From 00972d1fc7cd0ef285234d6908f11b09b33f5f0b Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 2 Dec 2019 16:54:49 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1124/T1124.md | 2 +- atomics/T1136/T1136.md | 37 ++++++++++++++++++++++++++++--------- atomics/index.yaml | 36 +++++++++++++++++++++++++++--------- 3 files changed, 56 insertions(+), 19 deletions(-) diff --git a/atomics/T1124/T1124.md b/atomics/T1124/T1124.md index 27d4361a..04670a13 100644 --- a/atomics/T1124/T1124.md +++ b/atomics/T1124/T1124.md @@ -22,7 +22,7 @@ Identify the system time #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| computer_name | computer name to query | string | computer1| +| computer_name | computer name to query | string | localhost| #### Run it with `command_prompt`! ``` diff --git a/atomics/T1136/T1136.md b/atomics/T1136/T1136.md index 003ce30b..18e7d6de 100644 --- a/atomics/T1136/T1136.md +++ b/atomics/T1136/T1136.md @@ -39,12 +39,16 @@ Create a user via useradd | username | Username of the user to create | String | evil_user| | comment | Comment to record when creating the user | String | Evil Account| -#### Run it with `bash`! +#### Run it with `bash`! Elevation Required (e.g. root or admin) ``` -useradd -M -N -r -s /bin/bash -c "#{comment}" #{username} +useradd -M -N -r -s /bin/bash -c evil_account #{username} ``` +#### Cleanup Commands: +``` +userdel #{username} +```

@@ -61,7 +65,7 @@ Creates a user on a MacOS system with dscl | username | Username of the user to create | String | evil_user| | realname | 'realname' to record when creating the user | String | Evil Account| -#### Run it with `bash`! +#### Run it with `bash`! Elevation Required (e.g. root or admin) ``` dscl . -create /Users/#{username} dscl . -create /Users/#{username} UserShell /bin/bash @@ -72,6 +76,10 @@ dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username} ``` +#### Cleanup Commands: +``` +dscl . -delete /Users/#{username} +```

@@ -85,14 +93,18 @@ Creates a new user in a command prompt #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| username | Username of the user to create | String | Evil Account| +| username | Username of the user to create | String | T1136_CMD| #### Run it with `command_prompt`! Elevation Required (e.g. root or admin) ``` -net user /add #{username} +net user /add "#{username}" ``` +#### Cleanup Commands: +``` +net user /del "#{username}" +```

@@ -106,15 +118,18 @@ Creates a new user in PowerShell #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| username | Username of the user to create | String | Evil Account| +| username | Username of the user to create | String | T1136_PowerShell| #### Run it with `powershell`! Elevation Required (e.g. root or admin) ``` -New-LocalUser -Name #{username} -NoPassword -net user /add #{username} +New-LocalUser -Name "#{username}" -NoPassword ``` +#### Cleanup Commands: +``` +Remove-LocalUser -Name "#{username}" +```

@@ -131,12 +146,16 @@ Creates a new user in Linux and adds the user to the `root` group. This techniqu | username | Username of the user to create | String | butter| | password | Password of the user to create | String | BetterWithButter| -#### Run it with `bash`! +#### Run it with `bash`! Elevation Required (e.g. root or admin) ``` useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username} echo "#{password}" | passwd --stdin #{username} ``` +#### Cleanup Commands: +``` +userdel #{username} +```
diff --git a/atomics/index.yaml b/atomics/index.yaml index c072ea49..92d07922 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -1302,7 +1302,11 @@ persistence: default: Evil Account executor: name: bash - command: 'useradd -M -N -r -s /bin/bash -c "#{comment}" #{username} + elevation_required: true + command: 'useradd -M -N -r -s /bin/bash -c evil_account #{username} + +' + cleanup_command: 'userdel #{username} ' - name: Create a user account on a MacOS system @@ -1322,6 +1326,7 @@ persistence: default: Evil Account executor: name: bash + elevation_required: true command: | dscl . -create /Users/#{username} dscl . -create /Users/#{username} UserShell /bin/bash @@ -1329,6 +1334,9 @@ persistence: dscl . -create /Users/#{username} UniqueID "1010" dscl . -create /Users/#{username} PrimaryGroupID 80 dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username} + cleanup_command: 'dscl . -delete /Users/#{username} + +' - name: Create a new user in a command prompt description: 'Creates a new user in a command prompt @@ -1339,11 +1347,14 @@ persistence: username: description: Username of the user to create type: String - default: Evil Account + default: T1136_CMD executor: name: command_prompt elevation_required: true - command: 'net user /add #{username} + command: 'net user /add "#{username}" + +' + cleanup_command: 'net user /del "#{username}" ' - name: Create a new user in PowerShell 
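Review bot: In the `@@ -1302,7 +1302,11 @@` hunk the new `command` hard-codes `-c evil_account`, yet the `comment` input is still declared (context line `default: Evil Account` immediately above the executor), so that input is now dead and the recorded comment no longer matches the documented default. The same mismatch appears in the T1136.md hunk earlier on this page, where the Inputs table still lists `comment`. Because index.yaml and the .md files are generated, the fix presumably belongs in the source atomic definition for T1136, which is not on this page: either restore `command: 'useradd -M -N -r -s /bin/bash -c "#{comment}" #{username}'` or drop the `comment` input entirely. An input that nothing references makes the test harder to audit, since a reader will assume the value takes effect.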
@@ -1356,13 +1367,16 @@ persistence: username: description: Username of the user to create type: String - default: Evil Account + default: T1136_PowerShell executor: name: powershell elevation_required: true - command: | - New-LocalUser -Name #{username} -NoPassword - net user /add #{username} + command: 'New-LocalUser -Name "#{username}" -NoPassword + +' + cleanup_command: 'Remove-LocalUser -Name "#{username}" + +' - name: Create a new user in Linux with `root` UID and GID. description: 'Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. @@ -1381,9 +1395,13 @@ persistence: default: BetterWithButter executor: name: bash - command: |- + elevation_required: true + command: | useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username} echo "#{password}" | passwd --stdin #{username} + cleanup_command: 'userdel #{username} + +' T1038: technique: x_mitre_permissions_required: @@ -17981,7 +17999,7 @@ discovery: computer_name: description: computer name to query type: string - default: computer1 + default: localhost executor: name: command_prompt elevation_required: false