diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 4e260d04..7a05b3c3 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -18025,19 +18025,35 @@ defense-evasion:
 atomic_tests:
 - name: Decode base64 Data into Script
 auto_generated_guid: f45df6be-2e1e-4136-a384-8f18ab3826fb
- description: |
- Creates a base64-encoded data file and decodes it into an executable shell script
-
- Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`.
+ description: "Creates a base64-encoded data file and decodes it into an executable
+ shell script\n\nUpon successful execution, sh will execute art.sh, which is
+ a base64 encoded command, that echoes `Hello from the Atomic Red Team` \nand
+ uname -v\n"
 supported_platforms:
 - macos
 - linux
+ input_arguments:
+ shell_command:
+ description: command to encode
+ type: String
+ default: echo Hello from the Atomic Red Team && uname -v
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'encode the command into base64 file
+
+ '
+ prereq_command: 'exit 1
+
+ '
+ get_prereq_command: 'echo "#{shell_command}" | base64 > /tmp/encoded.dat
+
+ '
 executor:
 command: |
- sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
 cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
 chmod +x /tmp/art.sh
 /tmp/art.sh
+ cleanup_command: "rm /tmp/encoded.dat \nrm /tmp/art.sh\n"
 name: sh
 - name: Execute base64-encoded PowerShell
 auto_generated_guid: a50d5a97-2531-499e-a1de-5544c74432c6
diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md
index d2f93d4f..d62ef1f3 100644
--- a/atomics/T1027/T1027.md
+++ b/atomics/T1027/T1027.md
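Review bot: The new `prereq_command: 'exit 1'` in the `dependencies` entry can never succeed, so a runner that gates execution on the prerequisite check will report the dependency as unmet on every run unless prerequisites are fetched first; a check that mirrors what `get_prereq_command` produces, such as `prereq_command: test -f /tmp/encoded.dat`, lets the test run once the encoded file exists, or the `echo "#{shell_command}" | base64 > /tmp/encoded.dat` line could live in the executor `command` where the removed `sh -c` line used to be. The added `cleanup_command` carries a trailing space before the first `\n` and uses bare `rm`, which fails when a file is already gone; `rm -f /tmp/encoded.dat` and `rm -f /tmp/art.sh` would be quieter. Stylistically, replacing the `|` block scalar for `description` with a double-quoted string holding `\n` escapes, and padding the three single-quoted dependency strings with blank lines, reads worse than the block form being removed; if this index is generated from the technique's own YAML file, the scalar style should be corrected at that source rather than here.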
@@ -32,7 +32,8 @@ Adversaries may also obfuscate commands executed from payloads or directly via a ## Atomic Test #1 - Decode base64 Data into Script Creates a base64-encoded data file and decodes it into an executable shell script -Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`. +Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that echoes `Hello from the Atomic Red Team` +and uname -v **Supported Platforms:** macOS, Linux @@ -43,20 +44,41 @@ Upon successful execution, sh will execute art.sh, which is a base64 encoded com +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| shell_command | command to encode | String | echo Hello from the Atomic Red Team && uname -v| + #### Attack Commands: Run with `sh`! ```sh -sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat" cat /tmp/encoded.dat | base64 -d > /tmp/art.sh chmod +x /tmp/art.sh /tmp/art.sh ``` +#### Cleanup Commands: +```sh +rm /tmp/encoded.dat +rm /tmp/art.sh +``` +#### Dependencies: Run with `sh`! +##### Description: encode the command into base64 file +##### Check Prereq Commands: +```sh +exit 1 +``` +##### Get Prereq Commands: +```sh +echo "#{shell_command}" | base64 > /tmp/encoded.dat +``` + +