From 96f7ca5f9bfdd1c1c07b7e4629be0543d3bb709f Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Sun, 26 Jun 2022 00:13:54 +0000 Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/linux-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/linux-index.md | 1 + atomics/Indexes/index.yaml | 37 +++++++++++++++ atomics/T1059.006/T1059.006.md | 46 +++++++++++++++++++ 6 files changed, 87 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index c2ba1b23..482b0528 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -618,6 +618,7 @@ execution,T1059.004,Unix Shell,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d- execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh +execution,T1059.006,Python,4,Python pty module and spawn function used to spawn sh or bash,161d694c-b543-4434-85c3-c3a433e33792,bash execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index f48802bb..ffb5b9a9 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv 
@@ -277,6 +277,7 @@ execution,T1059.004,Unix Shell,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d- execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh +execution,T1059.006,Python,4,Python pty module and spawn function used to spawn sh or bash,161d694c-b543-4434-85c3-c3a433e33792,bash execution,T1053.002,At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh initial-access,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud exfiltration,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index b18ab96f..46af6a54 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1009,6 +1009,7 @@ - Atomic Test #1: Execute shell script via python's command mode arguement [linux] - Atomic Test #2: Execute Python via scripts (Linux) [linux] - Atomic Test #3: Execute Python via Python executables (Linux) [linux] + - Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [linux] - T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md) - Atomic Test #1: Create and Execute Batch Script [windows] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 7f5c835a..c396351c 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md 
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -834,6 +834,7 @@ - Atomic Test #1: Execute shell script via python's command mode arguement [linux] - Atomic Test #2: Execute Python via scripts (Linux) [linux] - Atomic Test #3: Execute Python via Python executables (Linux) [linux] + - Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [linux] - T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1059.005 Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1151 Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 7a05b3c3..3263a033 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -44968,6 +44968,43 @@ execution: cleanup_command: 'rm #{python_binary_name} #{python_script_name} #{payload_file_name} ' + - name: Python pty module and spawn function used to spawn sh or bash + auto_generated_guid: 161d694c-b543-4434-85c3-c3a433e33792 + description: 'ID T1059.006. Adversaries may abuse Python commands and scripts + for execution. Python is a very popular scripting/programming language, with + capabilities to perform many functions. Python can be executed interactively + from the command-line (via the python.exe interpreter) or via scripts (.py) + that can be written and distributed to different systems. Python code can + also be compiled into binary executables.Python comes with many built-in packages + to interact with the underlying system, such as file operations and device + I/O. Adversaries can use these libraries to download and execute commands + or other scripts as well as perform various malicious behaviors.Zero-Day Exploitation + of Atlassian Confluence [CVE-2022-26134] Unauthenticated RCE vulnerability + - Critical severity. As per Volexity, bash shells were launched by the Confluence + web application process. It had spawned a bash process which spawned a Python + process that in turn spawned a bash shell. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence + + ' + supported_platforms: + - linux + dependencies: + - description: 'Verify if python is in the environment variable path and attempt + to import requests library. + + ' + prereq_command: "which_python=$(which python || which python3 || which python2); + $which_python -V\n$which_python -c 'import requests' 2>/dev/null; echo $? + \ \n" + get_prereq_command: 'pip install requests + + ' + executor: + command: |- + python -c "import pty;pty.spawn('/bin/sh')" + exit + python -c "import pty;pty.spawn('/bin/bash')" + exit + name: bash T1569: technique: x_mitre_platforms: 
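Review bot: The `executor.command` block of the new T1059.006 entry (`python -c "import pty;pty.spawn('/bin/sh')"` followed by `exit`) will not behave as intended under an automated runner: the `exit` on the next line is executed by the outer `bash` only after Python returns, it is never typed into the spawned shell, so when stdin is not an interactive terminal the spawned `/bin/sh` sits on the pty waiting for input and the test is likely to hang, and when it is run from a terminal the `exit` then terminates the executor shell itself. Consider handing the spawned shell its command through `pty.spawn`'s argv instead, e.g. `python -c "import pty;pty.spawn(['/bin/sh','-c','exit'])"`, which still yields the bash -> python -> sh process chain the description cites from the Volexity report. Two further points in the same entry: the `prereq_command` ends with `echo $?`, so its exit status is always that of `echo` (0) and the dependency check can never fail, and it checks for the `requests` library, which this test does not use (`pty` is in the standard library); it also resolves `python3`/`python2` while the executor hard-codes `python`, so on a host that only ships `python3` the check passes and the attack command fails. Since this file is generated, those fixes belong in the atomic's own `atomics/T1059.006/T1059.006.yaml`, not in this commit.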
diff --git a/atomics/T1059.006/T1059.006.md b/atomics/T1059.006/T1059.006.md index 06cbfea2..0dd01c8c 100644 --- a/atomics/T1059.006/T1059.006.md +++ b/atomics/T1059.006/T1059.006.md @@ -12,6 +12,8 @@ Python comes with many built-in packages to interact with the underlying system, - [Atomic Test #3 - Execute Python via Python executables (Linux)](#atomic-test-3---execute-python-via-python-executables-linux) +- [Atomic Test #4 - Python pty module and spawn function used to spawn sh or bash](#atomic-test-4---python-pty-module-and-spawn-function-used-to-spawn-sh-or-bash) +
@@ -198,4 +200,48 @@ pip install requests +
+
+ +## Atomic Test #4 - Python pty module and spawn function used to spawn sh or bash +ID T1059.006. Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.Zero-Day Exploitation of Atlassian Confluence [CVE-2022-26134] Unauthenticated RCE vulnerability - Critical severity. As per Volexity, bash shells were launched by the Confluence web application process. It had spawned a bash process which spawned a Python process that in turn spawned a bash shell. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence + +**Supported Platforms:** Linux + + +**auto_generated_guid:** 161d694c-b543-4434-85c3-c3a433e33792 + + + + + + +#### Attack Commands: Run with `bash`! + + +```bash +python -c "import pty;pty.spawn('/bin/sh')" +exit +python -c "import pty;pty.spawn('/bin/bash')" +exit +``` + + + + +#### Dependencies: Run with `bash`! +##### Description: Verify if python is in the environment variable path and attempt to import requests library. +##### Check Prereq Commands: +```bash +which_python=$(which python || which python3 || which python2); $which_python -V +$which_python -c 'import requests' 2>/dev/null; echo $? +``` +##### Get Prereq Commands: +```bash +pip install requests +``` + + + +
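Review bot: The description under "Atomic Test #4" repeats the technique description that already heads this file, prefixed with a redundant "ID T1059.006.", and the copy has lost the spaces at "executables.Python" and "behaviors.Zero-Day"; it also refers to the "python.exe interpreter" although the test is Linux-only. Suggest cutting it down to what is specific to this test, i.e. that it spawns `/bin/sh` and `/bin/bash` through Python's `pty.spawn` to reproduce the bash -> python -> bash chain Volexity reported for CVE-2022-26134, with the reference link. In the "Dependencies" section, the text "attempt to import requests library" and the `pip install requests` getter do not match the attack commands, which only use the standard-library `pty` module, so the dependency can be reduced to checking that a Python interpreter is on the PATH. As with the YAML, these are generated lines, so the edits need to go into the source atomic rather than this file.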