
Quark types

Adam Mashinchi edited this page Feb 24, 2022 · 3 revisions

A list of available quark types with examples.


chmod, fchmod, fchmodat

Change the access permissions of a file.

Usage

"chmod" : { "path" : "<file>", "mode" : "<mode>" }

Details

  • mode must be an octal-formatted string (for example "600"), not a number.

Example atom

{
    "name" : "CHMOD-EXISTING-FILE",
    "chmod" : { "path" : "/tmp/cr.path.test", "mode" : "600" },
    "fchmod" : { "path" : "/tmp/cr.descriptor.test", "mode" : "060" },
    "fchmodat" : { "path" : "/tmp/cr.at.test", "mode" : "606"  }
}

chown, fchown, fchownat, lchown

Change the ownership of a file.

Usage

"chown" : { "path" : "<path>", "user" : "<user>", "group" : "<group>" }

Details

  • user and group are strings, each holding either a valid user/group name or a numeric UID/GID (the example mixes both: user "1000", group "nogroup").
  • You might need elevated permissions (CAP_CHOWN, in practice root) to change file ownership.

Example atom

{
    "name" : "CHOWN-EXISTING-FILE",
    "chown" : { "path" : "/tmp/cr.path.test", "user" : "1000", "group" : "nogroup" },
    "fchown" : { "path" : "/tmp/cr.descriptor.test", "user" : "1000", "group" : "nogroup"  },
    "fchownat" : { "path" : "/tmp/cr.at.test", "user" : "1000", "group" : "nogroup"  },
    "lchown" : { "path" : "/tmp/cr.link.test", "user" : "1000", "group" : "nogroup"  }
}

connect

Establish a network connection and send 512 random bytes.

Usage

"connect" : { "method": "<method>", "protocol": "<protocol>", "address": "<address>", "port": <port> }

Details

  • method must be socketcall or syscall.
    • socketcall uses the socketcall ABI.
    • syscall uses the socket, connect, and send system calls for TCP connections, and the socket and sendto system calls for UDP connections.
  • protocol must be tcp4, tcp6, udp4, or udp6.
  • address must be a DNS name, an IPv4 address, or an IPv6 address.
  • port must be a valid port number.

Example atom

{
    "name" : "C2-BEACON",
    "fork-and-rename" : [ "crontab" ],
    "connect" : { "method": "socketcall", "protocol": "tcp4", "address": "google.com", "port": 443 }
}

copy

Copy a file.

Usage

"copy" : [ "<file>", "<destination>" ]

Details

  • If destination exists, the reaction overwrites it.
  • copy can't operate on directories.

Example atom

{
    "name" : "LINUX-SHM-DIR-EXECUTION",
    "copy" : [ "/proc/self/exe", "/dev/shm/chain_reactor" ],
    "execve" : [ "/dev/shm/chain_reactor", "exit" ],
    "remove" : [ "/dev/shm/chain_reactor" ]
}

execve, execveat

Execute a program with command-line arguments.

Usage

"execve" : [ "<program>", "<arg1>", "<arg2>", ..., "<argN>" ]

Details

  • Chain Reactor searches PATH for program, so a bare name such as whois works without a full path.
  • Chain Reactor redirects the standard input, output, and error to /dev/null.
  • The reaction pauses until the process created by execve or execveat terminates.
  • Note: execveat requires Linux kernel version 3.19 or higher.

Example atom

{
    "name" : "NIX-WHOIS-TRANSFER",
    "execve" : [ "whois", "-h", "redcanary.com", "-p", "443", "iioo" ],
    "execveat" : [ "whois", "-h", "redcanary.com", "-p", "443", "iioo" ]
}

file-append

Append data to an existing file.

Usage

"file-append" : { "path" : "<file>", "data" : "<payload>", "backup-and-revert" : <boolean> }

Details

  • payload can be a string or a path to a file.
    • If payload is a string, all escape sequences are converted to binary.
    • Any files included as part of the payload are read at compilation time and baked into the reaction executable.
  • If backup-and-revert is true, Chain Reactor creates a backup of the file at path before appending and restores the file from that backup afterwards.

Example atom

{
    "name" : "PERSIST_CRONTAB",
    "file-append" : { "path" : "/etc/crontab", "data" : "\n1 *\t* * *\troot   /var/www/malware-r-us/userkit\n", "backup-and-revert" : true }
}

file-create

Create a file with data.

Usage

"file-create" : { "path" : "<file>", "data" : "<payload>", "backup-and-revert" : <boolean> }

Details

  • payload can be a string or a path to a file.
    • If payload is a string, all escape sequences are converted to binary.
    • Any files included as part of the payload are read at compilation time and baked into the reaction executable.
  • If path already exists, file-create truncates and overwrites it.
  • If backup-and-revert is true, Chain Reactor creates a backup of the file at path before writing and restores the file from that backup afterwards.

Example atom

{
    "name" : "TOUCH-TMP-TRUNCATE-IF-EXISTS",
    "file-create" : { "path" : "/tmp/cr.test", "data" : "Hello World!\n", "backup-and-revert" : false },
    "file-create" : { "path" : "/etc/passwd", "data" : "/etc/passwd", "backup-and-revert" : true }
}

file-touch

Create an empty file.

Usage

"file-touch" : { "path" : "<file>" }

Details

  • If file already exists, file-touch does nothing.

Example atom

{
    "name" : "TOUCH-TMP-NEW-FILE",
    "file-touch" : { "path" : "/tmp/cr.test" }
}

fork-and-rename

Execute Chain Reactor under a different name.

Usage

"fork-and-rename" : [ "<name>", "<arg1>", "<arg2>", ..., "<argN>" ]

Details

  • The reaction creates a new process, copies the Chain Reactor executable to a temporary directory, and runs the executable as name.
  • Subsequent quarks execute in the new process.
  • You can use fork-and-rename repeatedly to create multiple child processes.

Example atom

{
    "name" : "NIX-WHOIS-TRANSFER-FAKE",
    "fork-and-rename" : [ "whois", "-h", "redcanary.com", "-p", "443", "iioo" ],
    "connect" : { "method": "socketcall", "protocol": "tcp4", "address": "redcanary.com", "port": 443 }
}

listen

Listen for a network connection.

Usage

"listen" : { "method": "<method>", "protocol": "<protocol>", "address": "<address>", "port": <port> }

Details

  • Chain Reactor forks and performs an implicit connect to its own listener, so the quark simulates a complete network connection without an external client.
  • You might need elevated permissions to listen for a network connection (for example, binding a port below 1024 requires root or CAP_NET_BIND_SERVICE).
  • method must be socketcall or syscall.
    • socketcall uses the socketcall ABI.
    • syscall uses the socket, bind, listen, accept4, and recv system calls for TCP connections, and the socket, bind, and recv system calls for UDP connections.
  • protocol must be tcp4, tcp6, udp4, or udp6.
  • address must be the wildcard address (0.0.0.0 or ::/0) or the loopback address (127.0.0.1 or ::1/128).
  • port must be a valid port number.

Example atom

{
    "name" : "C2-BIND",
    "fork-and-rename" : [ "crontab" ],
    "listen" : { "method": "socketcall", "protocol": "udp4", "address": "0.0.0.0", "port": 443 }
}

remove

Delete any number of files or directories.

Usage

"remove" : [ "<path1>", "<path2>", ..., "<pathN>" ]

Details

  • remove doesn't generate errors, so a missing or undeletable path doesn't stop the reaction.
  • Caution: Deletion is permanent, and remove has no backup-and-revert option. Exercise the same caution with remove as with rm -rf.

Example atom

{
    "name" : "LINUX-SHM-DIR-EXECUTION",
    "copy" : [ "/proc/self/exe", "/dev/shm/chain_reactor" ],
    "execve" : [ "/dev/shm/chain_reactor", "exit" ],
    "remove" : [ "/dev/shm/chain_reactor" ]
}
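Because remove is silent and permanent, and the file-create and file-append examples above write to /etc/passwd and /etc/crontab, it is worth listing every path an atoms file touches before compiling it. The Python script below is an added example, not part of Chain Reactor: it walks each atom in order and reports what it deletes, overwrites, appends to, creates, or re-permissions, and warns about irreversible changes under a constructed watch list of system path prefixes. It assumes the atoms file is a JSON array of atom objects (or a single atom), which this page doesn't state, and that the quark values already have the shapes documented here; the sample atoms at the bottom are constructed for the demonstration.

```python
"""List the filesystem side effects of a Chain Reactor atoms file before running it.
Added example, not part of Chain Reactor. Assumes a JSON array of atom objects (or a
single atom) whose quark values have the shapes documented on the quark-types page."""
import json

# Constructed watch list: irreversible changes under these prefixes get a warning.
SENSITIVE_PREFIXES = ("/etc/", "/boot/", "/bin/", "/sbin/", "/lib", "/usr/", "/var/spool/cron")
CHMOD = {"chmod", "fchmod", "fchmodat"}
CHOWN = {"chown", "fchown", "fchownat", "lchown"}


def _sensitive(path):
    return path == "/" or path.startswith(SENSITIVE_PREFIXES)


def inventory(text):
    """Return (effects, warnings). effects is a list of (atom, verb, path) tuples in
    reaction order; warnings lists irreversible changes to sensitive paths."""
    doc = json.loads(text)  # a quark key repeated inside one atom keeps only its last value here
    effects, warnings = [], []
    for atom in (doc if isinstance(doc, list) else [doc]):
        name = atom.get("name", "<unnamed>")
        for quark, val in atom.items():
            if quark == "remove":
                for path in val:
                    effects.append((name, "delete", path))
                    if _sensitive(path):
                        warnings.append(f"{name}: remove deletes {path} permanently (no backup, no error on failure)")
            elif quark == "copy":
                effects.append((name, "overwrite", val[1]))
                if _sensitive(val[1]):
                    warnings.append(f"{name}: copy overwrites {val[1]} with no backup")
            elif quark in ("file-create", "file-append"):
                verb = "overwrite" if quark == "file-create" else "append"
                effects.append((name, verb, val["path"]))
                if _sensitive(val["path"]) and not val.get("backup-and-revert"):
                    warnings.append(f"{name}: {quark} on {val['path']} without backup-and-revert")
            elif quark == "file-touch":
                effects.append((name, "create", val["path"]))
            elif quark in CHMOD:
                effects.append((name, f"chmod {val['mode']}", val["path"]))
            elif quark in CHOWN:
                effects.append((name, f"chown {val['user']}:{val['group']}", val["path"]))
    return effects, warnings


# Constructed sample: two atoms from the quark-types page plus two written for this demo.
SAMPLE_ATOMS = r'''[
  { "name" : "LINUX-SHM-DIR-EXECUTION",
    "copy" : [ "/proc/self/exe", "/dev/shm/chain_reactor" ],
    "execve" : [ "/dev/shm/chain_reactor", "exit" ],
    "remove" : [ "/dev/shm/chain_reactor" ] },
  { "name" : "PERSIST_CRONTAB",
    "file-append" : { "path" : "/etc/crontab", "data" : "\n1 *\t* * *\troot /tmp/cr.test\n", "backup-and-revert" : true } },
  { "name" : "CLOBBER-PASSWD",
    "file-create" : { "path" : "/etc/passwd", "data" : "/etc/passwd", "backup-and-revert" : false },
    "remove" : [ "/etc/cron.d/cr-test" ] },
  { "name" : "CHMOD-TMP", "chmod" : { "path" : "/tmp/cr.path.test", "mode" : "600" } }
]'''

if __name__ == "__main__":
    effects, warnings = inventory(SAMPLE_ATOMS)
    for atom, verb, path in effects:
        print(f"{atom:28} {verb:12} {path}")
    for warning in warnings:
        print("WARNING:", warning)
```

Run it against the real atoms file (`inventory(open("atoms.json").read())`) and review the WARNING lines before compiling; anything that lands there should either gain backup-and-revert or be moved to a scratch path.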

sleep

Sleep for a specified number of seconds.

Usage

"sleep" : <integer>

Example atom

{
    "name" : "SLEEP-FOR-TEN-SECONDS",
    "sleep" : 10
}
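The constraints in the Details sections above (octal mode strings for chmod, string user and group for chown, method, protocol and port for connect and listen, the fixed address list for listen, copy's two arguments, the argv arrays for execve, fork-and-rename and remove, the path, data and backup-and-revert fields for file-append and file-create, an integer for sleep) are easy to get wrong by hand, so a linter that checks them before the reaction is compiled is worth having. The script below is an added example, not Chain Reactor's own tooling. It also reports a quark key repeated within one atom, because a plain json.load() silently keeps only the last value; this page doesn't say how Chain Reactor's compiler treats such a repeat, so the linter lists it for review rather than assuming either behaviour. It assumes the atoms file is a JSON array of atom objects (or a single atom), which this page doesn't state, and the sample input is constructed.

```python
"""Lint a Chain Reactor atoms file against the quark constraints on the quark-types page.
Added example, not part of Chain Reactor's own tooling. Assumes the atoms file is a
JSON array of atom objects (or a single atom), which the page doesn't state."""
import json
import re

METHODS = {"socketcall", "syscall"}
PROTOCOLS = {"tcp4", "tcp6", "udp4", "udp6"}
LISTEN_ADDRS = {"0.0.0.0", "::/0", "127.0.0.1", "::1/128"}  # the four values documented above
CHMOD = {"chmod", "fchmod", "fchmodat"}
CHOWN = {"chown", "fchown", "fchownat", "lchown"}
ARGV = {"execve", "execveat", "fork-and-rename", "remove"}  # arrays of strings
FILE_DATA = {"file-append", "file-create"}

class _Obj(dict):
    """dict that also records keys the source object repeated (json.load alone keeps the last)."""
    def __init__(self, pairs):
        super().__init__()
        self.dups = []
        for key, value in pairs:
            if key in self:
                self.dups.append(key)
            self[key] = value

def _is_int(v, lo, hi):
    return isinstance(v, int) and not isinstance(v, bool) and lo <= v <= hi

def _strs(obj, *keys):
    return isinstance(obj, dict) and all(isinstance(obj.get(k), str) for k in keys)

def check_quark(key, val):
    """Return the list of problems for one quark; an empty list means it is valid."""
    errs = []
    if key in CHMOD:
        mode = val.get("mode") if isinstance(val, dict) else None
        if not (_strs(val, "path") and isinstance(mode, str) and re.fullmatch(r"[0-7]{3,4}", mode)):
            errs.append(f'{key}: needs a string path and an octal mode string such as "600", got mode {mode!r}')
    elif key in CHOWN:
        if not _strs(val, "path", "user", "group"):
            errs.append(f"{key}: path, user and group must all be strings")
    elif key in ("connect", "listen"):
        val = val if isinstance(val, dict) else {}
        if val.get("method") not in METHODS:
            errs.append(f"{key}: method must be socketcall or syscall")
        if val.get("protocol") not in PROTOCOLS:
            errs.append(f"{key}: protocol must be tcp4, tcp6, udp4 or udp6")
        if not isinstance(val.get("address"), str):
            errs.append(f"{key}: address must be a string")
        elif key == "listen" and val["address"] not in LISTEN_ADDRS:
            errs.append(f"listen: address must be one of {sorted(LISTEN_ADDRS)}")
        if not _is_int(val.get("port"), 1, 65535):
            errs.append(f"{key}: port must be an integer from 1 to 65535")
    elif key == "copy":
        if not (isinstance(val, list) and len(val) == 2 and all(isinstance(s, str) for s in val)):
            errs.append('copy: value must be [ "<file>", "<destination>" ]')
    elif key in ARGV:
        if not (isinstance(val, list) and val and all(isinstance(s, str) for s in val)):
            errs.append(f"{key}: value must be a non-empty array of strings")
    elif key in FILE_DATA:
        if not (_strs(val, "path", "data") and isinstance(val.get("backup-and-revert"), bool)):
            errs.append(f"{key}: needs string path, string data and boolean backup-and-revert")
    elif key == "file-touch":
        if not _strs(val, "path"):
            errs.append("file-touch: path must be a string")
    elif key == "sleep":
        if not _is_int(val, 0, 2**31 - 1):
            errs.append("sleep: value must be a non-negative integer")
    else:
        errs.append(f"unknown quark {key!r}")
    return errs

def lint_atoms(text):
    """Parse atoms JSON and return 'ATOM: problem' strings; [] means the file passes."""
    doc = json.loads(text, object_pairs_hook=_Obj)
    problems = []
    for atom in (doc if isinstance(doc, list) else [doc]):
        if not isinstance(atom, dict) or not isinstance(atom.get("name"), str):
            problems.append("<unnamed>: every atom must be an object with a string name")
            continue
        name = atom["name"]
        problems += [f"{name}: quark {d!r} appears more than once in this atom" for d in atom.dups]
        for key, val in atom.items():
            if key != "name":
                problems += [f"{name}: {p}" for p in check_quark(key, val)]
    return problems

# Constructed sample: the C2-BEACON atom from the page plus three deliberately broken atoms.
SAMPLE_ATOMS = r'''[
  { "name" : "C2-BEACON", "fork-and-rename" : [ "crontab" ],
    "connect" : { "method": "socketcall", "protocol": "tcp4", "address": "google.com", "port": 443 } },
  { "name" : "BAD-MODE", "chmod" : { "path" : "/tmp/cr.path.test", "mode" : 600 } },
  { "name" : "BAD-LISTEN",
    "listen" : { "method": "sockets", "protocol": "udp4", "address": "10.0.0.5", "port": 70000 } },
  { "name" : "DUP-QUARK", "file-create" : { "path" : "/tmp/a", "data" : "x", "backup-and-revert" : false },
    "file-create" : { "path" : "/tmp/b", "data" : "y", "backup-and-revert" : true } }
]'''

if __name__ == "__main__":
    for problem in lint_atoms(SAMPLE_ATOMS):
        print(problem)
```

The object_pairs_hook is the important design choice: json.load() with a default dict would have turned DUP-QUARK into a single file-create and reported nothing, and the same collapse would hide a typo that duplicates a key in a real atoms file.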