Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -244,6 +244,8 @@ defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
+defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
+defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
 defense-evasion,T1218.008,Signed Binary Proxy Execution: Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
 defense-evasion,T1218.008,Signed Binary Proxy Execution: Odbcconf,2,Odbcconf.exe - Load Response File,331ce274-f9c9-440b-9f8c-a1006e1fce0b,command_prompt
 defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
@@ -537,6 +539,8 @@ privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Set
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
+privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
+privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -58,6 +58,8 @@ defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
 defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
+defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
+defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
 defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
 defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
 defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
@@ -142,6 +144,8 @@ privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Set
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
 privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
+privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
+privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
 privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
 privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh

atomics/Indexes/Indexes-Markdown/index.md

@@ -332,6 +332,8 @@
   - Atomic Test #3: Set a SetGID flag on file [macos, linux]
   - Atomic Test #4: Make and modify capabilities of a binary [linux]
   - Atomic Test #5: Provide the SetUID capability to a file [linux]
+  - Atomic Test #6: Do reconnaissance for files that have the setuid bit set [linux]
+  - Atomic Test #7: Do reconnaissance for files that have the setgid bit set [linux]
 - T1117 Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1054 Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -810,6 +812,8 @@
   - Atomic Test #3: Set a SetGID flag on file [macos, linux]
   - Atomic Test #4: Make and modify capabilities of a binary [linux]
   - Atomic Test #5: Provide the SetUID capability to a file [linux]
+  - Atomic Test #6: Do reconnaissance for files that have the setuid bit set [linux]
+  - Atomic Test #7: Do reconnaissance for files that have the setgid bit set [linux]
 - [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md)
   - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
   - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -92,6 +92,8 @@
   - Atomic Test #3: Set a SetGID flag on file [macos, linux]
   - Atomic Test #4: Make and modify capabilities of a binary [linux]
   - Atomic Test #5: Provide the SetUID capability to a file [linux]
+  - Atomic Test #6: Do reconnaissance for files that have the setuid bit set [linux]
+  - Atomic Test #7: Do reconnaissance for files that have the setgid bit set [linux]
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1562.006 Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md)
   - Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
@@ -336,6 +338,8 @@
   - Atomic Test #3: Set a SetGID flag on file [macos, linux]
   - Atomic Test #4: Make and modify capabilities of a binary [linux]
   - Atomic Test #5: Provide the SetUID capability to a file [linux]
+  - Atomic Test #6: Do reconnaissance for files that have the setuid bit set [linux]
+  - Atomic Test #7: Do reconnaissance for files that have the setgid bit set [linux]
 - T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1169 Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)

atomics/Indexes/index.yaml

@@ -12510,7 +12510,7 @@ defense-evasion:
         command: |
           sudo touch #{file_to_setuid}
           sudo chown root #{file_to_setuid}
-          sudo chmod u+s #{file_to_setuid}
+          sudo chmod u+xs #{file_to_setuid}
         cleanup_command: 'sudo rm #{file_to_setuid}
 
           '
@@ -12533,7 +12533,7 @@ defense-evasion:
         command: |
           sudo touch #{file_to_setuid}
           sudo chown root #{file_to_setuid}
-          sudo chmod g+s #{file_to_setuid}
+          sudo chmod g+xs #{file_to_setuid}
         cleanup_command: 'sudo rm #{file_to_setuid}
 
           '
@@ -12585,6 +12585,32 @@ defense-evasion:
           '
         name: sh
         elevation_required: true
+    - name: Do reconnaissance for files that have the setuid bit set
+      auto_generated_guid: 8e36da01-cd29-45fd-be72-8a0fcaad4481
+      description: 'This test simulates a command that can be run to enumerate files
+        that have the setuid bit set
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'find /usr/bin -perm -4000
+
+          '
+        name: sh
+    - name: Do reconnaissance for files that have the setgid bit set
+      auto_generated_guid: 3fb46e17-f337-4c14-9f9a-a471946533e2
+      description: 'This test simulates a command that can be run to enumerate files
+        that have the setgid bit set
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'find /usr/bin -perm -2000
+
+          '
+        name: sh
   T1117:
     technique:
       x_mitre_platforms:
@@ -34058,7 +34084,7 @@ privilege-escalation:
         command: |
           sudo touch #{file_to_setuid}
           sudo chown root #{file_to_setuid}
-          sudo chmod u+s #{file_to_setuid}
+          sudo chmod u+xs #{file_to_setuid}
         cleanup_command: 'sudo rm #{file_to_setuid}
 
