-a5f4-049cffd7709f' description: 'Attempts to encrypt data on target systems as root to simulate - an inturruption authentication to target system. If root permissions are not + an interruption authentication to target system. If root permissions are not available then attempts to encrypt data within user''s home directory. ' 
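Review bot: The new `cleanup_command` removes only `#{cped_file_path}.cpt`, so when the `$which_ccencrypt` line fails (an empty `which` result expands to nothing and the line runs `-T -K …` as a command) the plaintext copy made by the `cp` line is left behind in `#{cped_file_path}`; `cleanup_command: 'rm -f #{cped_file_path} #{cped_file_path}.cpt'` covers both outcomes. The test `description` in the preceding hunk still promises a root/non-root fallback to the user's home directory, but the rewritten `command` no longer branches on `$USER` and always encrypts a copy of `#{root_input_file_path}`, so it should be reworded to something like `Copies #{root_input_file_path} to #{cped_file_path} and encrypts the copy with ccrypt using the supplied password`. `description: Path the target file to be encrypted.` reads better as `Path to the target file to be encrypted.`. The same changes recur in the linux-index.yaml hunks below and in the T1486.md table, which presumably are regenerated from the same atomic source, so the fix belongs there rather than in the indexes.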
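Review bot: `which_openssl` is assigned from `which openssl` but never checked, so if it is empty each following line runs `genrsa`, `rsa` and `rsautl` as bare commands and the test only reports "command not found" instead of a clear missing-prerequisite failure; a guard right after the assignment, `[ -n "$which_openssl" ] || exit 1`, makes that explicit. The same pattern is added in the linux-index.yaml openssl hunk. The `command` block may continue past the end of this hunk.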
@@ -69727,47 +69727,39 @@ impact: - linux input_arguments: cped_file_path: - description: path where you want your copied file to be + description: Path where you want your copied file to be type: path default: "/tmp/passwd" root_input_file_path: - description: path to the file that you want to be encrypted if you are root - user + description: Path the target file to be encrypted. File will be copied to + /tmp/ before encrypting type: path default: "/etc/passwd" - user_input_file_path: - description: path to file that you want to be encrypted if you are normal - user - type: path - default: "~/.bash_history" - impact_command: - description: command to show impact of encryption + pwd_for_encrypted_file: + description: Password to use for encryption type: string - default: sudo su + default: passwd dependency_executor_name: sh dependencies: - - description: 'Finds where ccencrypt and ccdecrypt is located and copies input - file + - description: 'Finds where ccencrypt and ccdecrypt are located ' prereq_command: | which_ccencrypt=`which ccencrypt` which_ccdecrypt=`which ccdecrypt` - if [ $USER == "root" ]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi get_prereq_command: "(which pkg && pkg install -y ccript)||(which yum && yum -y install epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)\n" executor: name: sh elevation_required: false - command: 'if [ $USER == "root" ]; then $which_ccencrypt #{root_input_file_path}; - file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt - #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; - fi + command: | + which_ccencrypt=`which ccencrypt` + cp #{root_input_file_path} #{cped_file_path}; + $which_ccencrypt -T -K #{pwd_for_encrypted_file} #{cped_file_path} + cleanup_command: 'rm #{cped_file_path}.cpt ' - cleanup_command: "if [ $USER == \"root\" ]; then mv #{cped_file_path} 
#{root_input_file_path}; - else cp #{cped_file_path} #{user_input_file_path}; fi \n" - name: Encrypt files using openssl (FreeBSD/Linux) auto_generated_guid: 142752dc-ca71-443b-9359-cf6f497315f1 description: 'Uses openssl to encrypt a file @@ -69809,6 +69801,7 @@ impact: name: sh elevation_required: false command: | + which_openssl=`which openssl` $which_openssl genrsa -out #{private_key_path} #{encryption_bit_size} $which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path} $which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path} diff --git a/atomics/T1486/T1486.md b/atomics/T1486/T1486.md index 6c768cc2..0a26b018 100644 --- a/atomics/T1486/T1486.md +++ b/atomics/T1486/T1486.md @@ -138,7 +138,7 @@ which_7z=`which 7z`
## Atomic Test #3 - Encrypt files using ccrypt (FreeBSD/Linux) -Attempts to encrypt data on target systems as root to simulate an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory. +Attempts to encrypt data on target systems as root to simulate an interruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory. **Supported Platforms:** Linux 
@@ -152,33 +152,33 @@ Attempts to encrypt data on target systems as root to simulate an inturruption a #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| cped_file_path | path where you want your copied file to be | path | /tmp/passwd| -| root_input_file_path | path to the file that you want to be encrypted if you are root user | path | /etc/passwd| -| user_input_file_path | path to file that you want to be encrypted if you are normal user | path | ~/.bash_history| -| impact_command | command to show impact of encryption | string | sudo su| +| cped_file_path | Path where you want your copied file to be | path | /tmp/passwd| +| root_input_file_path | Path the target file to be encrypted. File will be copied to /tmp/ before encrypting | path | /etc/passwd| +| pwd_for_encrypted_file | Password to use for encryption | string | passwd| #### Attack Commands: Run with `sh`! ```sh -if [ $USER == "root" ]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fi +which_ccencrypt=`which ccencrypt` +cp #{root_input_file_path} #{cped_file_path}; +$which_ccencrypt -T -K #{pwd_for_encrypted_file} #{cped_file_path} ``` #### Cleanup Commands: ```sh -if [ $USER == "root" ]; then mv #{cped_file_path} #{root_input_file_path}; else cp #{cped_file_path} #{user_input_file_path}; fi +rm #{cped_file_path}.cpt ``` #### Dependencies: Run with `sh`! -##### Description: Finds where ccencrypt and ccdecrypt is located and copies input file +##### Description: Finds where ccencrypt and ccdecrypt are located ##### Check Prereq Commands: ```sh which_ccencrypt=`which ccencrypt` which_ccdecrypt=`which ccdecrypt` -if [ $USER == "root" ]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi ``` ##### Get Prereq Commands: ```sh 
@@ -217,6 +217,7 @@ Uses openssl to encrypt a file ```sh +which_openssl=`which openssl` $which_openssl genrsa -out #{private_key_path} #{encryption_bit_size} $which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path} $which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path}