Hare Sudhan 62a85c12b5 FreeBSD changes (#2585)
* freebsd changes

* renaming freebsd to linux
2023-11-06 17:41:43 -05:00

attack_technique: T1548.001
display_name: 'Abuse Elevation Control Mechanism: Setuid and Setgid'
atomic_tests:
- name: Make and modify binary from C source
  auto_generated_guid: 896dfe97-ae43-4101-8e96-9a7996555d80
  description: |
    Make, change owner, and change file attributes on a C source code file
  supported_platforms:
  - macos
  - linux
  input_arguments:
    payload:
      description: hello.c payload
      type: path
      default: PathToAtomicsFolder/T1548.001/src/hello.c
  executor:
    command: |
      cp #{payload} /tmp/hello.c
      sudo chown root /tmp/hello.c
      sudo make /tmp/hello
      sudo chown root /tmp/hello
      sudo chmod u+s /tmp/hello
      /tmp/hello
    cleanup_command: |
      sudo rm /tmp/hello
      sudo rm /tmp/hello.c
    name: sh
    elevation_required: true
- name: Make and modify binary from C source (freebsd)
  auto_generated_guid: dd580455-d84b-481b-b8b0-ac96f3b1dc4c
  description: |
    Make, change owner, and change file attributes on a C source code file
  supported_platforms:
  - linux
  input_arguments:
    payload:
      description: hello.c payload
      type: path
      default: PathToAtomicsFolder/T1548.001/src/hello.c
  executor:
    command: |
      cp #{payload} /tmp/hello.c
      chown root /tmp/hello.c
      make /tmp/hello
      chown root /tmp/hello
      chmod u+s /tmp/hello
      /tmp/hello
    cleanup_command: |
      rm /tmp/hello
      rm /tmp/hello.c
    name: sh
    elevation_required: true
- name: Set a SetUID flag on file
  auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79
  description: |
    This test sets the SetUID flag on a file in Linux and macOS.
  supported_platforms:
  - macos
  - linux
  input_arguments:
    file_to_setuid:
      description: Path of file to set SetUID flag
      type: path
      default: /tmp/evilBinary
  executor:
    command: |
      sudo touch #{file_to_setuid}
      sudo chown root #{file_to_setuid}
      sudo chmod u+xs #{file_to_setuid}
    cleanup_command: |
      sudo rm #{file_to_setuid}
    name: sh
    elevation_required: true
- name: Set a SetUID flag on file (freebsd)
  auto_generated_guid: 9be9b827-ff47-4e1b-bef8-217db6fb7283
  description: |
    This test sets the SetUID flag on a file in FreeBSD.
  supported_platforms:
  - linux
  input_arguments:
    file_to_setuid:
      description: Path of file to set SetUID flag
      type: path
      default: /tmp/evilBinary
  executor:
    command: |
      touch #{file_to_setuid}
      chown root #{file_to_setuid}
      chmod u+xs #{file_to_setuid}
    cleanup_command: |
      rm #{file_to_setuid}
    name: sh
    elevation_required: true
- name: Set a SetGID flag on file
  auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c
  description: |
    This test sets the SetGID flag on a file in Linux and macOS.
  supported_platforms:
  - macos
  - linux
  input_arguments:
    file_to_setuid:
      description: Path of file to set SetGID flag
      type: path
      default: /tmp/evilBinary
  executor:
    command: |
      sudo touch #{file_to_setuid}
      sudo chown root #{file_to_setuid}
      sudo chmod g+xs #{file_to_setuid}
    cleanup_command: |
      sudo rm #{file_to_setuid}
    name: sh
    elevation_required: true
- name: Set a SetGID flag on file (freebsd)
  auto_generated_guid: 1f73af33-62a8-4bf1-bd10-3bea931f2c0d
  description: |
    This test sets the SetGID flag on a file in FreeBSD.
  supported_platforms:
  - linux
  input_arguments:
    file_to_setuid:
      description: Path of file to set SetGID flag
      type: path
      default: /tmp/evilBinary
  executor:
    command: |
      touch #{file_to_setuid}
      chown root #{file_to_setuid}
      chmod g+xs #{file_to_setuid}
    cleanup_command: |
      rm #{file_to_setuid}
    name: sh
    elevation_required: true
- name: Make and modify capabilities of a binary
  auto_generated_guid: db53959c-207d-4000-9e7a-cd8eb417e072
  description: |
    Make and modify [capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) of a C source code file.
    The binary doesn't have to modify the UID, but the binary is given the capability to arbitrarily modify it at any time with `setuid(0)`.
    Without being owned by root, the binary can set the UID to 0.
  supported_platforms:
  - linux
  input_arguments:
    payload:
      description: cap.c payload
      type: path
      default: PathToAtomicsFolder/T1548.001/src/cap.c
  executor:
    command: |
      cp #{payload} /tmp/cap.c
      make /tmp/cap
      sudo setcap cap_setuid=ep /tmp/cap
      /tmp/cap
    cleanup_command: |
      rm /tmp/cap
      rm /tmp/cap.c
    name: sh
    elevation_required: true
- name: Provide the SetUID capability to a file
  auto_generated_guid: 1ac3272f-9bcf-443a-9888-4b1d3de785c1
  description: |
    This test gives a file the capability to set UID without using the SetUID flag.
  supported_platforms:
  - linux
  input_arguments:
    file_to_setcap:
      description: Path of file to provide the SetUID capability
      type: path
      default: /tmp/evilBinary
  executor:
    command: |
      touch #{file_to_setcap}
      sudo setcap cap_setuid=ep #{file_to_setcap}
    cleanup_command: |
      rm #{file_to_setcap}
    name: sh
    elevation_required: true
- name: Do reconnaissance for files that have the setuid bit set
  auto_generated_guid: 8e36da01-cd29-45fd-be72-8a0fcaad4481
  description: |
    This test simulates a command that can be run to enumerate files that have the setuid bit set.
  supported_platforms:
  - linux
  executor:
    command: |
      find /usr/bin -perm -4000
    name: sh
- name: Do reconnaissance for files that have the setgid bit set
  auto_generated_guid: 3fb46e17-f337-4c14-9f9a-a471946533e2
  description: |
    This test simulates a command that can be run to enumerate files that have the setgid bit set.
  supported_platforms:
  - linux
  executor:
    command: |
      find /usr/bin -perm -2000
    name: sh
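As a defender-side complement to the setuid/setgid, `setcap cap_setuid=ep` and `find -perm` tests above, here is an added audit script (not part of Atomic Red Team or this file) that walks a directory and reports regular files carrying the setuid or setgid mode bit or an effective cap_setuid file capability, decoding the `security.capability` xattr that `setcap` writes. The `build_demo` fixture and its file names are constructed for illustration only.

```python
import os, stat, struct, tempfile

CAP_SETUID = 7                       # capability number from <linux/capability.h>
VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # the "e" in "cap_setuid=ep"
VFS_CAP_REVISION_1 = 0x01000000      # revision 1 carries one u32 pair; revisions 2 and 3 carry two

def caps_from_xattr(blob):
    """Decode a security.capability xattr -> (permitted, inheritable, effective)."""
    magic_etc = struct.unpack_from("<I", blob, 0)[0]
    words = 1 if (magic_etc & 0xFF000000) == VFS_CAP_REVISION_1 else 2
    permitted = inheritable = 0
    for i in range(words):           # little-endian u32 pairs follow the 4-byte header
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return permitted, inheritable, bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)

def grants_setuid_cap(blob):
    """True when the xattr is what `setcap cap_setuid=ep` writes."""
    permitted, _, effective = caps_from_xattr(blob)
    return effective and bool((permitted >> CAP_SETUID) & 1)

def audit_tree(root):
    """Return sorted (path, reason) pairs for setuid/setgid and cap_setuid=ep files under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID:
                findings.append((path, "setuid"))
            if st.st_mode & stat.S_ISGID:
                findings.append((path, "setgid"))
            try:                     # reading the xattr is unprivileged on Linux
                if grants_setuid_cap(os.getxattr(path, "security.capability")):
                    findings.append((path, "cap_setuid=ep"))
            except (OSError, AttributeError):   # no capability set, no xattr support, non-Linux
                pass
    return sorted(findings)

def build_demo():
    """Constructed fixture: scratch dir with one setuid, one setgid and one plain file."""
    root = tempfile.mkdtemp(prefix="t1548_demo_")
    for name, mode in (("suid_bin", 0o4755), ("sgid_bin", 0o2755), ("plain", 0o755)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)         # setting these bits on your own file needs no root
    return root
```

Run `audit_tree("/usr/bin")` to get the same view as the two `find -perm` recon tests plus capability-granted binaries, which `find -perm` alone never shows.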