Generated docs from job=generate-docs branch=master [ci skip]

This commit is contained in:
Atomic Red Team doc generator
2023-04-15 01:13:35 +00:00
parent 98ebdd67b3
commit c5b5aed916
10 changed files with 656 additions and 14 deletions
File diff suppressed because one or more lines are too long
+12
@@ -482,6 +482,9 @@ defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,Enable root account u
defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
defense-evasion,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
defense-evasion,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
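Review bot: the GUID column is the only stable key for the three added rows (02a91c34-…, d2b95631-…, 3d2cd093-…), and the same GUIDs are repeated verbatim in the privilege-escalation, persistence and initial-access hunks below, which is the expected output for a technique mapped to several tactics. Anyone consuming this index to drive test execution should key on the GUID rather than on Test #, because Test # is only unique within a technique and collides across techniques in the same hunk (Test 1 exists for both T1127 and T1574.012 here).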
@@ -679,6 +682,9 @@ privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root acco
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -976,6 +982,9 @@ persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using
persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
persistence,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
persistence,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
persistence,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
persistence,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
persistence,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
@@ -1566,6 +1575,9 @@ initial-access,T1078.003,Valid Accounts: Local Accounts,4,Enable root account us
initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
initial-access,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
Rendered CSV view of the hunks above (column header only; the rows duplicate the diff): Tactic, Technique #, Technique Name, Test #, Test Name, Test GUID, Executor Name.
@@ -98,6 +98,9 @@ defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,1,Bi
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,2,"Binary packed by UPX, with modified headers (linux)",f06197f8-ff46-48c2-a0c6-afc1b50665e1,sh
defense-evasion,T1036.006,Masquerading: Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,bash
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
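Review bot: the three added T1078.003 rows declare executor `bash`, while the surrounding Linux-only context rows (T1027.002, T1564.001) declare `sh`. If the commands behind "Create local account", "Reactivate a locked/expired account" and "Login as nobody" use only POSIX constructs, declaring `sh` in the source YAML would let them run on minimal images that ship without bash, and this generated index would pick the change up automatically. Not a blocker; just confirm the executor choice was deliberate.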
@@ -145,6 +148,9 @@ persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local
persistence,T1543.002,Create or Modify System Process: Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1543.002,Create or Modify System Process: Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
persistence,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
persistence,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
@@ -177,6 +183,9 @@ privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3
privilege-escalation,T1543.002,Create or Modify System Process: Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
privilege-escalation,T1543.002,Create or Modify System Process: Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
credential-access,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
@@ -302,6 +311,9 @@ execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python v
execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
execution,T1059.006,Command and Scripting Interpreter: Python,4,Python pty module and spawn function used to spawn sh or bash,161d694c-b543-4434-85c3-c3a433e33792,bash
execution,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,10,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
+12
@@ -694,6 +694,9 @@
- Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
- Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #10: Login as nobody (Linux) [linux]
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
- Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
@@ -1022,6 +1025,9 @@
- Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
- Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #10: Login as nobody (Linux) [linux]
- [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -1542,6 +1548,9 @@
- Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
- Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #10: Login as nobody (Linux) [linux]
- [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
@@ -2516,6 +2525,9 @@
- Atomic Test #5: Add a new/existing user to the admin group using dseditgroup utility - macOS [macos]
- Atomic Test #6: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Safetykatz [windows]
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #10: Login as nobody (Linux) [linux]
# exfiltration
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -178,7 +178,10 @@
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #10: Login as nobody (Linux) [linux]
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# collection
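Review bot: the removed placeholder `- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](...)` is correctly replaced by the linked entry `- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)` plus the three `[linux]` tests, matching how T1053.002 is rendered as a linked entry in the later hunks; the macOS and Windows tests #5–#7 for this technique are rightly absent from the Linux index. The hunks at 320, 389 and 717 show the same placeholder swap for the other three tactic sections, so the four sections stay consistent.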
@@ -320,7 +323,10 @@
- Atomic Test #2: At - Schedule a job [linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #10: Login as nobody (Linux) [linux]
# privilege-escalation
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -389,7 +395,10 @@
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #2: At - Schedule a job [linux]
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #10: Login as nobody (Linux) [linux]
# credential-access
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -717,7 +726,10 @@
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #8: Create local account (Linux) [linux]
- Atomic Test #9: Reactivate a locked/expired account (Linux) [linux]
- Atomic Test #10: Login as nobody (Linux) [linux]
# exfiltration
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+4 -4
@@ -20,7 +20,7 @@
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses](../../T1562/T1562.md) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -35,7 +35,7 @@
| | | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | [OS Credential Dumping: /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | [OS Credential Dumping: /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
@@ -51,7 +51,7 @@
| | | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) | | | | | | | |
| | | Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
@@ -80,5 +80,5 @@
| | | | | [Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | |
| | | | | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | |
| | | | | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+236
View File
@@ -27794,6 +27794,65 @@ defense-evasion:
safedump -consoleoutput -noninteractive
name: powershell
elevation_required: true
- name: Create local account (Linux)
auto_generated_guid: 02a91c34-8a5b-4bed-87af-501103eb5357
description: 'An adversary may wish to create an account with admin privileges
to work with. In this test we create a "art" user with the password art, switch
to art, execute whoami, exit and delete the art user.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
su art
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Reactivate a locked/expired account (Linux)
auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931
description: "A system administrator may have locked and expired a user account
rather than deleting it. \"the user is coming back, at some stage\" An adversary
may reactivate a inactive account in an attempt to appear legitimate. \n\nIn
this test we create a \"art\" user with the password art, lock and expire
the account, try to su to art and fail, unlock and renew the account, su successfully,
then delete the account.\n"
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
usermod --unlock art
usermod --expiredate "99999" art
su art
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Login as nobody (Linux)
auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85
description: 'An adversary may try to re-purpose a system account to appear
legitimate. In this test change the login shell of the nobody account, change
its password to nobody, su to nobody, exit, then reset nobody''s shell to
/usr/sbin/nologin.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nchsh
--shell /bin/bash nobody\nusermod --password $(openssl passwd -1 nobody)
nobody\nsu nobody\nwhoami\nexit\n"
cleanup_command: "chsh --shell /usr/sbin/nologin nobody\ncat /etc/passwd |grep
nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
T1211:
technique:
x_mitre_platforms:
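Review bot: the `su art` / `whoami` / `exit` sequence in the "Create local account (Linux)" command block (and the same pattern in the two entries below it) does not show a command running as the new user when the executor runs it non-interactively. `su art` spawns a new shell for art and waits on stdin; `whoami` and `exit` are not fed to that shell, they run in whichever shell regains control afterwards, so the recorded `whoami` is the elevated user, not art. `su art -c whoami` (or `su - art -c whoami` to pick up art's environment) does what the description says and needs no `exit`. This index is generated from the T1078.003 atomic YAML, so the fix belongs in that source file rather than here.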
@@ -43383,6 +43442,65 @@ privilege-escalation:
safedump -consoleoutput -noninteractive
name: powershell
elevation_required: true
- name: Create local account (Linux)
auto_generated_guid: 02a91c34-8a5b-4bed-87af-501103eb5357
description: 'An adversary may wish to create an account with admin privileges
to work with. In this test we create a "art" user with the password art, switch
to art, execute whoami, exit and delete the art user.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
su art
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Reactivate a locked/expired account (Linux)
auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931
description: "A system administrator may have locked and expired a user account
rather than deleting it. \"the user is coming back, at some stage\" An adversary
may reactivate a inactive account in an attempt to appear legitimate. \n\nIn
this test we create a \"art\" user with the password art, lock and expire
the account, try to su to art and fail, unlock and renew the account, su successfully,
then delete the account.\n"
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
usermod --unlock art
usermod --expiredate "99999" art
su art
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Login as nobody (Linux)
auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85
description: 'An adversary may try to re-purpose a system account to appear
legitimate. In this test change the login shell of the nobody account, change
its password to nobody, su to nobody, exit, then reset nobody''s shell to
/usr/sbin/nologin.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nchsh
--shell /bin/bash nobody\nusermod --password $(openssl passwd -1 nobody)
nobody\nsu nobody\nwhoami\nexit\n"
cleanup_command: "chsh --shell /usr/sbin/nologin nobody\ncat /etc/passwd |grep
nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
T1574.012:
technique:
x_mitre_platforms:
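Review bot: the "Reactivate a locked/expired account (Linux)" command block never attempts the failed `su` that its description promises between locking and unlocking, so nothing in the test demonstrates the account being rejected before it is reactivated; add a `su art -c whoami` right after `usermod --expiredate "1" art` (expected to fail) or drop that sentence. `--expiredate "1"` and `--expiredate "99999"` depend on usermod accepting a bare integer as days since 1970-01-01, which is obscure; the documented form is a `YYYY-MM-DD` date, and an empty string (`usermod --expiredate "" art`) is the documented way to clear the expiry. The description text also needs `a inactive` corrected to `an inactive` and the floating quote `"the user is coming back, at some stage"` folded into the sentence. This is the privilege-escalation copy of an entry the generator repeats per tactic; correct it once in the atomic source.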
@@ -68149,6 +68267,65 @@ persistence:
safedump -consoleoutput -noninteractive
name: powershell
elevation_required: true
- name: Create local account (Linux)
auto_generated_guid: 02a91c34-8a5b-4bed-87af-501103eb5357
description: 'An adversary may wish to create an account with admin privileges
to work with. In this test we create a "art" user with the password art, switch
to art, execute whoami, exit and delete the art user.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
su art
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Reactivate a locked/expired account (Linux)
auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931
description: "A system administrator may have locked and expired a user account
rather than deleting it. \"the user is coming back, at some stage\" An adversary
may reactivate a inactive account in an attempt to appear legitimate. \n\nIn
this test we create a \"art\" user with the password art, lock and expire
the account, try to su to art and fail, unlock and renew the account, su successfully,
then delete the account.\n"
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
usermod --unlock art
usermod --expiredate "99999" art
su art
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Login as nobody (Linux)
auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85
description: 'An adversary may try to re-purpose a system account to appear
legitimate. In this test change the login shell of the nobody account, change
its password to nobody, su to nobody, exit, then reset nobody''s shell to
/usr/sbin/nologin.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nchsh
--shell /bin/bash nobody\nusermod --password $(openssl passwd -1 nobody)
nobody\nsu nobody\nwhoami\nexit\n"
cleanup_command: "chsh --shell /usr/sbin/nologin nobody\ncat /etc/passwd |grep
nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
T1574.012:
technique:
x_mitre_platforms:
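Review bot: the "Login as nobody (Linux)" command and cleanup_command hard-code `/usr/sbin/nologin` and the `65534:65534:nobody:/nonexistent` line, which is the Debian/Ubuntu layout only; on Fedora/RHEL-family hosts the shell is `/sbin/nologin` (and older releases use uid 99), so the cleanup would leave nobody with a shell path that did not exist before the test. Capture the original shell first (`orig=$(getent passwd nobody | cut -d: -f7)`) and restore that in cleanup instead of a fixed path. `cat /etc/passwd | grep nobody` also matches any account whose line contains the substring and ignores non-file NSS sources; `getent passwd nobody` is the exact lookup.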
@@ -106273,6 +106450,65 @@ initial-access:
safedump -consoleoutput -noninteractive
name: powershell
elevation_required: true
- name: Create local account (Linux)
auto_generated_guid: 02a91c34-8a5b-4bed-87af-501103eb5357
description: 'An adversary may wish to create an account with admin privileges
to work with. In this test we create a "art" user with the password art, switch
to art, execute whoami, exit and delete the art user.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
su art
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Reactivate a locked/expired account (Linux)
auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931
description: "A system administrator may have locked and expired a user account
rather than deleting it. \"the user is coming back, at some stage\" An adversary
may reactivate a inactive account in an attempt to appear legitimate. \n\nIn
this test we create a \"art\" user with the password art, lock and expire
the account, try to su to art and fail, unlock and renew the account, su successfully,
then delete the account.\n"
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
usermod --unlock art
usermod --expiredate "99999" art
su art
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Login as nobody (Linux)
auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85
description: 'An adversary may try to re-purpose a system account to appear
legitimate. In this test change the login shell of the nobody account, change
its password to nobody, su to nobody, exit, then reset nobody''s shell to
/usr/sbin/nologin.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nchsh
--shell /bin/bash nobody\nusermod --password $(openssl passwd -1 nobody)
nobody\nsu nobody\nwhoami\nexit\n"
cleanup_command: "chsh --shell /usr/sbin/nologin nobody\ncat /etc/passwd |grep
nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
exfiltration:
T1567:
technique:
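Review bot: every one of the three Linux tests added here carries `elevation_required: true`, so none of them exercises initial access; they show what an adversary does with local root after access is already obtained. That is a consequence of the generator listing T1078.003 under each tactic the technique maps to rather than a defect in the tests, but the descriptions should say so (for example "assumes an existing root shell") so a reader running the initial-access view is not misled about what the test proves.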
+240 -4
View File
@@ -17462,7 +17462,66 @@ defense-evasion:
- Administrator
- User
identifier: T1078.003
atomic_tests: []
atomic_tests:
- name: Create local account (Linux)
auto_generated_guid: 02a91c34-8a5b-4bed-87af-501103eb5357
description: 'An adversary may wish to create an account with admin privileges
to work with. In this test we create a "art" user with the password art, switch
to art, execute whoami, exit and delete the art user.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
su art
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Reactivate a locked/expired account (Linux)
auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931
description: "A system administrator may have locked and expired a user account
rather than deleting it. \"the user is coming back, at some stage\" An adversary
may reactivate a inactive account in an attempt to appear legitimate. \n\nIn
this test we create a \"art\" user with the password art, lock and expire
the account, try to su to art and fail, unlock and renew the account, su successfully,
then delete the account.\n"
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
usermod --unlock art
usermod --expiredate "99999" art
su art
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Login as nobody (Linux)
auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85
description: 'An adversary may try to re-purpose a system account to appear
legitimate. In this test change the login shell of the nobody account, change
its password to nobody, su to nobody, exit, then reset nobody''s shell to
/usr/sbin/nologin.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nchsh
--shell /bin/bash nobody\nusermod --password $(openssl passwd -1 nobody)
nobody\nsu nobody\nwhoami\nexit\n"
cleanup_command: "chsh --shell /usr/sbin/nologin nobody\ncat /etc/passwd |grep
nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
T1211:
technique:
x_mitre_platforms:
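Review bot: the description of "Create local account (Linux)" claims the test creates "an account with admin privileges", but the `useradd --shell /bin/bash --create-home --password ... art` line creates an unprivileged user and nothing adds it to `sudo` or `wheel`. Either drop the phrase or add the group membership (`usermod -aG sudo art` on Debian-family hosts, `wheel` on RHEL-family) and note it in the description; `userdel -r art` in cleanup removes the membership along with the user, so no extra cleanup is needed. The surrounding `x_mitre_permissions_required` context lists `User` as sufficient, while all three added tests require elevation, which is another reason to state the precondition explicitly.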
@@ -28186,7 +28245,66 @@ privilege-escalation:
- Administrator
- User
identifier: T1078.003
atomic_tests: []
atomic_tests:
- name: Create local account (Linux)
auto_generated_guid: 02a91c34-8a5b-4bed-87af-501103eb5357
description: 'An adversary may wish to create an account with admin privileges
to work with. In this test we create a "art" user with the password art, switch
to art, execute whoami, exit and delete the art user.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
su art
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Reactivate a locked/expired account (Linux)
auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931
description: "A system administrator may have locked and expired a user account
rather than deleting it. \"the user is coming back, at some stage\" An adversary
may reactivate a inactive account in an attempt to appear legitimate. \n\nIn
this test we create a \"art\" user with the password art, lock and expire
the account, try to su to art and fail, unlock and renew the account, su successfully,
then delete the account.\n"
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
usermod --unlock art
usermod --expiredate "99999" art
su art
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Login as nobody (Linux)
auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85
description: 'An adversary may try to re-purpose a system account to appear
legitimate. In this test change the login shell of the nobody account, change
its password to nobody, su to nobody, exit, then reset nobody''s shell to
/usr/sbin/nologin.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nchsh
--shell /bin/bash nobody\nusermod --password $(openssl passwd -1 nobody)
nobody\nsu nobody\nwhoami\nexit\n"
cleanup_command: "chsh --shell /usr/sbin/nologin nobody\ncat /etc/passwd |grep
nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
T1574.012:
technique:
x_mitre_platforms:
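Review bot: "Create local account (Linux)" and "Reactivate a locked/expired account (Linux)" both create the same user `art`, so if the first test's `userdel -r art` cleanup did not run (for example because the interactive `su` was interrupted), the second test's `useradd` fails with an "already exists" error and the remaining `usermod` lines operate on the leftover account. Add a prerequisite check such as `id art >/dev/null 2>&1 && userdel -r art` before the `useradd`, or give the second test a distinct username.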
@@ -45425,7 +45543,66 @@ persistence:
- Administrator
- User
identifier: T1078.003
atomic_tests: []
atomic_tests:
- name: Create local account (Linux)
auto_generated_guid: 02a91c34-8a5b-4bed-87af-501103eb5357
description: 'An adversary may wish to create an account with admin privileges
to work with. In this test we create a "art" user with the password art, switch
to art, execute whoami, exit and delete the art user.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
su art
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Reactivate a locked/expired account (Linux)
auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931
description: "A system administrator may have locked and expired a user account
rather than deleting it. \"the user is coming back, at some stage\" An adversary
may reactivate a inactive account in an attempt to appear legitimate. \n\nIn
this test we create a \"art\" user with the password art, lock and expire
the account, try to su to art and fail, unlock and renew the account, su successfully,
then delete the account.\n"
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
usermod --unlock art
usermod --expiredate "99999" art
su art
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Login as nobody (Linux)
auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85
description: 'An adversary may try to re-purpose a system account to appear
legitimate. In this test change the login shell of the nobody account, change
its password to nobody, su to nobody, exit, then reset nobody''s shell to
/usr/sbin/nologin.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nchsh
--shell /bin/bash nobody\nusermod --password $(openssl passwd -1 nobody)
nobody\nsu nobody\nwhoami\nexit\n"
cleanup_command: "chsh --shell /usr/sbin/nologin nobody\ncat /etc/passwd |grep
nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
T1574.012:
technique:
x_mitre_platforms:
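Review bot: `openssl passwd -1` in all three command blocks produces an MD5-crypt hash; on hosts running in FIPS mode glibc's `crypt()` refuses MD5, so `su art` and `su nobody` fail there and the test reports a false negative. `openssl passwd -6` (SHA-512 crypt, available in OpenSSL 1.1.1 and later) matches what current distributions use and avoids the problem. The `$(openssl passwd ...)` substitution also places the hash in the `useradd`/`usermod` argument list, where it is visible to any local user through `/proc` while the command runs; harmless for a throwaway test password, but `chpasswd` reading from stdin is the cleaner pattern if the test is ever adapted to a real one.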
@@ -71522,7 +71699,66 @@ initial-access:
- Administrator
- User
identifier: T1078.003
atomic_tests: []
atomic_tests:
- name: Create local account (Linux)
auto_generated_guid: 02a91c34-8a5b-4bed-87af-501103eb5357
description: 'An adversary may wish to create an account with admin privileges
to work with. In this test we create a "art" user with the password art, switch
to art, execute whoami, exit and delete the art user.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
su art
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Reactivate a locked/expired account (Linux)
auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931
description: "A system administrator may have locked and expired a user account
rather than deleting it. \"the user is coming back, at some stage\" An adversary
may reactivate a inactive account in an attempt to appear legitimate. \n\nIn
this test we create a \"art\" user with the password art, lock and expire
the account, try to su to art and fail, unlock and renew the account, su successfully,
then delete the account.\n"
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: |
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
usermod --unlock art
usermod --expiredate "99999" art
su art
whoami
exit
cleanup_command: "userdel -r art \n"
- name: Login as nobody (Linux)
auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85
description: 'An adversary may try to re-purpose a system account to appear
legitimate. In this test change the login shell of the nobody account, change
its password to nobody, su to nobody, exit, then reset nobody''s shell to
/usr/sbin/nologin.
'
supported_platforms:
- linux
executor:
name: bash
elevation_required: true
command: "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nchsh
--shell /bin/bash nobody\nusermod --password $(openssl passwd -1 nobody)
nobody\nsu nobody\nwhoami\nexit\n"
cleanup_command: "chsh --shell /usr/sbin/nologin nobody\ncat /etc/passwd |grep
nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
exfiltration:
T1567:
technique:
+122
View File
@@ -20,6 +20,12 @@ Local Accounts may also be abused to elevate privileges and harvest credentials
- [Atomic Test #7 - WinPwn - Loot local Credentials - Safetykatz](#atomic-test-7---winpwn---loot-local-credentials---safetykatz)
- [Atomic Test #8 - Create local account (Linux)](#atomic-test-8---create-local-account-linux)
- [Atomic Test #9 - Reactivate a locked/expired account (Linux)](#atomic-test-9---reactivate-a-lockedexpired-account-linux)
- [Atomic Test #10 - Login as nobody (Linux)](#atomic-test-10---login-as-nobody-linux)
<br/>
@@ -257,4 +263,120 @@ safedump -consoleoutput -noninteractive
<br/>
<br/>
## Atomic Test #8 - Create local account (Linux)
An adversary may wish to create an account with admin privileges to work with. In this test we create a "art" user with the password art, switch to art, execute whoami, exit and delete the art user.
**Supported Platforms:** Linux
**auto_generated_guid:** 02a91c34-8a5b-4bed-87af-501103eb5357
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
su art
whoami
exit
```
#### Cleanup Commands:
```bash
userdel -r art
```
<br/>
<br/>
## Atomic Test #9 - Reactivate a locked/expired account (Linux)
A system administrator may have locked and expired a user account rather than deleting it. "the user is coming back, at some stage" An adversary may reactivate a inactive account in an attempt to appear legitimate.
In this test we create a "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.
**Supported Platforms:** Linux
**auto_generated_guid:** d2b95631-62d7-45a3-aaef-0972cea97931
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
usermod --unlock art
usermod --expiredate "99999" art
su art
whoami
exit
```
#### Cleanup Commands:
```bash
userdel -r art
```
<br/>
<br/>
## Atomic Test #10 - Login as nobody (Linux)
An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin.
**Supported Platforms:** Linux
**auto_generated_guid:** 3d2cd093-ee05-41bd-a802-59ee5c301b85
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
cat /etc/passwd |grep nobody
# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
chsh --shell /bin/bash nobody
usermod --password $(openssl passwd -1 nobody) nobody
su nobody
whoami
exit
```
#### Cleanup Commands:
```bash
chsh --shell /usr/sbin/nologin nobody
cat /etc/passwd |grep nobody
# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
```
<br/>
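Review bot: the Cleanup Commands for Atomic Test #10 restore the login shell but do not undo the `usermod --password $(openssl passwd -1 nobody) nobody` line, so after cleanup the host still has the `nobody` system account with the password `nobody`; any later change that gives it a shell (a service install, another `chsh`) makes it a usable login. Add `usermod --lock nobody` (or `usermod --password '*' nobody` to put the shadow field back to a non-matching value) to the cleanup block. For the same reason, the attack block should be written so an interrupted run cannot leave `nobody` with both a shell and a password: perform the `su nobody -c whoami` and restore the shell in the same command sequence rather than relying on the separate cleanup step.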