Add two T1003.008 tests (#1299)

* Create T1003.008.yaml * Create T1003.008.md * Update T1003.008.md Co-authored-by: Carl <57147304+rc-grey@users.noreply.github.com>
2020-11-30 11:12:21 -05:00
parent e8bad1a913
commit 2b4c7c0112
2 changed files with 120 additions and 0 deletions
@@ -0,0 +1,80 @@
+# T1003.008 - /etc/passwd and /etc/shadow
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003/008)
+<blockquote>Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
+
+The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) <code># /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>
+</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Access /etc/shadow (Local)](#atomic-test-1---access-etcshadow-local)
+
+
+<br/>
+
+## Atomic Test #1 - Access /etc/shadow (Local)
+/etc/shadow file is accessed in Linux environments
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin)
+
+
+```bash
+sudo cat /etc/shadow > #{output_file}
+cat #{output_file}
+```
+
+#### Cleanup Commands:
+```bash
+rm -f #{output_file}
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Access /etc/passwd (Local)
+/etc/passwd file is accessed in Linux environments
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
+
+
+#### Attack Commands: Run with `sh`!
+
+
+```sh
+cat /etc/passwd > #{output_file}
+cat #{output_file}
+```
+
+#### Cleanup Commands:
+```sh
+rm -f #{output_file}
+```
+
+
+
+
+
+<br/>
@@ -0,0 +1,40 @@
+attack_technique: T1003.008
+display_name: 'OS Credential Dumping: /etc/passwd and /etc/shadow'
+atomic_tests:
+- name: Access /etc/shadow (Local)
+  auto_generated_guid: 3723ab77-c546-403c-8fb4-bb577033b235
+  description: |
+    /etc/shadow file is accessed in Linux environments
+  supported_platforms:
+  - linux
+  input_arguments:
+    output_file:
+      description: Path where captured results will be placed
+      type: Path
+      default: /tmp/T1003.008.txt
+  executor:
+    command: |
+      sudo cat /etc/shadow > #{output_file}
+      cat #{output_file}
+    cleanup_command: |
+      rm -f #{output_file}
+    name: bash
+    elevation_required: true
+- name: Access /etc/passwd (Local)
+  auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
+  description: |
+    /etc/passwd file is accessed in Linux environments
+  supported_platforms:
+  - linux
+  input_arguments:
+    output_file:
+      description: Path where captured results will be placed
+      type: Path
+      default: /tmp/T1003.008.txt
+  executor:
+    command: |
+      cat /etc/passwd > #{output_file}
+      cat #{output_file}
+    cleanup_command: |
+      rm -f #{output_file}
+    name: sh