T1546.004 Create/Append to .bash_logout

atomics/T1546.004/T1546.004.yaml

@@ -93,3 +93,21 @@ atomic_tests:
       echo '#{text_to_append}' >> /etc/profile.d/bash_completion.sh
     cleanup_command: |
       sed -i "s/# Atomic Red Team was here... T1546.004//" /etc/profile.d/bash_completion.sh
+- name: Create/Append to .bash_logout
+  description: |
+    The Bash shell runs ~/.bash_logout "if it exists" to run commands on user logout. An adversary may create or append to a .bash_logout to clear history, start processes etc. Note the ~/.bash_logout is only run if you explicitly exit or log out of an "interactive login shell session" i.e. via the console, SSH, /bin/bash -l or su -l <username>. 
+
+    This test creates the art user, logs in, creates a .bash_logout which will echo some text into the art.txt file on logout and logs out and the /home/art/art.txt is created.
+  supported_platforms:
+  - linux
+  executor:
+    name: bash
+    elevation_required: true
+    command: |
+      useradd --create-home --shell /bin/bash art
+      su --login art
+      echo 'echo "Atomic Red Team was here... T1546.004" >> $HOME/art.txt' >> $HOME/.bash_logout
+      logout
+      cat /home/art/art.txt    
+    cleanup_command: |
+      userdel -fr art