diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 0f7b6146..7e4e8a50 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -46036,19 +46036,9 @@ execution: ' - name: Python pty module and spawn function used to spawn sh or bash auto_generated_guid: 161d694c-b543-4434-85c3-c3a433e33792 - description: 'ID T1059.006. Adversaries may abuse Python commands and scripts - for execution. Python is a very popular scripting/programming language, with - capabilities to perform many functions. Python can be executed interactively - from the command-line (via the python.exe interpreter) or via scripts (.py) - that can be written and distributed to different systems. Python code can - also be compiled into binary executables.Python comes with many built-in packages - to interact with the underlying system, such as file operations and device - I/O. Adversaries can use these libraries to download and execute commands - or other scripts as well as perform various malicious behaviors.Zero-Day Exploitation - of Atlassian Confluence [CVE-2022-26134] Unauthenticated RCE vulnerability - - Critical severity. As per Volexity, bash shells were launched by the Confluence - web application process. It had spawned a bash process which spawned a Python - process that in turn spawned a bash shell. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence + description: 'Uses the Python spawn function to spawn a sh shell followed by + a bash shell. Per Volexity, this technique was observed in exploitation of + Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence ' supported_platforms: diff --git a/atomics/T1059.006/T1059.006.md b/atomics/T1059.006/T1059.006.md index 731d8401..7818238e 100644 --- a/atomics/T1059.006/T1059.006.md +++ b/atomics/T1059.006/T1059.006.md @@ -204,7 +204,7 @@ pip install requests
## Atomic Test #4 - Python pty module and spawn function used to spawn sh or bash -ID T1059.006. Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.Zero-Day Exploitation of Atlassian Confluence [CVE-2022-26134] Unauthenticated RCE vulnerability - Critical severity. As per Volexity, bash shells were launched by the Confluence web application process. It had spawned a bash process which spawned a Python process that in turn spawned a bash shell. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence +Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence **Supported Platforms:** Linux
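Review bot: In the index.yaml hunk, the new description says only "the Python spawn function", while the test title and the mechanism under test are the pty module's `pty.spawn`; name the module and function explicitly so analysts searching the index by module name still find this test. The removed text also recorded the parent-child chain Volexity observed (Confluence web application process -> bash -> Python -> bash), which is the detection-relevant detail, whereas the replacement "spawn a sh shell followed by a bash shell" reads as a different chain; suggest keeping one sentence stating the observed process ancestry alongside the reference URL.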
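Review bot: The T1059.006.md hunk applies the same description rewrite as the index hunk, but the diff touches only these two files; both the index entry and the markdown are derived from the technique's atomic YAML, so confirm that the source YAML for this test carries the identical description (or is regenerated from it), otherwise the next generation pass will overwrite this change and the two files will drift apart again.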