Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -1082,6 +1082,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compress
 collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
+collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
 collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
 collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -153,6 +153,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compress
 collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
+collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
 collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
 collection,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -130,6 +130,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compress
 collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
+collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
 collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
 collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
 collection,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash

atomics/Indexes/Indexes-Markdown/index.md

@@ -1726,6 +1726,7 @@
   - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
   - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
   - Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
+  - Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
 - [T1113 Screen Capture](../../T1113/T1113.md)
   - Atomic Test #1: Screencapture [macos]
   - Atomic Test #2: Screencapture (silent) [macos]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -355,6 +355,7 @@
   - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
   - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
   - Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
+  - Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
 - [T1113 Screen Capture](../../T1113/T1113.md)
   - Atomic Test #3: X Windows Capture [linux]
   - Atomic Test #4: Capture Linux Desktop using Import Tool [linux]

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -357,6 +357,7 @@
   - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
   - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
   - Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
+  - Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
 - [T1113 Screen Capture](../../T1113/T1113.md)
   - Atomic Test #1: Screencapture [macos]
   - Atomic Test #2: Screencapture (silent) [macos]

atomics/Indexes/index.yaml

@@ -76286,6 +76286,44 @@ collection:
         cleanup_command: 'rm -Rf #{test_folder}
 
           '
+    - name: Encrypts collected data with AES-256 and Base64
+      auto_generated_guid: a743e3a6-e8b2-4a30-abe7-ca85d201b5d3
+      description: "An adversary may compress all the collected data, encrypt and
+        send them to a C2 server using base64 encoding. \nThis atomic test tries to
+        emulate the behaviour of the FLEXIROOT backdoor to archive the collected data.
+        FLEXIROOT typically utilizes AES encryption and base64 encoding to transfer
+        the encrypted data to the C2 server. \nIn this test, standard zip compression
+        and the OpenSSL library are used to encrypt the compressed data.\nhttps://attack.mitre.org/versions/v7/software/S0267/"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        input_folder:
+          description: Path to the folder used to store the test files
+          type: path
+          default: "/tmp/t1560"
+        input_file:
+          description: Name of the compressed and encrypted files
+          type: string
+          default: t1560_data
+        enc_pass:
+          description: Password used to encrypt the data
+          type: string
+          default: atomic_enc_pass
+      dependency_executor_name: bash
+      dependencies:
+      - description: The folder and test files must exist
+        prereq_command: 'if [ ! -d #{input_folder} ]; then exit 1; else exit 0; fi;'
+        get_prereq_command: 'if [ ! -d #{input_folder} ]; then mkdir -p #{input_folder};
+          cd #{input_folder}; touch {a..z}.data; fi;'
+      executor:
+        command: "zip -r  #{input_folder}/#{input_file}.zip #{input_folder}\nopenssl
+          enc -aes-256-cbc -pass pass:#{enc_pass} -p -in #{input_folder}/#{input_file}.zip
+          -out #{input_folder}/#{input_file}.enc \ncat #{input_folder}/#{input_file}.enc
+          | base64"
+        cleanup_command: 'rm -rf #{input_folder}'
+        name: bash
+        elevation_required: false
   T1113:
     technique:
       modified: '2023-03-30T21:01:39.967Z'

atomics/Indexes/linux-index.yaml

@@ -51320,6 +51320,44 @@ collection:
         cleanup_command: 'rm -Rf #{test_folder}
 
           '
+    - name: Encrypts collected data with AES-256 and Base64
+      auto_generated_guid: a743e3a6-e8b2-4a30-abe7-ca85d201b5d3
+      description: "An adversary may compress all the collected data, encrypt and
+        send them to a C2 server using base64 encoding. \nThis atomic test tries to
+        emulate the behaviour of the FLEXIROOT backdoor to archive the collected data.
+        FLEXIROOT typically utilizes AES encryption and base64 encoding to transfer
+        the encrypted data to the C2 server. \nIn this test, standard zip compression
+        and the OpenSSL library are used to encrypt the compressed data.\nhttps://attack.mitre.org/versions/v7/software/S0267/"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        input_folder:
+          description: Path to the folder used to store the test files
+          type: path
+          default: "/tmp/t1560"
+        input_file:
+          description: Name of the compressed and encrypted files
+          type: string
+          default: t1560_data
+        enc_pass:
+          description: Password used to encrypt the data
+          type: string
+          default: atomic_enc_pass
+      dependency_executor_name: bash
+      dependencies:
+      - description: The folder and test files must exist
+        prereq_command: 'if [ ! -d #{input_folder} ]; then exit 1; else exit 0; fi;'
+        get_prereq_command: 'if [ ! -d #{input_folder} ]; then mkdir -p #{input_folder};
+          cd #{input_folder}; touch {a..z}.data; fi;'
+      executor:
+        command: "zip -r  #{input_folder}/#{input_file}.zip #{input_folder}\nopenssl
+          enc -aes-256-cbc -pass pass:#{enc_pass} -p -in #{input_folder}/#{input_file}.zip
+          -out #{input_folder}/#{input_file}.enc \ncat #{input_folder}/#{input_file}.enc
+          | base64"
+        cleanup_command: 'rm -rf #{input_folder}'
+        name: bash
+        elevation_required: false
   T1113:
     technique:
       modified: '2023-03-30T21:01:39.967Z'

atomics/Indexes/macos-index.yaml

@@ -49511,6 +49511,44 @@ collection:
         cleanup_command: 'rm -Rf #{test_folder}
 
