2 New Atomic - npm installation and At execution (#3199)

Co-authored-by: Hare Sudhan <code@0x6c.dev>
2025-10-06 08:57:17 -07:00
parent e2115e52c0
commit 2006f34c95
2 changed files with 65 additions and 0 deletions
@@ -54,3 +54,37 @@ atomic_tests:
    elevation_required: false
    command: |-
      echo "#{at_command}" | at #{time_spec}
+- name: At - Schedule a job via kubectl in a Pod
+  description: |
+    Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+    and submits a job with `at`. The pod is deleted after execution.
+  supported_platforms:
+  - containers
+  input_arguments:
+    image_name:
+      description: Name of the image
+      type: string
+      default: ubuntu
+    pod_name:
+      description: K8s pod name to execute the command in
+      type: string
+      default: atomic-at-schedule
+    time_spec:
+      description: Time specification of when the command should run
+      type: string
+      default: now + 1 minute
+    at_command:
+      description: The command to be run
+      type: string
+      default: echo Hello from Atomic Red Team
+  dependencies:
+  - description: kubectl must be installed and configured
+    get_prereq_command: |
+      echo "kubectl must be installed manually"
+    prereq_command: |
+      which kubectl
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo '#{at_command}' | at #{time_spec} && at -l"
@@ -0,0 +1,31 @@
+attack_technique: T1195.002
+display_name: Compromise Software Supply Chain
+atomic_tests:
+- name: Simulate npm package installation on a Linux system
+  description: |
+    Launches a short‑lived Kubernetes pod using the Node 18 image, initializes a minimal npm project in /tmp/test, and installs the specified npm package without audit/fund/package‑lock options, simulating potentially suspicious package retrieval (e.g., typosquatting/dependency confusion) from within a container. The pod is deleted after execution.
+  supported_platforms:
+    - containers
+    - linux
+  input_arguments:
+    image_name:
+      description: Name of the image
+      type: string
+      default: node:18
+    pod_name:
+      description: Name of the pod
+      type: string
+      default: atomic-npm-install
+    package_name:
+      description: NPM package to install
+      type: string
+      default: tinycolor
+  dependencies:
+    - description: kubectl must be installed and configured
+      get_prereq_command: echo "kubectl must be installed"
+      prereq_command: which kubectl
+  executor:
+      name: bash
+      elevation_required: false
+      command: |
+        kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && echo '--- package.json before install ---' && cat package.json && npm install #{package_name} --no-audit --no-fund --no-package-lock && echo '--- package.json after install ---' && cat package.json"