           '
@@ -34081,7 +34107,7 @@ privilege-escalation:
         command: |
           sudo touch #{file_to_setuid}
           sudo chown root #{file_to_setuid}
-          sudo chmod g+s #{file_to_setuid}
+          sudo chmod g+xs #{file_to_setuid}
         cleanup_command: 'sudo rm #{file_to_setuid}
 
           '
@@ -34133,6 +34159,32 @@ privilege-escalation:
           '
         name: sh
         elevation_required: true
+    - name: Do reconnaissance for files that have the setuid bit set
+      auto_generated_guid: 8e36da01-cd29-45fd-be72-8a0fcaad4481
+      description: 'This test simulates a command that can be run to enumerate files
+        that have the setuid bit set
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'find /usr/bin -perm -4000
+
+          '
+        name: sh
+    - name: Do reconnaissance for files that have the setgid bit set
+      auto_generated_guid: 3fb46e17-f337-4c14-9f9a-a471946533e2
+      description: 'This test simulates a command that can be run to enumerate files
+        that have the setgid bit set
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'find /usr/bin -perm -2000
+
+          '
+        name: sh
   T1547.004:
     technique:
       x_mitre_platforms:

atomics/Indexes/linux-index.yaml

@@ -7525,7 +7525,7 @@ defense-evasion:
         command: |
           sudo touch #{file_to_setuid}
           sudo chown root #{file_to_setuid}
-          sudo chmod u+s #{file_to_setuid}
+          sudo chmod u+xs #{file_to_setuid}
         cleanup_command: 'sudo rm #{file_to_setuid}
 
           '
@@ -7548,7 +7548,7 @@ defense-evasion:
         command: |
           sudo touch #{file_to_setuid}
           sudo chown root #{file_to_setuid}
-          sudo chmod g+s #{file_to_setuid}
+          sudo chmod g+xs #{file_to_setuid}
         cleanup_command: 'sudo rm #{file_to_setuid}
 
           '
@@ -7600,6 +7600,32 @@ defense-evasion:
           '
         name: sh
         elevation_required: true
+    - name: Do reconnaissance for files that have the setuid bit set
+      auto_generated_guid: 8e36da01-cd29-45fd-be72-8a0fcaad4481
+      description: 'This test simulates a command that can be run to enumerate files
+        that have the setuid bit set
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'find /usr/bin -perm -4000
+
+          '
+        name: sh
+    - name: Do reconnaissance for files that have the setgid bit set
+      auto_generated_guid: 3fb46e17-f337-4c14-9f9a-a471946533e2
+      description: 'This test simulates a command that can be run to enumerate files
+        that have the setgid bit set
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'find /usr/bin -perm -2000
+
+          '
+        name: sh
   T1117:
     technique:
       x_mitre_platforms:
@@ -21826,7 +21852,7 @@ privilege-escalation:
         command: |
           sudo touch #{file_to_setuid}
           sudo chown root #{file_to_setuid}
-          sudo chmod u+s #{file_to_setuid}
+          sudo chmod u+xs #{file_to_setuid}
         cleanup_command: 'sudo rm #{file_to_setuid}
 
           '
@@ -21849,7 +21875,7 @@ privilege-escalation:
         command: |
           sudo touch #{file_to_setuid}
           sudo chown root #{file_to_setuid}
-          sudo chmod g+s #{file_to_setuid}
+          sudo chmod g+xs #{file_to_setuid}
         cleanup_command: 'sudo rm #{file_to_setuid}
 