           '
+    - name: Encrypts collected data with AES-256 and Base64
+      auto_generated_guid: a743e3a6-e8b2-4a30-abe7-ca85d201b5d3
+      description: "An adversary may compress all the collected data, encrypt and
+        send them to a C2 server using base64 encoding. \nThis atomic test tries to
+        emulate the behaviour of the FLEXIROOT backdoor to archive the collected data.
+        FLEXIROOT typically utilizes AES encryption and base64 encoding to transfer
+        the encrypted data to the C2 server. \nIn this test, standard zip compression
+        and the OpenSSL library are used to encrypt the compressed data.\nhttps://attack.mitre.org/versions/v7/software/S0267/"
+      supported_platforms:
+      - linux
+      - macos
+      input_arguments:
+        input_folder:
+          description: Path to the folder used to store the test files
+          type: path
+          default: "/tmp/t1560"
+        input_file:
+          description: Name of the compressed and encrypted files
+          type: string
+          default: t1560_data
+        enc_pass:
+          description: Password used to encrypt the data
+          type: string
+          default: atomic_enc_pass
+      dependency_executor_name: bash
+      dependencies:
+      - description: The folder and test files must exist
+        prereq_command: 'if [ ! -d #{input_folder} ]; then exit 1; else exit 0; fi;'
+        get_prereq_command: 'if [ ! -d #{input_folder} ]; then mkdir -p #{input_folder};
+          cd #{input_folder}; touch {a..z}.data; fi;'
+      executor:
+        command: "zip -r  #{input_folder}/#{input_file}.zip #{input_folder}\nopenssl
+          enc -aes-256-cbc -pass pass:#{enc_pass} -p -in #{input_folder}/#{input_file}.zip
+          -out #{input_folder}/#{input_file}.enc \ncat #{input_folder}/#{input_file}.enc
+          | base64"
+        cleanup_command: 'rm -rf #{input_folder}'
+        name: bash
+        elevation_required: false
   T1113:
     technique:
       modified: '2023-03-30T21:01:39.967Z'

atomics/T1560.001/T1560.001.md

@@ -26,6 +26,8 @@ Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZi
 
 - [Atomic Test #8 - Data Encrypted with zip and gpg symmetric](#atomic-test-8---data-encrypted-with-zip-and-gpg-symmetric)
 
+- [Atomic Test #9 - Encrypts collected data with AES-256 and Base64](#atomic-test-9---encrypts-collected-data-with-aes-256-and-base64)
+
 
 <br/>
 
@@ -438,4 +440,60 @@ if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #9 - Encrypts collected data with AES-256 and Base64
+An adversary may compress all the collected data, encrypt and send them to a C2 server using base64 encoding. 
+This atomic test tries to emulate the behaviour of the FLEXIROOT backdoor to archive the collected data. FLEXIROOT typically utilizes AES encryption and base64 encoding to transfer the encrypted data to the C2 server. 
+In this test, standard zip compression and the OpenSSL library are used to encrypt the compressed data.
+https://attack.mitre.org/versions/v7/software/S0267/
+
+**Supported Platforms:** Linux, macOS
+
+
+**auto_generated_guid:** a743e3a6-e8b2-4a30-abe7-ca85d201b5d3
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| input_folder | Path to the folder used to store the test files | path | /tmp/t1560|
+| input_file | Name of the compressed and encrypted files | string | t1560_data|
+| enc_pass | Password used to encrypt the data | string | atomic_enc_pass|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+zip -r  #{input_folder}/#{input_file}.zip #{input_folder}
+openssl enc -aes-256-cbc -pass pass:#{enc_pass} -p -in #{input_folder}/#{input_file}.zip -out #{input_folder}/#{input_file}.enc 
+cat #{input_folder}/#{input_file}.enc | base64
+```
+
+#### Cleanup Commands:
+```bash
+rm -rf #{input_folder}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: The folder and test files must exist
+##### Check Prereq Commands:
+```bash
+if [ ! -d #{input_folder} ]; then exit 1; else exit 0; fi;
+```
+##### Get Prereq Commands:
+```bash
+if [ ! -d #{input_folder} ]; then mkdir -p #{input_folder}; cd #{input_folder}; touch {a..z}.data; fi;
+```
+
+
+
+
 <br/>