Generate docs from job=validate_atomics_generate_docs branch=master

2018-10-21 17:39:45 +00:00
parent 8cfecaf347
commit 13665af6ef
5 changed files with 127 additions and 0 deletions
@@ -22,6 +22,12 @@ Contributors: Itzik Kotler, SafeBreach</blockquote>

 - [Atomic Test #1 - Private Keys](#atomic-test-1---private-keys)

+- [Atomic Test #2 - Discover Private SSH Keys](#atomic-test-2---discover-private-ssh-keys)
+
+- [Atomic Test #3 - Copy Private SSH Keys with CP](#atomic-test-3---copy-private-ssh-keys-with-cp)
+
+- [Atomic Test #4 - Copy Private SSH Keys with rsync](#atomic-test-4---copy-private-ssh-keys-with-rsync)
+

 <br/>

@@ -39,3 +45,62 @@ echo "ATOMICREDTEAM" > %windir%\cert.key
 dir c:\ /b /s .key | findstr /e .key
 ```
 <br/>
+<br/>
+
+## Atomic Test #2 - Discover Private SSH Keys
+Discover private SSH keys on a macOS or Linux system.
+
+**Supported Platforms:** macOS, Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_file | Output file containing locations of SSH key files | path | /tmp/keyfile_locations.txt|
+
+#### Run it with `sh`!
+```
+find / -name id_rsa >> #{output_file}
+find / -name id_dsa >> #{output_file}
+```
+<br/>
+<br/>
+
+## Atomic Test #3 - Copy Private SSH Keys with CP
+Copy private SSH keys on a Linux system to a staging folder using the `cp` command.
+
+**Supported Platforms:** Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
+
+#### Run it with `sh`!
+```
+mkdir #{output_folder}
+find / -name id_rsa -exec cp --parents {} #{output_folder} \;
+find / -name id_dsa -exec cp --parents {} #{output_folder} \;
+```
+<br/>
+<br/>
+
+## Atomic Test #4 - Copy Private SSH Keys with rsync
+Copy private SSH keys on a Linux or macOS system to a staging folder using the `rsync` command.
+
+**Supported Platforms:** macOS, Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
+
+#### Run it with `sh`!
+```
+mkdir #{output_folder}
+find / -name id_rsa -exec rsync -R {} #{output_folder} \;
+find / -name id_dsa -exec rsync -R {} #{output_folder} \;
+```
+<br/>
@@ -452,6 +452,9 @@
 - T1174 Password Filter DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1145 Private Keys](./T1145/T1145.md)
  - Atomic Test #1: Private Keys [windows]
+  - Atomic Test #2: Discover Private SSH Keys [macos, linux]
+  - Atomic Test #3: Copy Private SSH Keys with CP [linux]
+  - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
 - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1167 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -12647,6 +12647,60 @@ credential-access:
        command: |
          echo "ATOMICREDTEAM" > %windir%\cert.key
          dir c:\ /b /s .key | findstr /e .key
+    - name: Discover Private SSH Keys
+      description: 'Discover private SSH keys on a macOS or Linux system.
+
+'
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        output_file:
+          description: Output file containing locations of SSH key files
+          type: path
+          default: "/tmp/keyfile_locations.txt"
+      executor:
+        name: sh
+        command: |
+          find / -name id_rsa >> #{output_file}
+          find / -name id_dsa >> #{output_file}
+    - name: Copy Private SSH Keys with CP
+      description: 'Copy private SSH keys on a Linux system to a staging folder using
+        the `cp` command.
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        output_folder:
+          description: Output folder containing copies of SSH private key files
+          type: path
+          default: "/tmp/art-staging"
+      executor:
+        name: sh
+        command: |
+          mkdir #{output_folder}
+          find / -name id_rsa -exec cp --parents {} #{output_folder} \;
+          find / -name id_dsa -exec cp --parents {} #{output_folder} \;
+    - name: Copy Private SSH Keys with rsync
+      description: 'Copy private SSH keys on a Linux or macOS system to a staging
+        folder using the `rsync` command.
+
+'
+      supported_platforms:
+      - macos
+      - linux
+      input_arguments:
+        output_folder:
+          description: Output folder containing copies of SSH private key files
+          type: path
+          default: "/tmp/art-staging"
+      executor:
+        name: sh
+        command: |
+          mkdir #{output_folder}
+          find / -name id_rsa -exec rsync -R {} #{output_folder} \;
+          find / -name id_dsa -exec rsync -R {} #{output_folder} \;
 execution:
  T1155:
    technique:
@@ -114,6 +114,9 @@
 - [T1040 Network Sniffing](./T1040/T1040.md)
  - Atomic Test #1: Packet Capture Linux [linux]
 - [T1145 Private Keys](./T1145/T1145.md)
+  - Atomic Test #2: Discover Private SSH Keys [macos, linux]
+  - Atomic Test #3: Copy Private SSH Keys with CP [linux]
+  - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
 - T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

 # defense-evasion
@@ -173,6 +173,8 @@
 - [T1040 Network Sniffing](./T1040/T1040.md)
  - Atomic Test #2: Packet Capture MacOS [macos]
 - [T1145 Private Keys](./T1145/T1145.md)
+  - Atomic Test #2: Discover Private SSH Keys [macos, linux]
+  - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
 - T1167 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)