           '
@@ -21901,6 +21927,32 @@ privilege-escalation:
           '
         name: sh
         elevation_required: true
+    - name: Do reconnaissance for files that have the setuid bit set
+      auto_generated_guid: 8e36da01-cd29-45fd-be72-8a0fcaad4481
+      description: 'This test simulates a command that can be run to enumerate files
+        that have the setuid bit set
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'find /usr/bin -perm -4000
+
+          '
+        name: sh
+    - name: Do reconnaissance for files that have the setgid bit set
+      auto_generated_guid: 3fb46e17-f337-4c14-9f9a-a471946533e2
+      description: 'This test simulates a command that can be run to enumerate files
+        that have the setgid bit set
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'find /usr/bin -perm -2000
+
+          '
+        name: sh
   T1547.004:
     technique:
       x_mitre_platforms:

atomics/Indexes/macos-index.yaml

@@ -6901,7 +6901,7 @@ defense-evasion:
         command: |
           sudo touch #{file_to_setuid}
           sudo chown root #{file_to_setuid}
-          sudo chmod u+s #{file_to_setuid}
+          sudo chmod u+xs #{file_to_setuid}
         cleanup_command: 'sudo rm #{file_to_setuid}
 
           '
@@ -6924,7 +6924,7 @@ defense-evasion:
         command: |
           sudo touch #{file_to_setuid}
           sudo chown root #{file_to_setuid}
-          sudo chmod g+s #{file_to_setuid}
+          sudo chmod g+xs #{file_to_setuid}
         cleanup_command: 'sudo rm #{file_to_setuid}
 
           '
@@ -21148,7 +21148,7 @@ privilege-escalation:
         command: |
           sudo touch #{file_to_setuid}
           sudo chown root #{file_to_setuid}
-          sudo chmod u+s #{file_to_setuid}
+          sudo chmod u+xs #{file_to_setuid}
         cleanup_command: 'sudo rm #{file_to_setuid}
 
           '
@@ -21171,7 +21171,7 @@ privilege-escalation:
         command: |
           sudo touch #{file_to_setuid}
           sudo chown root #{file_to_setuid}
-          sudo chmod g+s #{file_to_setuid}
+          sudo chmod g+xs #{file_to_setuid}
         cleanup_command: 'sudo rm #{file_to_setuid}
 
           '

atomics/T1548.001/T1548.001.md

@@ -20,6 +20,10 @@ Alternatively, adversaries may choose to find and target vulnerable binaries wit
 
 - [Atomic Test #5 - Provide the SetUID capability to a file](#atomic-test-5---provide-the-setuid-capability-to-a-file)
 
+- [Atomic Test #6 - Do reconnaissance for files that have the setuid bit set](#atomic-test-6---do-reconnaissance-for-files-that-have-the-setuid-bit-set)
+
+- [Atomic Test #7 - Do reconnaissance for files that have the setgid bit set](#atomic-test-7---do-reconnaissance-for-files-that-have-the-setgid-bit-set)
+
 
 <br/>
 
@@ -90,7 +94,7 @@ This test sets the SetUID flag on a file in Linux and macOS.
 ```sh
 sudo touch #{file_to_setuid}
 sudo chown root #{file_to_setuid}
-sudo chmod u+s #{file_to_setuid}
+sudo chmod u+xs #{file_to_setuid}
 ```
 
 #### Cleanup Commands:
@@ -129,7 +133,7 @@ This test sets the SetGID flag on a file in Linux and macOS.
 ```sh
 sudo touch #{file_to_setuid}
 sudo chown root #{file_to_setuid}
-sudo chmod g+s #{file_to_setuid}
+sudo chmod g+xs #{file_to_setuid}
 ```
 
 #### Cleanup Commands:
@@ -222,4 +226,60 @@ rm #{file_to_setcap}
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - Do reconnaissance for files that have the setuid bit set
+This test simulates a command that can be run to enumerate files that have the setuid bit set
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 8e36da01-cd29-45fd-be72-8a0fcaad4481
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+find /usr/bin -perm -4000
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Do reconnaissance for files that have the setgid bit set
+This test simulates a command that can be run to enumerate files that have the setgid bit set
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 3fb46e17-f337-4c14-9f9a-a471946533e2
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+find /usr/bin -perm -2000
+```
+
+
+
+
+
+
 <br/>