From 2034b351903ca733d6473364e790e586dd9e0a2d Mon Sep 17 00:00:00 2001
From: rc-dbogle
Date: Thu, 9 Feb 2023 15:10:20 -0800
Subject: [PATCH] Added two new tests to T1548.001 Fixed minor typo in chmod command
---
 atomics/T1548.001/T1548.001.yaml | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/atomics/T1548.001/T1548.001.yaml b/atomics/T1548.001/T1548.001.yaml
index 152b4d9d..0a66abdf 100644
--- a/atomics/T1548.001/T1548.001.yaml
+++ b/atomics/T1548.001/T1548.001.yaml
@@ -42,7 +42,7 @@ atomic_tests:
 command: |
 sudo touch #{file_to_setuid}
 sudo chown root #{file_to_setuid}
- sudo chmod u+s #{file_to_setuid}
+ sudo chmod u+xs #{file_to_setuid}
 cleanup_command: |
 sudo rm #{file_to_setuid}
 name: sh
@@ -63,7 +63,7 @@ atomic_tests:
 command: |
 sudo touch #{file_to_setuid}
 sudo chown root #{file_to_setuid}
- sudo chmod g+s #{file_to_setuid}
+ sudo chmod g+xs #{file_to_setuid}
 cleanup_command: |
 sudo rm #{file_to_setuid}
 name: sh
@@ -111,3 +111,23 @@ atomic_tests:
 rm #{file_to_setcap}
 name: sh
 elevation_required: true
+- name: Do reconnaissance for files that have the setuid bit set
+ auto_generated_guid: 8e36da01-cd29-45fd-be72-8a0fcaad4481
+ description: |
+ This test simulates a command that can be run to enumerate files that have the setuid bit set
+ supported_platforms:
+ - linux
+ executor:
+ command: |
+ find /usr/bin -perm -4000
+ name: sh
+- name: Do reconnaissance for files that have the setgid bit set
+ auto_generated_guid: 3fb46e17-f337-4c14-9f9a-a471946533e2
+ description: |
+ This test simulates a command that can be run to enumerate files that have the setgid bit set
+ supported_platforms:
+ - linux
+ executor:
+ command: |
+ find /usr/bin -perm -2000
+ name: sh
\ No newline at end of file
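Review bot: The `u+s` → `u+xs` change on the chmod line is a behavioural fix rather than the "minor typo" the subject line calls it: the setuid bit is only honoured on an executable file, so without `x` the artifact the test leaves on disk is not the kind of file that setuid-abuse detections key on. The same applies to the `g+xs` change in the second hunk. It would help reviewers and users of the test to state this in the commit message and in the test's description field (which sits outside the hunk), or as a comment on the changed line such as `# x is required: the setuid bit has no effect on a non-executable file`. Between the `chmod` and `cleanup_command` steps the file is a root-owned setuid executable; it is created empty by `touch`, so its only purpose is to exist, but the cleanup step is what removes it and should stay mandatory.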
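Review bot: The two new tests' descriptions say they enumerate files with the setuid/setgid bit set, but each `find` only searches `/usr/bin`, and that path is hard-coded while the other tests in this file (see `#{file_to_setuid}` in the first hunk) take their paths via input arguments. Either narrow the description to say the search is limited to `/usr/bin`, or expose the search root as an input argument with `/usr/bin` as its default so the description stays accurate. The hunk also ends with `\ No newline at end of file`; the added final `name: sh` line should be newline-terminated so the file ends with exactly one newline. Both entries omit `elevation_required`, which the immediately preceding test sets explicitly — if the schema defaults it to false that is fine, but an explicit `elevation_required: false` would keep the entries consistent with their neighbour.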