Generated docs from job=generate-docs branch=master [ci skip]

2023-06-16 03:55:19 +00:00
parent 6ce797c851
commit 0f229c0e42
10 changed files with 129 additions and 5 deletions
@@ -296,6 +296,7 @@ defense-evasion,T1550.003,Use Alternate Authentication Material: Pass the Ticket
 defense-evasion,T1550.003,Use Alternate Authentication Material: Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
+defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,3,linux rename /proc/pid/comm using prctl,f0e3aaea-5cd9-4db6-a077-631dd19b27a8,sh
 defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 defense-evasion,T1647,Plist File Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
@@ -72,6 +72,7 @@ defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
 defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
 defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
+defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,3,linux rename /proc/pid/comm using prctl,f0e3aaea-5cd9-4db6-a077-631dd19b27a8,sh
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
@@ -409,6 +409,7 @@
 - [T1036.004 Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md)
  - Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
  - Atomic Test #2: Creating W32Time similar named service using sc [windows]
+  - Atomic Test #3: linux rename /proc/pid/comm using prctl [linux]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
  - Atomic Test #1: Process Injection via C# [windows]
 - [T1647 Plist File Modification](../../T1647/T1647.md)
@@ -117,7 +117,8 @@
 - T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.004 Masquerading: Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1036.004 Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md)
+  - Atomic Test #3: linux rename /proc/pid/comm using prctl [linux]
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -45,7 +45,7 @@
 |  |  | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
 |  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  |  | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Masquerading: Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
+|  |  | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
 |  |  | Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) |  | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md) |  | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -15836,6 +15836,39 @@ defense-evasion:
          '
        name: command_prompt
        elevation_required: true
+    - name: linux rename /proc/pid/comm using prctl
+      auto_generated_guid: f0e3aaea-5cd9-4db6-a077-631dd19b27a8
+      description: 'Runs a C program that calls prctl(PR_SET_NAME) to modify /proc/pid/comm
+        value to "totally_legit".  This will show up as process name in simple ''ps''
+        listings.
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        exe_path:
+          description: Output Binary Path
+          type: path
+          default: "/tmp/T1036_004_prctl_rename"
+      dependency_executor_name: sh
+      dependencies:
+      - description: "#{exe_path} must be exist on system.\n"
+        prereq_command: 'stat #{exe_path}
+
+          '
+        get_prereq_command: 'cc -o #{exe_path} PathToAtomicsFolder/T1036.004/src/prctl_rename.c
+
+          '
+      executor:
+        name: sh
+        command: |
+          #{exe_path} & ps
+          TMP=`ps | grep totally_legit`
+          if [ -z "${TMP}" ] ; then echo "renamed process NOT FOUND in process list" && exit 1; fi
+          exit 0
+        cleanup_command: 'rm -f #{exe_path}
+
+          '
  T1055.004:
    technique:
      x_mitre_platforms:
@@ -9952,7 +9952,40 @@ defense-evasion:
      - Administrator
      - SYSTEM
      identifier: T1036.004
-    atomic_tests: []
+    atomic_tests:
+    - name: linux rename /proc/pid/comm using prctl
+      auto_generated_guid: f0e3aaea-5cd9-4db6-a077-631dd19b27a8
+      description: 'Runs a C program that calls prctl(PR_SET_NAME) to modify /proc/pid/comm
+        value to "totally_legit".  This will show up as process name in simple ''ps''
+        listings.
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        exe_path:
+          description: Output Binary Path
+          type: path
+          default: "/tmp/T1036_004_prctl_rename"
+      dependency_executor_name: sh
+      dependencies:
+      - description: "#{exe_path} must be exist on system.\n"
+        prereq_command: 'stat #{exe_path}
+
+          '
+        get_prereq_command: 'cc -o #{exe_path} PathToAtomicsFolder/T1036.004/src/prctl_rename.c
+
+          '
+      executor:
+        name: sh
+        command: |
+          #{exe_path} & ps
+          TMP=`ps | grep totally_legit`
+          if [ -z "${TMP}" ] ; then echo "renamed process NOT FOUND in process list" && exit 1; fi
+          exit 0
+        cleanup_command: 'rm -f #{exe_path}
+
+          '
  T1055.004:
    technique:
      x_mitre_platforms:
@@ -10,6 +10,8 @@ Tasks or services contain other fields, such as a description, that adversaries

 - [Atomic Test #2 - Creating W32Time similar named service using sc](#atomic-test-2---creating-w32time-similar-named-service-using-sc)

+- [Atomic Test #3 - linux rename /proc/pid/comm using prctl](#atomic-test-3---linux-rename-procpidcomm-using-prctl)
+

 <br/>

@@ -76,4 +78,56 @@ sc delete win32times



+<br/>
+<br/>
+
+## Atomic Test #3 - linux rename /proc/pid/comm using prctl
+Runs a C program that calls prctl(PR_SET_NAME) to modify /proc/pid/comm value to "totally_legit".  This will show up as process name in simple 'ps' listings.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** f0e3aaea-5cd9-4db6-a077-631dd19b27a8
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| exe_path | Output Binary Path | path | /tmp/T1036_004_prctl_rename|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+#{exe_path} & ps
+TMP=`ps | grep totally_legit`
+if [ -z "${TMP}" ] ; then echo "renamed process NOT FOUND in process list" && exit 1; fi
+exit 0
+```
+
+#### Cleanup Commands:
+```sh
+rm -f #{exe_path}
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: #{exe_path} must be exist on system.
+##### Check Prereq Commands:
+```sh
+stat #{exe_path}
+```
+##### Get Prereq Commands:
+```sh
+cc -o #{exe_path} PathToAtomicsFolder/T1036.004/src/prctl_rename.c
+```
+
+
+
+
 <br/>