From 2006f34c95fc56da61ec34b732a8b2ba0aa745ff Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Mon, 6 Oct 2025 08:57:17 -0700
Subject: [PATCH] 2 New Atomic - npm installation and At execution (#3199)
Co-authored-by: Hare Sudhan
---
 atomics/T1053.002/T1053.002.yaml | 34 ++++++++++++++++++++++++++++++++
 atomics/T1195.002/T1195.002.yaml | 31 +++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+)
 create mode 100644 atomics/T1195.002/T1195.002.yaml
diff --git a/atomics/T1053.002/T1053.002.yaml b/atomics/T1053.002/T1053.002.yaml
index c2bbc343..71c2f15e 100644
--- a/atomics/T1053.002/T1053.002.yaml
+++ b/atomics/T1053.002/T1053.002.yaml
@@ -54,3 +54,37 @@ atomic_tests:
 elevation_required: false
 command: |-
 echo "#{at_command}" | at #{time_spec}
+- name: At - Schedule a job via kubectl in a Pod
+ description: |
+ Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
+ and submits a job with `at`. The pod is deleted after execution.
+ supported_platforms:
+ - containers
+ input_arguments:
+ image_name:
+ description: Name of the image
+ type: string
+ default: ubuntu
+ pod_name:
+ description: K8s pod name to execute the command in
+ type: string
+ default: atomic-at-schedule
+ time_spec:
+ description: Time specification of when the command should run
+ type: string
+ default: now + 1 minute
+ at_command:
+ description: The command to be run
+ type: string
+ default: echo Hello from Atomic Red Team
+ dependencies:
+ - description: kubectl must be installed and configured
+ get_prereq_command: |
+ echo "kubectl must be installed manually"
+ prereq_command: |
+ which kubectl
+ executor:
+ name: bash
+ elevation_required: false
+ command: |
+ kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo '#{at_command}' | at #{time_spec} && at -l"
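Review bot: The scheduled job can never run in the new `command:` block: `--rm --attach` tears the pod down as soon as `at -l` returns, and the default `time_spec` of `now + 1 minute` is later than that, so only the `at` submission and the `atd` start are exercised, not the job execution the description implies. Either say so in the description (`Only the job submission is observable; the pod exits before the job fires.`) or keep the pod alive past the trigger, e.g. end the command with `&& at -l && sleep 90"`, accepting the longer runtime. Consider also an executor `cleanup_command: kubectl delete pod #{pod_name} --ignore-not-found`, since `--rm` only removes the pod when the attach completes normally and an interrupted `apt-get` would leave it behind. Note the new `command:` uses `|` while the existing test above uses `|-`, so this expanded command carries a trailing newline.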
diff --git a/atomics/T1195.002/T1195.002.yaml b/atomics/T1195.002/T1195.002.yaml
new file mode 100644
index 00000000..59b6e0d6
--- /dev/null
+++ b/atomics/T1195.002/T1195.002.yaml
@@ -0,0 +1,31 @@
+attack_technique: T1195.002
+display_name: Compromise Software Supply Chain
+atomic_tests:
+- name: Simulate npm package installation on a Linux system
+ description: |
+ Launches a short‑lived Kubernetes pod using the Node 18 image, initializes a minimal npm project in /tmp/test, and installs the specified npm package without audit/fund/package‑lock options, simulating potentially suspicious package retrieval (e.g., typosquatting/dependency confusion) from within a container. The pod is deleted after execution.
+ supported_platforms:
+ - containers
+ - linux
+ input_arguments:
+ image_name:
+ description: Name of the image
+ type: string
+ default: node:18
+ pod_name:
+ description: Name of the pod
+ type: string
+ default: atomic-npm-install
+ package_name:
+ description: NPM package to install
+ type: string
+ default: tinycolor
+ dependencies:
+ - description: kubectl must be installed and configured
+ get_prereq_command: echo "kubectl must be installed"
+ prereq_command: which kubectl
+ executor:
+ name: bash
+ elevation_required: false
+ command: |
+ kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && echo '--- package.json before install ---' && cat package.json && npm install #{package_name} --no-audit --no-fund --no-package-lock && echo '--- package.json after install ---' && cat package.json"
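Review bot: The default `package_name: tinycolor` is installed unpinned from the public registry with lifecycle scripts enabled, so the `npm install` in `command:` executes whatever the latest published version of that package ships, inside a pod with cluster network access; the description calls this a simulation, but it is a live third-party install. If running install scripts is not the behaviour under test, add `--ignore-scripts` to the `npm install` invocation and pin the default to a specific version (`tinycolor@<VERSION>`, placeholder), otherwise state in the description that an unpinned package is fetched and its install scripts run. `supported_platforms` lists `linux` alongside `containers`, yet the executor requires kubectl and a reachable cluster, which the T1053.002 test in the same commit reflects by listing `containers` only. The description also contains non-ASCII hyphens (U+2011) in `short‑lived` and `package‑lock`, which defeat plain-text searches; use ASCII `-`. The prereq commands here are plain scalars while the sibling test uses block scalars — pick one style for the pair.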