diff --git a/Gemfile.lock b/Gemfile.lock
index d0a93a5f..55173b86 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -6,7 +6,7 @@ PATH
GEM
remote: https://rubygems.org/
specs:
- activesupport (6.0.3.4)
+ activesupport (6.0.4.1)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 0.7, < 2)
minitest (~> 5.1)
@@ -21,24 +21,40 @@ GEM
colorator (1.1.0)
commonmarker (0.17.13)
ruby-enum (~> 0.5)
- concurrent-ruby (1.1.7)
- dnsruby (1.61.5)
+ concurrent-ruby (1.1.9)
+ dnsruby (1.61.7)
simpleidn (~> 0.1)
- em-websocket (0.5.2)
+ em-websocket (0.5.3)
eventmachine (>= 0.12.9)
- http_parser.rb (~> 0.6.0)
- ethon (0.12.0)
- ffi (>= 1.3.0)
+ http_parser.rb (~> 0)
+ ethon (0.15.0)
+ ffi (>= 1.15.0)
eventmachine (1.2.7)
- execjs (2.7.0)
- faraday (1.1.0)
+ execjs (2.8.1)
+ faraday (1.8.0)
+ faraday-em_http (~> 1.0)
+ faraday-em_synchrony (~> 1.0)
+ faraday-excon (~> 1.1)
+ faraday-httpclient (~> 1.0.1)
+ faraday-net_http (~> 1.0)
+ faraday-net_http_persistent (~> 1.1)
+ faraday-patron (~> 1.0)
+ faraday-rack (~> 1.0)
multipart-post (>= 1.2, < 3)
- ruby2_keywords
- ffi (1.13.1)
+ ruby2_keywords (>= 0.0.4)
+ faraday-em_http (1.0.0)
+ faraday-em_synchrony (1.0.0)
+ faraday-excon (1.1.0)
+ faraday-httpclient (1.0.1)
+ faraday-net_http (1.0.1)
+ faraday-net_http_persistent (1.2.0)
+ faraday-patron (1.0.0)
+ faraday-rack (1.0.0)
+ ffi (1.15.4)
forwardable-extended (2.6.0)
gemoji (3.0.1)
- github-pages (209)
- github-pages-health-check (= 1.16.1)
+ github-pages (222)
+ github-pages-health-check (= 1.17.9)
jekyll (= 3.9.0)
jekyll-avatar (= 0.7.0)
jekyll-coffeescript (= 1.1.1)
@@ -53,44 +69,44 @@ GEM
jekyll-readme-index (= 0.3.0)
jekyll-redirect-from (= 0.16.0)
jekyll-relative-links (= 0.6.1)
- jekyll-remote-theme (= 0.4.2)
+ jekyll-remote-theme (= 0.4.3)
jekyll-sass-converter (= 1.5.2)
- jekyll-seo-tag (= 2.6.1)
+ jekyll-seo-tag (= 2.7.1)
jekyll-sitemap (= 1.4.0)
jekyll-swiss (= 1.0.0)
- jekyll-theme-architect (= 0.1.1)
- jekyll-theme-cayman (= 0.1.1)
- jekyll-theme-dinky (= 0.1.1)
- jekyll-theme-hacker (= 0.1.2)
- jekyll-theme-leap-day (= 0.1.1)
- jekyll-theme-merlot (= 0.1.1)
- jekyll-theme-midnight (= 0.1.1)
- jekyll-theme-minimal (= 0.1.1)
- jekyll-theme-modernist (= 0.1.1)
- jekyll-theme-primer (= 0.5.4)
- jekyll-theme-slate (= 0.1.1)
- jekyll-theme-tactile (= 0.1.1)
- jekyll-theme-time-machine (= 0.1.1)
+ jekyll-theme-architect (= 0.2.0)
+ jekyll-theme-cayman (= 0.2.0)
+ jekyll-theme-dinky (= 0.2.0)
+ jekyll-theme-hacker (= 0.2.0)
+ jekyll-theme-leap-day (= 0.2.0)
+ jekyll-theme-merlot (= 0.2.0)
+ jekyll-theme-midnight (= 0.2.0)
+ jekyll-theme-minimal (= 0.2.0)
+ jekyll-theme-modernist (= 0.2.0)
+ jekyll-theme-primer (= 0.6.0)
+ jekyll-theme-slate (= 0.2.0)
+ jekyll-theme-tactile (= 0.2.0)
+ jekyll-theme-time-machine (= 0.2.0)
jekyll-titles-from-headings (= 0.5.3)
jemoji (= 0.12.0)
- kramdown (= 2.3.0)
+ kramdown (= 2.3.1)
kramdown-parser-gfm (= 1.1.0)
liquid (= 4.0.3)
mercenary (~> 0.3)
minima (= 2.5.1)
- nokogiri (>= 1.10.4, < 2.0)
- rouge (= 3.23.0)
+ nokogiri (>= 1.12.5, < 2.0)
+ rouge (= 3.26.0)
terminal-table (~> 1.4)
- github-pages-health-check (1.16.1)
+ github-pages-health-check (1.17.9)
addressable (~> 2.3)
dnsruby (~> 1.60)
octokit (~> 4.0)
- public_suffix (~> 3.0)
+ public_suffix (>= 3.0, < 5.0)
typhoeus (~> 1.3)
html-pipeline (2.14.0)
activesupport (>= 2)
nokogiri (>= 1.4)
- http_parser.rb (0.6.0)
+ http_parser.rb (0.8.0)
i18n (0.9.5)
concurrent-ruby (~> 1.0)
jekyll (3.9.0)
@@ -139,57 +155,57 @@ GEM
jekyll (>= 3.3, < 5.0)
jekyll-relative-links (0.6.1)
jekyll (>= 3.3, < 5.0)
- jekyll-remote-theme (0.4.2)
+ jekyll-remote-theme (0.4.3)
addressable (~> 2.0)
jekyll (>= 3.5, < 5.0)
jekyll-sass-converter (>= 1.0, <= 3.0.0, != 2.0.0)
rubyzip (>= 1.3.0, < 3.0)
jekyll-sass-converter (1.5.2)
sass (~> 3.4)
- jekyll-seo-tag (2.6.1)
- jekyll (>= 3.3, < 5.0)
+ jekyll-seo-tag (2.7.1)
+ jekyll (>= 3.8, < 5.0)
jekyll-sitemap (1.4.0)
jekyll (>= 3.7, < 5.0)
jekyll-swiss (1.0.0)
- jekyll-theme-architect (0.1.1)
- jekyll (~> 3.5)
- jekyll-seo-tag (~> 2.0)
- jekyll-theme-cayman (0.1.1)
- jekyll (~> 3.5)
- jekyll-seo-tag (~> 2.0)
- jekyll-theme-dinky (0.1.1)
- jekyll (~> 3.5)
- jekyll-seo-tag (~> 2.0)
- jekyll-theme-hacker (0.1.2)
+ jekyll-theme-architect (0.2.0)
jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
- jekyll-theme-leap-day (0.1.1)
- jekyll (~> 3.5)
+ jekyll-theme-cayman (0.2.0)
+ jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
- jekyll-theme-merlot (0.1.1)
- jekyll (~> 3.5)
+ jekyll-theme-dinky (0.2.0)
+ jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
- jekyll-theme-midnight (0.1.1)
- jekyll (~> 3.5)
+ jekyll-theme-hacker (0.2.0)
+ jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
- jekyll-theme-minimal (0.1.1)
- jekyll (~> 3.5)
+ jekyll-theme-leap-day (0.2.0)
+ jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
- jekyll-theme-modernist (0.1.1)
- jekyll (~> 3.5)
+ jekyll-theme-merlot (0.2.0)
+ jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
- jekyll-theme-primer (0.5.4)
+ jekyll-theme-midnight (0.2.0)
+ jekyll (> 3.5, < 5.0)
+ jekyll-seo-tag (~> 2.0)
+ jekyll-theme-minimal (0.2.0)
+ jekyll (> 3.5, < 5.0)
+ jekyll-seo-tag (~> 2.0)
+ jekyll-theme-modernist (0.2.0)
+ jekyll (> 3.5, < 5.0)
+ jekyll-seo-tag (~> 2.0)
+ jekyll-theme-primer (0.6.0)
jekyll (> 3.5, < 5.0)
jekyll-github-metadata (~> 2.9)
jekyll-seo-tag (~> 2.0)
- jekyll-theme-slate (0.1.1)
- jekyll (~> 3.5)
+ jekyll-theme-slate (0.2.0)
+ jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
- jekyll-theme-tactile (0.1.1)
- jekyll (~> 3.5)
+ jekyll-theme-tactile (0.2.0)
+ jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
- jekyll-theme-time-machine (0.1.1)
- jekyll (~> 3.5)
+ jekyll-theme-time-machine (0.2.0)
+ jekyll (> 3.5, < 5.0)
jekyll-seo-tag (~> 2.0)
jekyll-titles-from-headings (0.5.3)
jekyll (>= 3.3, < 5.0)
@@ -199,12 +215,12 @@ GEM
gemoji (~> 3.0)
html-pipeline (~> 2.2)
jekyll (>= 3.0, < 5.0)
- kramdown (2.3.0)
+ kramdown (2.3.1)
rexml
kramdown-parser-gfm (1.1.0)
kramdown (~> 2.0)
liquid (4.0.3)
- listen (3.3.0)
+ listen (3.7.0)
rb-fsevent (~> 0.10, >= 0.10.3)
rb-inotify (~> 0.9, >= 0.9.10)
mercenary (0.3.6)
@@ -213,27 +229,27 @@ GEM
jekyll (>= 3.5, < 5.0)
jekyll-feed (~> 0.9)
jekyll-seo-tag (~> 2.1)
- minitest (5.14.2)
+ minitest (5.14.4)
multipart-post (2.1.1)
nokogiri (1.12.5)
mini_portile2 (~> 2.6.1)
racc (~> 1.4)
- octokit (4.19.0)
+ octokit (4.21.0)
faraday (>= 0.9)
sawyer (~> 0.8.0, >= 0.5.3)
pathutil (0.16.2)
forwardable-extended (~> 2.6)
- public_suffix (3.1.1)
- racc (1.5.2)
- rb-fsevent (0.10.4)
+ public_suffix (4.0.6)
+ racc (1.6.0)
+ rb-fsevent (0.11.0)
rb-inotify (0.10.1)
ffi (~> 1.0)
rexml (3.2.5)
- rouge (3.23.0)
- ruby-enum (0.8.0)
+ rouge (3.26.0)
+ ruby-enum (0.9.0)
i18n
- ruby2_keywords (0.0.2)
- rubyzip (2.3.0)
+ ruby2_keywords (0.0.5)
+ rubyzip (2.3.2)
safe_yaml (1.0.5)
sass (3.7.4)
sass-listen (~> 4.0.0)
@@ -243,20 +259,20 @@ GEM
sawyer (0.8.2)
addressable (>= 2.3.5)
faraday (> 0.8, < 2.0)
- simpleidn (0.1.1)
+ simpleidn (0.2.1)
unf (~> 0.1.4)
terminal-table (1.8.0)
unicode-display_width (~> 1.1, >= 1.1.1)
thread_safe (0.3.6)
typhoeus (1.4.0)
ethon (>= 0.9.0)
- tzinfo (1.2.8)
+ tzinfo (1.2.9)
thread_safe (~> 0.1)
unf (0.1.4)
unf_ext
- unf_ext (0.0.7.7)
- unicode-display_width (1.7.0)
- zeitwerk (2.4.1)
+ unf_ext (0.0.8)
+ unicode-display_width (1.8.0)
+ zeitwerk (2.5.1)
PLATFORMS
ruby
diff --git a/atomic_red_team/spec.yaml b/atomic_red_team/spec.yaml
index 7f34d392..45eeb19b 100644
--- a/atomic_red_team/spec.yaml
+++ b/atomic_red_team/spec.yaml
@@ -116,7 +116,7 @@ atomic_tests:
# per test, but there are cases where you may have multiple - for example, separate executors for `sh`
# and `bash` when working on linux OSes.
# Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, `gcloud` and `kubectl`.
- executors:
+ executor:
# the name of the executor describes the framework or application in which the test should be executed.
#
# Each of these executors will have options that the executor needs to run. Possible executors we've imagined
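Review bot: The comments around the renamed key still describe a list of executors while the key is now the singular `executor:` — `there are cases where you may have multiple - for example, separate executors for` on the lines above it and `Each of these executors will have options` on the line below — and the example in the second hunk of this file still places a sequence item (`- name: bash`) under `executor:`, whereas the atomic YAMLs in this commit (T1003.008.yaml) use a plain mapping under that key. The sentence that the first comment line continues starts outside this hunk. I would rewrite the comment to match the schema the rename implies, e.g. `# executor: a single mapping describing how the test is run (name, command, cleanup_command, steps, elevation_required).`, and drop the `- ` from the example so it shows a mapping rather than a list.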
@@ -200,6 +200,6 @@ atomic_tests:
# in this example we have no input arguments
input_arguments:
- executors:
+ executor:
- name: bash
command: echo "Hello world!"
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index ac9d0409..58a72c95 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -1,6 +1,8 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
+credential-access,T1003.008,/etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash
+credential-access,T1003.008,/etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash
credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index 29375cc5..33000f16 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -1,6 +1,8 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
+credential-access,T1003.008,/etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash
+credential-access,T1003.008,/etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash
credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index f2ddb5d5..29810972 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -3,6 +3,8 @@
- [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md)
- Atomic Test #1: Access /etc/shadow (Local) [linux]
- Atomic Test #2: Access /etc/passwd (Local) [linux]
+ - Atomic Test #3: Access /etc/{shadow,passwd} with a standard bin that's not cat [linux]
+ - Atomic Test #4: Access /etc/{shadow,passwd} with shell builtins [linux]
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md)
- Atomic Test #1: Rubeus asreproast [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index 6deb269b..94018be6 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -3,6 +3,8 @@
- [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md)
- Atomic Test #1: Access /etc/shadow (Local) [linux]
- Atomic Test #2: Access /etc/passwd (Local) [linux]
+ - Atomic Test #3: Access /etc/{shadow,passwd} with a standard bin that's not cat [linux]
+ - Atomic Test #4: Access /etc/{shadow,passwd} with shell builtins [linux]
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.003 Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index a33f049b..ed63930c 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -82,6 +82,49 @@ credential-access:
'
name: sh
+ - name: Access /etc/{shadow,passwd} with a standard bin that's not cat
+ auto_generated_guid: df1a55ae-019d-4120-bc35-94f4bc5c4b0a
+ description: 'Dump /etc/passwd and /etc/shadow using ed
+
+'
+ supported_platforms:
+ - linux
+ input_arguments:
+ output_file:
+ description: Path where captured results will be placed
+ type: Path
+ default: "/tmp/T1003.008.txt"
+ executor:
+ command: 'echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}
+
+'
+ cleanup_command: 'rm -f #{output_file}
+
+'
+ name: bash
+ elevation_required: true
+ - name: Access /etc/{shadow,passwd} with shell builtins
+ auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713
+ description: 'Dump /etc/passwd and /etc/shadow using bash builtins
+
+'
+ supported_platforms:
+ - linux
+ input_arguments:
+ output_file:
+ description: Path where captured results will be placed
+ type: Path
+ default: "/tmp/T1003.008.txt"
+ executor:
+ command: |
+ function testcat(){ echo "$(< $1)"; }
+ testcat /etc/passwd > #{output_file}
+ testcat /etc/shadow > #{output_file}
+ cleanup_command: 'rm -f #{output_file}
+
+'
+ name: bash
+ elevation_required: true
T1557.002:
technique:
external_references:
@@ -50545,7 +50588,8 @@ impact:
type: Path
default: "/var/log/syslog"
executor:
- command: 'dd of=#{file_to_overwrite} if=#{overwrite_source}
+ command: 'dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l
+ #{file_to_overwrite} | awk ''{print $5}'') iflag=count_bytes
'
name: bash
diff --git a/atomics/T1003.008/T1003.008.md b/atomics/T1003.008/T1003.008.md
index 496d6d4c..1e3e476b 100644
--- a/atomics/T1003.008/T1003.008.md
+++ b/atomics/T1003.008/T1003.008.md
@@ -11,6 +11,10 @@ The Linux utility, unshadow, can be used to combine the two files in a format su
- [Atomic Test #2 - Access /etc/passwd (Local)](#atomic-test-2---access-etcpasswd-local)
+- [Atomic Test #3 - Access /etc/{shadow,passwd} with a standard bin that's not cat](#atomic-test-3---access-etcshadowpasswd-with-a-standard-bin-thats-not-cat)
+
+- [Atomic Test #4 - Access /etc/{shadow,passwd} with shell builtins](#atomic-test-4---access-etcshadowpasswd-with-shell-builtins)
+
@@ -87,4 +91,80 @@ rm -f #{output_file}
+
+
+
+## Atomic Test #3 - Access /etc/{shadow,passwd} with a standard bin that's not cat
+Dump /etc/passwd and /etc/shadow using ed
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** df1a55ae-019d-4120-bc35-94f4bc5c4b0a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
+
+
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
+
+
+```bash
+echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}
+```
+
+#### Cleanup Commands:
+```bash
+rm -f #{output_file}
+```
+
+
+
+
+
+
+
+
+## Atomic Test #4 - Access /etc/{shadow,passwd} with shell builtins
+Dump /etc/passwd and /etc/shadow using bash builtins
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** f5aa6543-6cb2-4fae-b9c2-b96e14721713
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
+
+
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
+
+
+```bash
+function testcat(){ echo "$(< $1)"; }
+testcat /etc/passwd > #{output_file}
+testcat /etc/shadow > #{output_file}
+```
+
+#### Cleanup Commands:
+```bash
+rm -f #{output_file}
+```
+
+
+
+
+
diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml
index 68ddee87..491690de 100644
--- a/atomics/T1003.008/T1003.008.yaml
+++ b/atomics/T1003.008/T1003.008.yaml
@@ -38,3 +38,41 @@ atomic_tests:
cleanup_command: |
rm -f #{output_file}
name: sh
+- name: Access /etc/{shadow,passwd} with a standard bin that's not cat
+ auto_generated_guid: df1a55ae-019d-4120-bc35-94f4bc5c4b0a
+ description: |
+ Dump /etc/passwd and /etc/shadow using ed
+ supported_platforms:
+ - linux
+ input_arguments:
+ output_file:
+ description: Path where captured results will be placed
+ type: Path
+ default: /tmp/T1003.008.txt
+ executor:
+ command: |
+ echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}
+ cleanup_command: |
+ rm -f #{output_file}
+ name: bash
+ elevation_required: true
+- name: Access /etc/{shadow,passwd} with shell builtins
+ auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713
+ description: |
+ Dump /etc/passwd and /etc/shadow using bash builtins
+ supported_platforms:
+ - linux
+ input_arguments:
+ output_file:
+ description: Path where captured results will be placed
+ type: Path
+ default: /tmp/T1003.008.txt
+ executor:
+ command: |
+ function testcat(){ echo "$(< $1)"; }
+ testcat /etc/passwd > #{output_file}
+ testcat /etc/shadow > #{output_file}
+ cleanup_command: |
+ rm -f #{output_file}
+ name: bash
+ elevation_required: true
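Review bot: In the second new test, `testcat /etc/shadow > #{output_file}` truncates the file that the preceding `testcat /etc/passwd > #{output_file}` just wrote, so the output file ends up holding only the second result even though the description promises both; the second line should be `testcat /etc/shadow >> #{output_file}`. The same two lines are mirrored in atomics/Indexes/index.yaml and T1003.008.md in this commit (presumably generated, so regenerating after the fix is enough). Minor style point: `$1` in `echo "$(< $1)"` is unquoted, and `"$1"` avoids word-splitting if a path containing spaces is ever passed.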
diff --git a/atomics/T1036.006/T1036.006.yaml b/atomics/T1036.006/T1036.006.yaml
index 1d239842..14c6f51e 100644
--- a/atomics/T1036.006/T1036.006.yaml
+++ b/atomics/T1036.006/T1036.006.yaml
@@ -1,7 +1,7 @@
attack_technique: T1036.006
display_name: 'Masquerading: Space after Filename'
atomic_tests:
-- name: Space After Filename
+- name: Space After Filename (Manual)
auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f
description: |
Space After Filename
@@ -9,10 +9,27 @@ atomic_tests:
- macos
executor:
steps: |
- 1. 1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
+ 1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
2. mv execute.txt "execute.txt "
3. ./execute.txt\
name: manual
-
+- name: Space After Filename
+ auto_generated_guid: b95ce2eb-a093-4cd8-938d-5258cef656ea
+ description: |
+ Space after filename.
+ supported_platforms:
+ - macos
+ - linux
+ executor:
+ name: bash
+ command: |
+ mkdir -p /tmp/atomic-test-T1036.006
+ cd /tmp/atomic-test-T1036.006
+ mkdir -p 'testdirwithspaceend '
+ /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init '/;\nqx/'.\/init ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null
+ chmod +x 'testdirwithspaceend /init '
+ './testdirwithspaceend /init '
+ cleanup_command:
+ rm -rf /tmp/atomic-test-T1036.006
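Review bot: `/usr/bin/echo -e` on the new `command:` line ties the test to GNU coreutils even though `supported_platforms` lists `macos`; as far as I know macOS ships echo only at /bin/echo and its BSD echo prints `-e` literally, so the ed script would not be fed correctly there, and `printf '%b' "…"` with the same string is the portable form. The message inside the embedded script names `T1035.006` while the file is T1036.006 — presumably a typo. Also, `cleanup_command:` has its value on a continuation line as a plain multi-line scalar; the sibling keys in this file (`description: |`, `command: |`) use block scalars, so `cleanup_command: |` followed by the indented `rm -rf /tmp/atomic-test-T1036.006` is the consistent form and avoids relying on plain-scalar folding.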
diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md
index 0ae51571..c9f916df 100644
--- a/atomics/T1485/T1485.md
+++ b/atomics/T1485/T1485.md
@@ -91,7 +91,7 @@ To stop the test, break the command with CTRL/CMD+C.
```bash
-dd of=#{file_to_overwrite} if=#{overwrite_source}
+dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} | awk '{print $5}') iflag=count_bytes
```
diff --git a/atomics/T1485/T1485.yaml b/atomics/T1485/T1485.yaml
index 9d616fc0..98aa04e5 100644
--- a/atomics/T1485/T1485.yaml
+++ b/atomics/T1485/T1485.yaml
@@ -51,5 +51,5 @@ atomic_tests:
default: /var/log/syslog
executor:
command: |
- dd of=#{file_to_overwrite} if=#{overwrite_source}
+ dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} | awk '{print $5}') iflag=count_bytes
name: bash
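Review bot: The new `count=$(ls -l #{file_to_overwrite} | awk '{print $5}') iflag=count_bytes` bounds dd to the file's current size, but parsing `ls -l` output for the size is fragile and `iflag=count_bytes` is a GNU dd extension, so if the test's `supported_platforms` (outside this hunk) includes macOS the command will be rejected there; `count=$(wc -c < #{file_to_overwrite})` is the more robust size query, and the GNU-only flag should at least be called out. The test description (outside this hunk, rendered in T1485.md as `To stop the test, break the command with CTRL/CMD+C.`) is now stale, since dd terminates on its own once the byte count is reached.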
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 67b6c4df..72fa84d2 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -821,3 +821,6 @@ f449c933-0891-407f-821e-7916a21a1a6f
d3eda496-1fc0-49e9-aff5-3bec5da9fa22
e42d33cd-205c-4acf-ab59-a9f38f6bad9c
dddd4aca-bbed-46f0-984d-e4c5971c51ea
+b95ce2eb-a093-4cd8-938d-5258cef656ea
+f5aa6543-6cb2-4fae-b9c2-b96e14721713
+df1a55ae-019d-4120-bc35-94f4bc5c4b0a