Generated docs from job=generate-docs branch=master [ci skip]

2022-06-26 00:13:54 +00:00
parent d0d95fe8ad
commit 96f7ca5f9b
6 changed files with 87 additions and 0 deletions
@@ -618,6 +618,7 @@ execution,T1059.004,Unix Shell,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-
 execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
+execution,T1059.006,Python,4,Python pty module and spawn function used to spawn sh or bash,161d694c-b543-4434-85c3-c3a433e33792,bash
 execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
 execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
@@ -277,6 +277,7 @@ execution,T1059.004,Unix Shell,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-
 execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
+execution,T1059.006,Python,4,Python pty module and spawn function used to spawn sh or bash,161d694c-b543-4434-85c3-c3a433e33792,bash
 execution,T1053.002,At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 initial-access,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
 exfiltration,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
@@ -1009,6 +1009,7 @@
  - Atomic Test #1: Execute shell script via python's command mode arguement [linux]
  - Atomic Test #2: Execute Python via scripts (Linux) [linux]
  - Atomic Test #3: Execute Python via Python executables (Linux) [linux]
+  - Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [linux]
 - T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
  - Atomic Test #1: Create and Execute Batch Script [windows]
@@ -834,6 +834,7 @@
  - Atomic Test #1: Execute shell script via python's command mode arguement [linux]
  - Atomic Test #2: Execute Python via scripts (Linux) [linux]
  - Atomic Test #3: Execute Python via Python executables (Linux) [linux]
+  - Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [linux]
 - T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1059.005 Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1151 Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -44968,6 +44968,43 @@ execution:
        cleanup_command: 'rm #{python_binary_name} #{python_script_name} #{payload_file_name}

          '
+    - name: Python pty module and spawn function used to spawn sh or bash
+      auto_generated_guid: 161d694c-b543-4434-85c3-c3a433e33792
+      description: 'ID T1059.006. Adversaries may abuse Python commands and scripts
+        for execution. Python is a very popular scripting/programming language, with
+        capabilities to perform many functions. Python can be executed interactively
+        from the command-line (via the python.exe interpreter) or via scripts (.py)
+        that can be written and distributed to different systems. Python code can
+        also be compiled into binary executables.Python comes with many built-in packages
+        to interact with the underlying system, such as file operations and device
+        I/O. Adversaries can use these libraries to download and execute commands
+        or other scripts as well as perform various malicious behaviors.Zero-Day Exploitation
+        of Atlassian Confluence [CVE-2022-26134] Unauthenticated RCE vulnerability
+        - Critical severity. As per Volexity, bash shells were launched by the Confluence
+        web application process. It had spawned a bash process which spawned a Python
+        process that in turn spawned a bash shell. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
+
+        '
+      supported_platforms:
+      - linux
+      dependencies:
+      - description: 'Verify if python is in the environment variable path and attempt
+          to import requests library.
+
+          '
+        prereq_command: "which_python=$(which python || which python3 || which python2);
+          $which_python -V\n$which_python -c 'import requests' 2>/dev/null; echo $?
+          \         \n"
+        get_prereq_command: 'pip install requests
+
+          '
+      executor:
+        command: |-
+          python -c "import pty;pty.spawn('/bin/sh')"
+          exit
+          python -c "import pty;pty.spawn('/bin/bash')"
+          exit
+        name: bash
  T1569:
    technique:
      x_mitre_platforms:
@@ -12,6 +12,8 @@ Python comes with many built-in packages to interact with the underlying system,

 - [Atomic Test #3 - Execute Python via Python executables (Linux)](#atomic-test-3---execute-python-via-python-executables-linux)

+- [Atomic Test #4 - Python pty module and spawn function used to spawn sh or bash](#atomic-test-4---python-pty-module-and-spawn-function-used-to-spawn-sh-or-bash)
+

 <br/>

@@ -198,4 +200,48 @@ pip install requests



+<br/>
+<br/>
+
+## Atomic Test #4 - Python pty module and spawn function used to spawn sh or bash
+ID T1059.006. Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.Zero-Day Exploitation of Atlassian Confluence [CVE-2022-26134] Unauthenticated RCE vulnerability - Critical severity. As per Volexity, bash shells were launched by the Confluence web application process. It had spawned a bash process which spawned a Python process that in turn spawned a bash shell. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 161d694c-b543-4434-85c3-c3a433e33792
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+python -c "import pty;pty.spawn('/bin/sh')"
+exit
+python -c "import pty;pty.spawn('/bin/bash')"
+exit
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: Verify if python is in the environment variable path and attempt to import requests library.
+##### Check Prereq Commands:
+```bash
+which_python=$(which python || which python3 || which python2); $which_python -V
+$which_python -c 'import requests' 2>/dev/null; echo $?
+```
+##### Get Prereq Commands:
+```bash
+pip install requests
+```
+
+
+
+
 <br/>