Generated docs from job=generate-docs branch=master [ci skip]
@@ -38,6 +38,7 @@ defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS dev
|
||||
defense-evasion,T1564.008,Hide Artifacts: Email Hiding Rules,1,New-Inbox Rule to Hide E-mail in M365,30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9,powershell
|
||||
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,1,Decode Eicar File and Write to File,7693ccaa-8d64-4043-92a5-a2eb70359535,powershell
|
||||
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,2,Decrypt Eicar File and Write to File,b404caaa-12ce-43c7-9214-62a531c044f7,powershell
|
||||
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,3,Password-Protected ZIP Payload Extraction and Execution,c2ca068a-eb1e-498f-9f93-3d554c455916,bash
|
||||
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
|
||||
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
|
||||
defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
|
||||
@@ -555,6 +556,7 @@ defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in Po
|
||||
defense-evasion,T1027,Obfuscated Files or Information,8,Obfuscated Command Line using special Unicode characters,e68b945c-52d0-4dd9-a5e8-d173d70c448f,manual
|
||||
defense-evasion,T1027,Obfuscated Files or Information,9,Snake Malware Encrypted crmlog file,7e47ee60-9dd1-4269-9c4f-97953b183268,powershell
|
||||
defense-evasion,T1027,Obfuscated Files or Information,10,Execution from Compressed JScript File,fad04df1-5229-4185-b016-fb6010cd87ac,command_prompt
|
||||
defense-evasion,T1027,Obfuscated Files or Information,11,Obfuscated PowerShell Command via Character Array,6683baf0-6e77-4f58-b114-814184ea8150,powershell
|
||||
defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
|
||||
defense-evasion,T1564.006,Run Virtual Instance,2,Create and start VirtualBox virtual machine,88b81702-a1c0-49a9-95b2-2dd53d755767,command_prompt
|
||||
defense-evasion,T1564.006,Run Virtual Instance,3,Create and start Hyper-V virtual machine,fb8d4d7e-f5a4-481c-8867-febf13f8b6d3,powershell
|
||||
|
||||
|
@@ -18,6 +18,7 @@ defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD,
|
||||
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",14,Chown through c script (freebsd),eb577a19-b730-4918-9b03-c5edcf51dc4e,sh
|
||||
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,1,Decode Eicar File and Write to File,7693ccaa-8d64-4043-92a5-a2eb70359535,powershell
|
||||
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,2,Decrypt Eicar File and Write to File,b404caaa-12ce-43c7-9214-62a531c044f7,powershell
|
||||
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,3,Password-Protected ZIP Payload Extraction and Execution,c2ca068a-eb1e-498f-9f93-3d554c455916,bash
|
||||
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
|
||||
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
|
||||
defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
|
||||
|
||||
|
@@ -12,6 +12,7 @@ defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD,
|
||||
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",13,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
|
||||
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,1,Decode Eicar File and Write to File,7693ccaa-8d64-4043-92a5-a2eb70359535,powershell
|
||||
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,2,Decrypt Eicar File and Write to File,b404caaa-12ce-43c7-9214-62a531c044f7,powershell
|
||||
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,3,Password-Protected ZIP Payload Extraction and Execution,c2ca068a-eb1e-498f-9f93-3d554c455916,bash
|
||||
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
|
||||
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
|
||||
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
|
||||
|
||||
|
@@ -394,6 +394,7 @@ defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in Po
|
||||
defense-evasion,T1027,Obfuscated Files or Information,8,Obfuscated Command Line using special Unicode characters,e68b945c-52d0-4dd9-a5e8-d173d70c448f,manual
|
||||
defense-evasion,T1027,Obfuscated Files or Information,9,Snake Malware Encrypted crmlog file,7e47ee60-9dd1-4269-9c4f-97953b183268,powershell
|
||||
defense-evasion,T1027,Obfuscated Files or Information,10,Execution from Compressed JScript File,fad04df1-5229-4185-b016-fb6010cd87ac,command_prompt
|
||||
defense-evasion,T1027,Obfuscated Files or Information,11,Obfuscated PowerShell Command via Character Array,6683baf0-6e77-4f58-b114-814184ea8150,powershell
|
||||
defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
|
||||
defense-evasion,T1564.006,Run Virtual Instance,2,Create and start VirtualBox virtual machine,88b81702-a1c0-49a9-95b2-2dd53d755767,command_prompt
|
||||
defense-evasion,T1564.006,Run Virtual Instance,3,Create and start Hyper-V virtual machine,fb8d4d7e-f5a4-481c-8867-febf13f8b6d3,powershell
|
||||
|
||||
|
@@ -54,6 +54,7 @@
|
||||
- [T1027.013 Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md)
|
||||
- Atomic Test #1: Decode Eicar File and Write to File [windows, macos, linux]
|
||||
- Atomic Test #2: Decrypt Eicar File and Write to File [windows, macos, linux]
|
||||
- Atomic Test #3: Password-Protected ZIP Payload Extraction and Execution [linux, macos]
|
||||
- [T1014 Rootkit](../../T1014/T1014.md)
|
||||
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
|
||||
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
|
||||
@@ -698,6 +699,7 @@
|
||||
- Atomic Test #8: Obfuscated Command Line using special Unicode characters [windows]
|
||||
- Atomic Test #9: Snake Malware Encrypted crmlog file [windows]
|
||||
- Atomic Test #10: Execution from Compressed JScript File [windows]
|
||||
- Atomic Test #11: Obfuscated PowerShell Command via Character Array [windows]
|
||||
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
|
||||
|
||||
@@ -13,6 +13,7 @@
|
||||
- [T1027.013 Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md)
|
||||
- Atomic Test #1: Decode Eicar File and Write to File [windows, macos, linux]
|
||||
- Atomic Test #2: Decrypt Eicar File and Write to File [windows, macos, linux]
|
||||
- Atomic Test #3: Password-Protected ZIP Payload Extraction and Execution [linux, macos]
|
||||
- [T1014 Rootkit](../../T1014/T1014.md)
|
||||
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
|
||||
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
|
||||
|
||||
@@ -13,6 +13,7 @@
|
||||
- [T1027.013 Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md)
|
||||
- Atomic Test #1: Decode Eicar File and Write to File [windows, macos, linux]
|
||||
- Atomic Test #2: Decrypt Eicar File and Write to File [windows, macos, linux]
|
||||
- Atomic Test #3: Password-Protected ZIP Payload Extraction and Execution [linux, macos]
|
||||
- T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1036.007 Masquerading: Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
|
||||
@@ -505,6 +505,7 @@
|
||||
- Atomic Test #8: Obfuscated Command Line using special Unicode characters [windows]
|
||||
- Atomic Test #9: Snake Malware Encrypted crmlog file [windows]
|
||||
- Atomic Test #10: Execution from Compressed JScript File [windows]
|
||||
- Atomic Test #11: Obfuscated PowerShell Command via Character Array [windows]
|
||||
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
|
||||
|
||||
@@ -2048,7 +2048,6 @@ defense-evasion:
|
||||
$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
|
||||
$bytes = [System.Convert]::FromBase64String($encodedString)
|
||||
$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
|
||||
|
||||
#write the decoded eicar string to file
|
||||
$decodedString | Out-File T1027.013_decodedEicar.txt
|
||||
cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
|
||||
@@ -2066,15 +2065,58 @@ defense-evasion:
|
||||
command: |-
|
||||
$encryptedString = "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"
|
||||
$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
|
||||
|
||||
$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
|
||||
$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
|
||||
|
||||
#Write the decrypted eicar string to a file
|
||||
$decryptedString | out-file T1027.013_decryptedEicar.txt
|
||||
cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
- name: Password-Protected ZIP Payload Extraction and Execution
|
||||
auto_generated_guid: c2ca068a-eb1e-498f-9f93-3d554c455916
|
||||
description: |
|
||||
Extracts and executes a script from a password-protected ZIP archive.
|
||||
This technique is commonly used by malware families like Emotet and QBot to deliver payloads
|
||||
via email attachments where the password is provided in the message body.
|
||||
The encrypted ZIP evades static file analysis until extracted at runtime.
|
||||
Upon successful execution, displays confirmation and system information.
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
zip_password:
|
||||
description: Password used to protect the ZIP archive
|
||||
type: String
|
||||
default: infected
|
||||
dependency_executor_name: bash
|
||||
dependencies:
|
||||
- description: 'zip and unzip must be installed
|
||||
|
||||
'
|
||||
prereq_command: 'which zip && which unzip
|
||||
|
||||
'
|
||||
get_prereq_command: 'echo "Install zip and unzip using your package manager
|
||||
(apt-get, yum, or brew)"
|
||||
|
||||
'
|
||||
executor:
|
||||
command: |
|
||||
echo '#!/bin/bash' > /tmp/art_payload.sh
|
||||
echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
|
||||
echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
|
||||
echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
|
||||
echo 'uname -a' >> /tmp/art_payload.sh
|
||||
cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
|
||||
rm /tmp/art_payload.sh
|
||||
echo "Encrypted ZIP created. Extracting with password..."
|
||||
unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
|
||||
echo "Executing extracted payload:"
|
||||
bash /tmp/art_payload.sh
|
||||
cleanup_command: |
|
||||
rm -f /tmp/art_payload.sh
|
||||
rm -f /tmp/art_encrypted.zip
|
||||
name: bash
|
||||
T1014:
|
||||
technique:
|
||||
type: attack-pattern
|
||||
@@ -23857,6 +23899,22 @@ defense-evasion:
|
||||
|
||||
'
|
||||
name: command_prompt
|
||||
- name: Obfuscated PowerShell Command via Character Array
|
||||
auto_generated_guid: 6683baf0-6e77-4f58-b114-814184ea8150
|
||||
description: "Spawns a child PowerShell process using character array obfuscation.
|
||||
\nBoth the PowerShell binary name and executed command are constructed \nfrom
|
||||
ASCII values at runtime to evade string-based detection.\n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
$ps = [char[]](112,111,119,101,114,115,104,101,108,108)
|
||||
$cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
|
||||
& (-join $ps) "-Command" (-join $cmd)
|
||||
cleanup_command: |
|
||||
taskkill /f /im calculator.exe >nul 2>nul
|
||||
taskkill /f /im CalculatorApp.exe >nul 2>nul
|
||||
name: powershell
|
||||
T1556.006:
|
||||
technique:
|
||||
type: attack-pattern
|
||||
|
||||
@@ -1529,7 +1529,6 @@ defense-evasion:
|
||||
$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
|
||||
$bytes = [System.Convert]::FromBase64String($encodedString)
|
||||
$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
|
||||
|
||||
#write the decoded eicar string to file
|
||||
$decodedString | Out-File T1027.013_decodedEicar.txt
|
||||
cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
|
||||
@@ -1547,15 +1546,58 @@ defense-evasion:
|
||||
command: |-
|
||||
$encryptedString = "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"
|
||||
$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
|
||||
|
||||
$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
|
||||
$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
|
||||
|
||||
#Write the decrypted eicar string to a file
|
||||
$decryptedString | out-file T1027.013_decryptedEicar.txt
|
||||
cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
- name: Password-Protected ZIP Payload Extraction and Execution
|
||||
auto_generated_guid: c2ca068a-eb1e-498f-9f93-3d554c455916
|
||||
description: |
|
||||
Extracts and executes a script from a password-protected ZIP archive.
|
||||
This technique is commonly used by malware families like Emotet and QBot to deliver payloads
|
||||
via email attachments where the password is provided in the message body.
|
||||
The encrypted ZIP evades static file analysis until extracted at runtime.
|
||||
Upon successful execution, displays confirmation and system information.
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
zip_password:
|
||||
description: Password used to protect the ZIP archive
|
||||
type: String
|
||||
default: infected
|
||||
dependency_executor_name: bash
|
||||
dependencies:
|
||||
- description: 'zip and unzip must be installed
|
||||
|
||||
'
|
||||
prereq_command: 'which zip && which unzip
|
||||
|
||||
'
|
||||
get_prereq_command: 'echo "Install zip and unzip using your package manager
|
||||
(apt-get, yum, or brew)"
|
||||
|
||||
'
|
||||
executor:
|
||||
command: |
|
||||
echo '#!/bin/bash' > /tmp/art_payload.sh
|
||||
echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
|
||||
echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
|
||||
echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
|
||||
echo 'uname -a' >> /tmp/art_payload.sh
|
||||
cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
|
||||
rm /tmp/art_payload.sh
|
||||
echo "Encrypted ZIP created. Extracting with password..."
|
||||
unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
|
||||
echo "Executing extracted payload:"
|
||||
bash /tmp/art_payload.sh
|
||||
cleanup_command: |
|
||||
rm -f /tmp/art_payload.sh
|
||||
rm -f /tmp/art_encrypted.zip
|
||||
name: bash
|
||||
T1014:
|
||||
technique:
|
||||
type: attack-pattern
|
||||
|
||||
@@ -1328,7 +1328,6 @@ defense-evasion:
|
||||
$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
|
||||
$bytes = [System.Convert]::FromBase64String($encodedString)
|
||||
$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
|
||||
|
||||
#write the decoded eicar string to file
|
||||
$decodedString | Out-File T1027.013_decodedEicar.txt
|
||||
cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
|
||||
@@ -1346,15 +1345,58 @@ defense-evasion:
|
||||
command: |-
|
||||
$encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
|
||||
$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
|
||||
|
||||
$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
|
||||
$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
|
||||
|
||||
#Write the decrypted eicar string to a file
|
||||
$decryptedString | out-file T1027.013_decryptedEicar.txt
|
||||
cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
- name: Password-Protected ZIP Payload Extraction and Execution
|
||||
auto_generated_guid: c2ca068a-eb1e-498f-9f93-3d554c455916
|
||||
description: |
|
||||
Extracts and executes a script from a password-protected ZIP archive.
|
||||
This technique is commonly used by malware families like Emotet and QBot to deliver payloads
|
||||
via email attachments where the password is provided in the message body.
|
||||
The encrypted ZIP evades static file analysis until extracted at runtime.
|
||||
Upon successful execution, displays confirmation and system information.
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
zip_password:
|
||||
description: Password used to protect the ZIP archive
|
||||
type: String
|
||||
default: infected
|
||||
dependency_executor_name: bash
|
||||
dependencies:
|
||||
- description: 'zip and unzip must be installed
|
||||
|
||||
'
|
||||
prereq_command: 'which zip && which unzip
|
||||
|
||||
'
|
||||
get_prereq_command: 'echo "Install zip and unzip using your package manager
|
||||
(apt-get, yum, or brew)"
|
||||
|
||||
'
|
||||
executor:
|
||||
command: |
|
||||
echo '#!/bin/bash' > /tmp/art_payload.sh
|
||||
echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
|
||||
echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
|
||||
echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
|
||||
echo 'uname -a' >> /tmp/art_payload.sh
|
||||
cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
|
||||
rm /tmp/art_payload.sh
|
||||
echo "Encrypted ZIP created. Extracting with password..."
|
||||
unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
|
||||
echo "Executing extracted payload:"
|
||||
bash /tmp/art_payload.sh
|
||||
cleanup_command: |
|
||||
rm -f /tmp/art_payload.sh
|
||||
rm -f /tmp/art_encrypted.zip
|
||||
name: bash
|
||||
T1014:
|
||||
technique:
|
||||
type: attack-pattern
|
||||
|
||||
@@ -1523,7 +1523,6 @@ defense-evasion:
|
||||
$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
|
||||
$bytes = [System.Convert]::FromBase64String($encodedString)
|
||||
$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
|
||||
|
||||
#write the decoded eicar string to file
|
||||
$decodedString | Out-File T1027.013_decodedEicar.txt
|
||||
cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
|
||||
@@ -1541,10 +1540,8 @@ defense-evasion:
|
||||
command: |-
|
||||
$encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
|
||||
$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
|
||||
|
||||
$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
|
||||
$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
|
||||
|
||||
#Write the decrypted eicar string to a file
|
||||
$decryptedString | out-file T1027.013_decryptedEicar.txt
|
||||
cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
|
||||
@@ -19688,6 +19685,22 @@ defense-evasion:
|
||||
|
||||
'
|
||||
name: command_prompt
|
||||
- name: Obfuscated PowerShell Command via Character Array
|
||||
auto_generated_guid: 6683baf0-6e77-4f58-b114-814184ea8150
|
||||
description: "Spawns a child PowerShell process using character array obfuscation.
|
||||
\nBoth the PowerShell binary name and executed command are constructed \nfrom
|
||||
ASCII values at runtime to evade string-based detection.\n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
$ps = [char[]](112,111,119,101,114,115,104,101,108,108)
|
||||
$cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
|
||||
& (-join $ps) "-Command" (-join $cmd)
|
||||
cleanup_command: |
|
||||
taskkill /f /im calculator.exe >nul 2>nul
|
||||
taskkill /f /im CalculatorApp.exe >nul 2>nul
|
||||
name: powershell
|
||||
T1556.006:
|
||||
technique:
|
||||
type: attack-pattern
|
||||
|
||||
@@ -18,6 +18,7 @@
|
||||
|
||||
- [Atomic Test #1: Decode Eicar File and Write to File](#atomic-test-1-decode-eicar-file-and-write-to-file)
|
||||
- [Atomic Test #2: Decrypt Eicar File and Write to File](#atomic-test-2-decrypt-eicar-file-and-write-to-file)
|
||||
- [Atomic Test #3: Password-Protected ZIP Payload Extraction and Execution](#atomic-test-3-password-protected-zip-payload-extraction-and-execution)
|
||||
|
||||
### Atomic Test #1: Decode Eicar File and Write to File
|
||||
|
||||
@@ -33,7 +34,6 @@ Decode the eicar value, and write it to file, for AV/EDR to try to catch.
|
||||
$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
|
||||
$bytes = [System.Convert]::FromBase64String($encodedString)
|
||||
$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
|
||||
|
||||
#write the decoded eicar string to file
|
||||
$decodedString | Out-File T1027.013_decodedEicar.txt
|
||||
```
|
||||
@@ -56,10 +56,8 @@ Decrypt the eicar value, and write it to file, for AV/EDR to try to catch.
|
||||
```powershell
|
||||
$encryptedString = "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"
|
||||
$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
|
||||
|
||||
$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
|
||||
$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
|
||||
|
||||
#Write the decrypted eicar string to a file
|
||||
$decryptedString | out-file T1027.013_decryptedEicar.txt
|
||||
```
|
||||
@@ -69,3 +67,60 @@ $decryptedString | out-file T1027.013_decryptedEicar.txt
|
||||
```powershell
|
||||
Just delete the resulting T1027.013_decryptedEicar.txt file.
|
||||
```
|
||||
### Atomic Test #3: Password-Protected ZIP Payload Extraction and Execution
|
||||
|
||||
Extracts and executes a script from a password-protected ZIP archive.
|
||||
This technique is commonly used by malware families like Emotet and QBot to deliver payloads
|
||||
via email attachments where the password is provided in the message body.
|
||||
The encrypted ZIP evades static file analysis until extracted at runtime.
|
||||
Upon successful execution, displays confirmation and system information.
|
||||
|
||||
**Supported Platforms:** Linux, macOS
|
||||
|
||||
**auto_generated_guid:** `c2ca068a-eb1e-498f-9f93-3d554c455916`
|
||||
|
||||
#### Inputs
|
||||
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| zip_password | Password used to protect the ZIP archive | String | infected|
|
||||
|
||||
#### Attack Commands: Run with `bash`!
|
||||
|
||||
```bash
|
||||
echo '#!/bin/bash' > /tmp/art_payload.sh
|
||||
echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
|
||||
echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
|
||||
echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
|
||||
echo 'uname -a' >> /tmp/art_payload.sh
|
||||
cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
|
||||
rm /tmp/art_payload.sh
|
||||
echo "Encrypted ZIP created. Extracting with password..."
|
||||
unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
|
||||
echo "Executing extracted payload:"
|
||||
bash /tmp/art_payload.sh
|
||||
```
|
||||
|
||||
#### Cleanup Commands
|
||||
|
||||
```bash
|
||||
rm -f /tmp/art_payload.sh
|
||||
rm -f /tmp/art_encrypted.zip
|
||||
```
|
||||
|
||||
#### Dependencies: Run with `bash`!
|
||||
|
||||
##### Description: zip and unzip must be installed
|
||||
|
||||
###### Check Prereq Commands
|
||||
|
||||
```bash
|
||||
which zip && which unzip
|
||||
```
|
||||
|
||||
###### Get Prereq Commands
|
||||
|
||||
```bash
|
||||
echo "Install zip and unzip using your package manager (apt-get, yum, or brew)"
|
||||
```
|
||||
|
||||
|
||||
@@ -37,6 +37,7 @@ atomic_tests:
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
- name: Password-Protected ZIP Payload Extraction and Execution
|
||||
auto_generated_guid: c2ca068a-eb1e-498f-9f93-3d554c455916
|
||||
description: |
|
||||
Extracts and executes a script from a password-protected ZIP archive.
|
||||
This technique is commonly used by malware families like Emotet and QBot to deliver payloads
|
||||
|
||||
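Review bot: The new test entry that starts at `- name: Password-Protected ZIP Payload Extraction and Execution` in this hunk reuses fixed paths without clearing them first; its executor continues past the hunk, but the same command is visible in the regenerated index and markdown hunks on this page. `zip -P ... art_encrypted.zip art_payload.sh` updates an existing archive rather than replacing it, and `unzip -P ... -o ... -d /tmp/` then extracts and overwrites every entry that archive holds, so a stale archive left by a failed run, or one placed there by another local user, changes what `bash /tmp/art_payload.sh` executes. Adding `rm -f /tmp/art_encrypted.zip /tmp/art_payload.sh` as the first command line and chaining the last two as `unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/ && bash /tmp/art_payload.sh` makes the test run only the script it just created. Whether a pre-existing symlink at those paths is followed depends on the host's sticky-directory symlink protection, which I cannot confirm from here, so a per-user directory would be safer still, though the separate cleanup_command would also need to know that path. Because this is the source atomic, the fix belongs here rather than in the generated index and markdown hunks that mirror it.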
@@ -24,6 +24,7 @@
|
||||
- [Atomic Test #8: Obfuscated Command Line using special Unicode characters](#atomic-test-8-obfuscated-command-line-using-special-unicode-characters)
|
||||
- [Atomic Test #9: Snake Malware Encrypted crmlog file](#atomic-test-9-snake-malware-encrypted-crmlog-file)
|
||||
- [Atomic Test #10: Execution from Compressed JScript File](#atomic-test-10-execution-from-compressed-jscript-file)
|
||||
- [Atomic Test #11: Obfuscated PowerShell Command via Character Array](#atomic-test-11-obfuscated-powershell-command-via-character-array)
|
||||
|
||||
### Atomic Test #1: Decode base64 Data into Script
|
||||
|
||||
@@ -334,3 +335,27 @@ Invoke-WebRequest "#{url_path}" -OutFile "PathToAtomicsFolder\..\ExternalPayload
|
||||
Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\T1027js.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\" -Force
|
||||
```
|
||||
|
||||
### Atomic Test #11: Obfuscated PowerShell Command via Character Array
|
||||
|
||||
Spawns a child PowerShell process using character array obfuscation.
|
||||
Both the PowerShell binary name and executed command are constructed
|
||||
from ASCII values at runtime to evade string-based detection.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
**auto_generated_guid:** `6683baf0-6e77-4f58-b114-814184ea8150`
|
||||
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
|
||||
```powershell
|
||||
$ps = [char[]](112,111,119,101,114,115,104,101,108,108)
|
||||
$cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
|
||||
& (-join $ps) "-Command" (-join $cmd)
|
||||
```
|
||||
|
||||
#### Cleanup Commands
|
||||
|
||||
```powershell
|
||||
taskkill /f /im calculator.exe >nul 2>nul
|
||||
taskkill /f /im CalculatorApp.exe >nul 2>nul
|
||||
```
|
||||
|
||||
@@ -247,6 +247,7 @@ atomic_tests:
|
||||
taskkill /f /im calculator.exe >nul 2>nul
|
||||
name: command_prompt
|
||||
- name: Obfuscated PowerShell Command via Character Array
|
||||
auto_generated_guid: 6683baf0-6e77-4f58-b114-814184ea8150
|
||||
description: |
|
||||
Spawns a child PowerShell process using character array obfuscation.
|
||||
Both the PowerShell binary name and executed command are constructed
|
||||
|
||||
@@ -1798,3 +1798,5 @@ a58c066d-f2f0-42a2-ab70-30af73f89e66
|
||||
f57cb283-c131-4e2f-8a6c-363d575748b2
|
||||
c7be89f7-5d06-4321-9f90-8676a77e0502
|
||||
4608bc1b-e682-466b-a7d7-dbd76760db31
|
||||
6683baf0-6e77-4f58-b114-814184ea8150
|
||||
c2ca068a-eb1e-498f-9f93-3d554c455916
|
||||
|
||||