Hare Sudhan
131 lines
4.9 KiB
YAML
131 lines
4.9 KiB
YAML
attack_technique: T1546.004
|
|
display_name: 'Event Triggered Execution: .bash_profile .bashrc and .shrc'
|
|
atomic_tests:
|
|
- name: Add command to .bash_profile
|
|
auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f
|
|
description: |
|
|
Adds a command to the .bash_profile file of the current user
|
|
supported_platforms:
|
|
- macos
|
|
- linux
|
|
input_arguments:
|
|
command_to_add:
|
|
description: Command to add to the .bash_profile file
|
|
type: string
|
|
default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004
|
|
executor:
|
|
command: |
|
|
echo '#{command_to_add}' >> ~/.bash_profile
|
|
cleanup_command: |
|
|
head -n '-2' ~/.bash_profile > /tmp/T1546.004
|
|
mv /tmp/T1546.004 ~/.bash_profile
|
|
name: sh
|
|
- name: Add command to .bashrc
|
|
auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f
|
|
description: |
|
|
Adds a command to the .bashrc file of the current user
|
|
supported_platforms:
|
|
- macos
|
|
- linux
|
|
input_arguments:
|
|
command_to_add:
|
|
description: Command to add to the .bashrc file
|
|
type: string
|
|
default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004
|
|
executor:
|
|
command: |
|
|
echo '#{command_to_add}' >> ~/.bashrc
|
|
cleanup_command: |
|
|
head -n '-2' ~/.bashrc > /tmp/T1546.004
|
|
mv /tmp/T1546.004 ~/.bashrc
|
|
name: sh
|
|
- name: Add command to .shrc
|
|
auto_generated_guid: 41502021-591a-4649-8b6e-83c9192aff53
|
|
description: |
|
|
Adds a command to the .shrc file of the current user
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
command_to_add:
|
|
description: Command to add to the .shrc file
|
|
type: string
|
|
default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004
|
|
executor:
|
|
command: |
|
|
echo '#{command_to_add}' >> ~/.shrc
|
|
cleanup_command: |
|
|
head -n '-2' ~/.shrc > /tmp/T1546.004
|
|
mv /tmp/T1546.004 ~/.shrc
|
|
name: sh
|
|
- name: Append to the system shell profile
|
|
auto_generated_guid: 694b3cc8-6a78-4d35-9e74-0123d009e94b
|
|
description: |
|
|
An adversary may wish to establish persistence by executing malicious commands from the systems /etc/profile every time "any" user logs in.
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
text_to_append:
|
|
description: Text to append to the /etc/profile file
|
|
type: string
|
|
default: "# Hello from Atomic Red Team T1546.004"
|
|
executor:
|
|
elevation_required: true
|
|
name: sh
|
|
command: |
|
|
echo '#{text_to_append}' >> /etc/profile
|
|
cleanup_command: |
|
|
sed -i "s/# Atomic Red Team was here! T1546.004//" /etc/profile
|
|
- name: Append commands user shell profile
|
|
auto_generated_guid: bbdb06bc-bab6-4f5b-8232-ba3fbed51d77
|
|
description: |
|
|
An adversary may wish to establish persistence by executing malicious commands from the users ~/.profile every time the "user" logs in.
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
text_to_append:
|
|
description: Text to append to the ~/.profile file
|
|
type: string
|
|
default: "# Atomic Red Team was here... T1546.004"
|
|
executor:
|
|
elevation_required: false
|
|
name: sh
|
|
command: |
|
|
echo '#{text_to_append}' >> ~/.profile
|
|
cleanup_command: |
|
|
sed -i "s/# Atomic Red Team was here... T1546.004//" ~/.profile
|
|
- name: System shell profile scripts
|
|
auto_generated_guid: 8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4
|
|
description: |
|
|
An adversary may wish to establish persistence by adding commands into any of the script files in the /etc/profile.d/ directory, which are executed every time "any" user logs in.
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
text_to_append:
|
|
description: Text to append to the /etc/profile.d/bash_completion.sh file
|
|
type: string
|
|
default: "# Atomic Red Team was here... T1546.004"
|
|
executor:
|
|
elevation_required: true
|
|
name: sh
|
|
command: |
|
|
echo '#{text_to_append}' >> /etc/profile.d/bash_completion.sh
|
|
cleanup_command: |
|
|
sed -i "s/# Atomic Red Team was here... T1546.004//" /etc/profile.d/bash_completion.sh
|
|
- name: Create/Append to .bash_logout
|
|
auto_generated_guid: 37ad2f24-7c53-4a50-92da-427a4ad13f58
|
|
description: |
|
|
The Bash shell runs ~/.bash_logout "if it exists" to run commands on user logout. An adversary may create or append to a .bash_logout to clear history, start processes etc. Note the ~/.bash_logout is only run if you explicitly exit or log out of an "interactive login shell session" i.e. via the console, SSH, /bin/bash -l or su -l <username>.
|
|
|
|
This test creates the art user, logs in, creates a .bash_logout which will echo some text into the art.txt file on logout and logs out and the /home/art/art.txt is created.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: bash
|
|
elevation_required: true
|
|
command: |
|
|
useradd --create-home --shell /bin/bash art
|
|
su --login art
|
|
echo 'echo "Atomic Red Team was here... T1546.004" >> $HOME/art.txt' >> $HOME/.bash_logout
|
|
cleanup_command: |
|
|
userdel -fr art
|