From 3ed39e35997bcf78b8d7d077d1b4df9cff6c149f Mon Sep 17 00:00:00 2001 From: Michael Boman Date: Thu, 18 Nov 2021 20:26:52 +0000 Subject: [PATCH 01/16] Fixed CVE-2021-28834 notified by Dependabot --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index d0a93a5f..f98eacf0 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -73,7 +73,7 @@ GEM jekyll-theme-time-machine (= 0.1.1) jekyll-titles-from-headings (= 0.5.3) jemoji (= 0.12.0) - kramdown (= 2.3.0) + kramdown (= 2.3.1) kramdown-parser-gfm (= 1.1.0) liquid (= 4.0.3) mercenary (~> 0.3) @@ -199,7 +199,7 @@ GEM gemoji (~> 3.0) html-pipeline (~> 2.2) jekyll (>= 3.0, < 5.0) - kramdown (2.3.0) + kramdown (2.3.1) rexml kramdown-parser-gfm (1.1.0) kramdown (~> 2.0) From f6557adf995239ee8960ad7e5d8345eae7d3a794 Mon Sep 17 00:00:00 2001 From: Michael Boman Date: Thu, 18 Nov 2021 21:04:40 +0000 Subject: [PATCH 02/16] Update the ruby dependencies to more recent versions to close the CVE-2021-28834 vulnerability. --- Gemfile.lock | 172 ++++++++++++++++++++++++++++----------------------- 1 file changed, 94 insertions(+), 78 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index f98eacf0..55173b86 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -6,7 +6,7 @@ PATH GEM remote: https://rubygems.org/ specs: - activesupport (6.0.3.4) + activesupport (6.0.4.1) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 0.7, < 2) minitest (~> 5.1) 
@@ -21,24 +21,40 @@ GEM colorator (1.1.0) commonmarker (0.17.13) ruby-enum (~> 0.5) - concurrent-ruby (1.1.7) - dnsruby (1.61.5) + concurrent-ruby (1.1.9) + dnsruby (1.61.7) simpleidn (~> 0.1) - em-websocket (0.5.2) + em-websocket (0.5.3) eventmachine (>= 0.12.9) - http_parser.rb (~> 0.6.0) - ethon (0.12.0) - ffi (>= 1.3.0) + http_parser.rb (~> 0) + ethon (0.15.0) + ffi (>= 1.15.0) eventmachine (1.2.7) - execjs (2.7.0) - faraday (1.1.0) + execjs (2.8.1) + faraday (1.8.0) + faraday-em_http (~> 1.0) + faraday-em_synchrony (~> 1.0) + faraday-excon (~> 1.1) + faraday-httpclient (~> 1.0.1) + faraday-net_http (~> 1.0) + faraday-net_http_persistent (~> 1.1) + faraday-patron (~> 1.0) + faraday-rack (~> 1.0) multipart-post (>= 1.2, < 3) - ruby2_keywords - ffi (1.13.1) + ruby2_keywords (>= 0.0.4) + faraday-em_http (1.0.0) + faraday-em_synchrony (1.0.0) + faraday-excon (1.1.0) + faraday-httpclient (1.0.1) + faraday-net_http (1.0.1) + faraday-net_http_persistent (1.2.0) + faraday-patron (1.0.0) + faraday-rack (1.0.0) + ffi (1.15.4) forwardable-extended (2.6.0) gemoji (3.0.1) - github-pages (209) - github-pages-health-check (= 1.16.1) + github-pages (222) + github-pages-health-check (= 1.17.9) jekyll (= 3.9.0) jekyll-avatar (= 0.7.0) jekyll-coffeescript (= 1.1.1) 
@@ -53,24 +69,24 @@ GEM jekyll-readme-index (= 0.3.0) jekyll-redirect-from (= 0.16.0) jekyll-relative-links (= 0.6.1) - jekyll-remote-theme (= 0.4.2) + jekyll-remote-theme (= 0.4.3) jekyll-sass-converter (= 1.5.2) - jekyll-seo-tag (= 2.6.1) + jekyll-seo-tag (= 2.7.1) jekyll-sitemap (= 1.4.0) jekyll-swiss (= 1.0.0) - jekyll-theme-architect (= 0.1.1) - jekyll-theme-cayman (= 0.1.1) - jekyll-theme-dinky (= 0.1.1) - jekyll-theme-hacker (= 0.1.2) - jekyll-theme-leap-day (= 0.1.1) - jekyll-theme-merlot (= 0.1.1) - jekyll-theme-midnight (= 0.1.1) - jekyll-theme-minimal (= 0.1.1) - jekyll-theme-modernist (= 0.1.1) - jekyll-theme-primer (= 0.5.4) - jekyll-theme-slate (= 0.1.1) - jekyll-theme-tactile (= 0.1.1) - jekyll-theme-time-machine (= 0.1.1) + jekyll-theme-architect (= 0.2.0) + jekyll-theme-cayman (= 0.2.0) + jekyll-theme-dinky (= 0.2.0) + jekyll-theme-hacker (= 0.2.0) + jekyll-theme-leap-day (= 0.2.0) + jekyll-theme-merlot (= 0.2.0) + jekyll-theme-midnight (= 0.2.0) + jekyll-theme-minimal (= 0.2.0) + jekyll-theme-modernist (= 0.2.0) + jekyll-theme-primer (= 0.6.0) + jekyll-theme-slate (= 0.2.0) + jekyll-theme-tactile (= 0.2.0) + jekyll-theme-time-machine (= 0.2.0) jekyll-titles-from-headings (= 0.5.3) jemoji (= 0.12.0) kramdown (= 2.3.1) @@ -78,19 +94,19 @@ GEM liquid (= 4.0.3) mercenary (~> 0.3) minima (= 2.5.1) - nokogiri (>= 1.10.4, < 2.0) - rouge (= 3.23.0) + nokogiri (>= 1.12.5, < 2.0) + rouge (= 3.26.0) terminal-table (~> 1.4) - github-pages-health-check (1.16.1) + github-pages-health-check (1.17.9) addressable (~> 2.3) dnsruby (~> 1.60) octokit (~> 4.0) - public_suffix (~> 3.0) + public_suffix (>= 3.0, < 5.0) typhoeus (~> 1.3) html-pipeline (2.14.0) activesupport (>= 2) nokogiri (>= 1.4) - http_parser.rb (0.6.0) + http_parser.rb (0.8.0) i18n (0.9.5) concurrent-ruby (~> 1.0) jekyll (3.9.0) 
@@ -139,57 +155,57 @@ GEM jekyll (>= 3.3, < 5.0) jekyll-relative-links (0.6.1) jekyll (>= 3.3, < 5.0) - jekyll-remote-theme (0.4.2) + jekyll-remote-theme (0.4.3) addressable (~> 2.0) jekyll (>= 3.5, < 5.0) jekyll-sass-converter (>= 1.0, <= 3.0.0, != 2.0.0) rubyzip (>= 1.3.0, < 3.0) jekyll-sass-converter (1.5.2) sass (~> 3.4) - jekyll-seo-tag (2.6.1) - jekyll (>= 3.3, < 5.0) + jekyll-seo-tag (2.7.1) + jekyll (>= 3.8, < 5.0) jekyll-sitemap (1.4.0) jekyll (>= 3.7, < 5.0) jekyll-swiss (1.0.0) - jekyll-theme-architect (0.1.1) - jekyll (~> 3.5) - jekyll-seo-tag (~> 2.0) - jekyll-theme-cayman (0.1.1) - jekyll (~> 3.5) - jekyll-seo-tag (~> 2.0) - jekyll-theme-dinky (0.1.1) - jekyll (~> 3.5) - jekyll-seo-tag (~> 2.0) - jekyll-theme-hacker (0.1.2) + jekyll-theme-architect (0.2.0) jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-leap-day (0.1.1) - jekyll (~> 3.5) + jekyll-theme-cayman (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-merlot (0.1.1) - jekyll (~> 3.5) + jekyll-theme-dinky (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-midnight (0.1.1) - jekyll (~> 3.5) + jekyll-theme-hacker (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-minimal (0.1.1) - jekyll (~> 3.5) + jekyll-theme-leap-day (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-modernist (0.1.1) - jekyll (~> 3.5) + jekyll-theme-merlot (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-primer (0.5.4) + jekyll-theme-midnight (0.2.0) + jekyll (> 3.5, < 5.0) + jekyll-seo-tag (~> 2.0) + jekyll-theme-minimal (0.2.0) + jekyll (> 3.5, < 5.0) + jekyll-seo-tag (~> 2.0) + jekyll-theme-modernist (0.2.0) + jekyll (> 3.5, < 5.0) + jekyll-seo-tag (~> 2.0) + jekyll-theme-primer (0.6.0) jekyll (> 3.5, < 5.0) jekyll-github-metadata (~> 2.9) jekyll-seo-tag (~> 2.0) - jekyll-theme-slate (0.1.1) - jekyll (~> 3.5) + jekyll-theme-slate (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-tactile 
(0.1.1) - jekyll (~> 3.5) + jekyll-theme-tactile (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) - jekyll-theme-time-machine (0.1.1) - jekyll (~> 3.5) + jekyll-theme-time-machine (0.2.0) + jekyll (> 3.5, < 5.0) jekyll-seo-tag (~> 2.0) jekyll-titles-from-headings (0.5.3) jekyll (>= 3.3, < 5.0) @@ -204,7 +220,7 @@ GEM kramdown-parser-gfm (1.1.0) kramdown (~> 2.0) liquid (4.0.3) - listen (3.3.0) + listen (3.7.0) rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) mercenary (0.3.6) @@ -213,27 +229,27 @@ GEM jekyll (>= 3.5, < 5.0) jekyll-feed (~> 0.9) jekyll-seo-tag (~> 2.1) - minitest (5.14.2) + minitest (5.14.4) multipart-post (2.1.1) nokogiri (1.12.5) mini_portile2 (~> 2.6.1) racc (~> 1.4) - octokit (4.19.0) + octokit (4.21.0) faraday (>= 0.9) sawyer (~> 0.8.0, >= 0.5.3) pathutil (0.16.2) forwardable-extended (~> 2.6) - public_suffix (3.1.1) - racc (1.5.2) - rb-fsevent (0.10.4) + public_suffix (4.0.6) + racc (1.6.0) + rb-fsevent (0.11.0) rb-inotify (0.10.1) ffi (~> 1.0) rexml (3.2.5) - rouge (3.23.0) - ruby-enum (0.8.0) + rouge (3.26.0) + ruby-enum (0.9.0) i18n - ruby2_keywords (0.0.2) - rubyzip (2.3.0) + ruby2_keywords (0.0.5) + rubyzip (2.3.2) safe_yaml (1.0.5) sass (3.7.4) sass-listen (~> 4.0.0) @@ -243,20 +259,20 @@ GEM sawyer (0.8.2) addressable (>= 2.3.5) faraday (> 0.8, < 2.0) - simpleidn (0.1.1) + simpleidn (0.2.1) unf (~> 0.1.4) terminal-table (1.8.0) unicode-display_width (~> 1.1, >= 1.1.1) thread_safe (0.3.6) typhoeus (1.4.0) ethon (>= 0.9.0) - tzinfo (1.2.8) + tzinfo (1.2.9) thread_safe (~> 0.1) unf (0.1.4) unf_ext - unf_ext (0.0.7.7) - unicode-display_width (1.7.0) - zeitwerk (2.4.1) + unf_ext (0.0.8) + unicode-display_width (1.8.0) + zeitwerk (2.5.1) PLATFORMS ruby From d190d830db1bff208b1aac0c0f64182512937765 Mon Sep 17 00:00:00 2001 
From: George Allen
Date: Sun, 21 Nov 2021 17:11:37 +0000
Subject: [PATCH 03/16] T1003.008 - additional tests
---
 atomics/T1003.008/T1003.008.yaml | 37 ++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml
index 68ddee87..5a32a791 100644
--- a/atomics/T1003.008/T1003.008.yaml
+++ b/atomics/T1003.008/T1003.008.yaml
@@ -38,3 +38,40 @@ atomic_tests:
 cleanup_command: |
 rm -f #{output_file}
 name: sh
+- name: Access /etc/{shadow,passwd} with a standard bin that's not cat
+ auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
+ description: |
+ Dump /etc/passwd and /etc/shadow using ed
+ supported_platforms:
+ - linux
+ input_arguments:
+ output_file:
+ description: Path where captured results will be placed
+ type: Path
+ default: /tmp/T1003.008.txt
+ executor:
+ command: |
+ echo ,p | ed /etc/{pass,}wd > #{output_file}
+ echo ,p | ed /etc/{sha,}dow > #{output_file}
+ cleanup_command: |
+ rm -f #{output_file}
+ name: bash
+- name: Access /etc/{shadow,passwd} with shell builtins
+ auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
+ description: |
+ Dump /etc/passwd and /etc/shadow using bash builtins
+ supported_platforms:
+ - linux
+ input_arguments:
+ output_file:
+ description: Path where captured results will be placed
+ type: Path
+ default: /tmp/T1003.008.txt
+ executor:
+ command: |
+ function testcat(){ echo "$(< $1)"; }
+ testcat /etc/passwd > #{output_file}
+ testcat /etc/shadow > #{output_file}
+ cleanup_command: |
+ rm -f #{output_file}
+ name: bash
From ba45698be796b86e3709785c63cbe53711228aa7 Mon Sep 17 00:00:00 2001
From: George Allen
Date: Sun, 21 Nov 2021 17:13:14 +0000
Subject: [PATCH 04/16] T1036.006 - add test for space after filename
---
 atomics/T1036.006/T1036.006.yaml | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
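Review bot: The second redirect in each new test truncates the file the first one just wrote: `echo ,p | ed /etc/{sha,}dow > #{output_file}` and `testcat /etc/shadow > #{output_file}` both use `>`, so the captured output only ever holds the /etc/shadow dump and the /etc/passwd contents are lost before anyone can inspect them. Use `>>` on the second command of each test, or wrap both in a `{ ...; } > #{output_file}` group, so the file contains both dumps. In the builtin variant the positional parameter should also be quoted, `function testcat(){ echo "$(< "$1")"; }`, so a path with whitespace cannot be split into several arguments.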
diff --git a/atomics/T1036.006/T1036.006.yaml b/atomics/T1036.006/T1036.006.yaml
index 1d239842..fc5a7d5d 100644
--- a/atomics/T1036.006/T1036.006.yaml
+++ b/atomics/T1036.006/T1036.006.yaml
@@ -1,7 +1,7 @@
 attack_technique: T1036.006
 display_name: 'Masquerading: Space after Filename'
 atomic_tests:
-- name: Space After Filename
+- name: Space After Filename (Manual)
 auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f
 description: |
 Space After Filename
@@ -9,10 +9,25 @@ atomic_tests:
 - macos
 executor:
 steps: |
- 1. 1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
+ 1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
 2. mv execute.txt "execute.txt "
 3. ./execute.txt\
 name: manual
-
+- name: Space After Filename
+ description: |
+ Space after filename.
+ supported_platforms:
+ - macos
+ - linux
+ executor:
+ name: bash
+ command: |
+ mkdir -p /tmp/atomic-test-T1036.006
+ cd /tmp/atomic-test-T1036.006
+ mkdir -p 'testdirwithspaceend\ '
+ touch 'testdirwithspaceend\ /testfile\ '
+ echo -e "a\n#modified $(date -Is)\n.\nw\nq\n" | ed 'endspacetestfile\ '
+ cleanup_command:
+ rm -rf /tmp/atomic-test-T1036.006
From 2e055a11b90316f1f065dcfbf35fde92962e9e27 Mon Sep 17 00:00:00 2001
From: George Allen
Date: Mon, 22 Nov 2021 01:05:59 +0000
Subject: [PATCH 05/16] T1036.006 generate-guids
---
 atomics/T1036.006/T1036.006.yaml | 1 +
 atomics/used_guids.txt | 1 +
 2 files changed, 2 insertions(+)
diff --git a/atomics/T1036.006/T1036.006.yaml b/atomics/T1036.006/T1036.006.yaml
index fc5a7d5d..0e3c4e15 100644
--- a/atomics/T1036.006/T1036.006.yaml
+++ b/atomics/T1036.006/T1036.006.yaml
@@ -16,6 +16,7 @@ atomic_tests:
 3. ./execute.txt\
 name: manual
 - name: Space After Filename
+ auto_generated_guid: b95ce2eb-a093-4cd8-938d-5258cef656ea
 description: |
 Space after filename.
 supported_platforms:
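Review bot: The `cd /tmp/atomic-test-T1036.006` in the new bash test is unchecked, so if the preceding `mkdir -p` fails (for example because that path already exists as a regular file) the following `mkdir`, `touch` and `ed` calls run in whatever directory the runner started from, and the cleanup, which only removes the /tmp directory, leaves those space-suffixed artefacts behind; use `cd /tmp/atomic-test-T1036.006 || exit 1`. The directory name is fixed and predictable under world-writable /tmp, which is presumably acceptable for a lab harness, but it is worth a one-line comment in the description that the test must not be run on a shared host where another user could pre-create or symlink that path.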
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 67b6c4df..e424d8d7 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -821,3 +821,4 @@ f449c933-0891-407f-821e-7916a21a1a6f d3eda496-1fc0-49e9-aff5-3bec5da9fa22 e42d33cd-205c-4acf-ab59-a9f38f6bad9c dddd4aca-bbed-46f0-984d-e4c5971c51ea +b95ce2eb-a093-4cd8-938d-5258cef656ea From 974334e776ff05c8ae6191e30d602540f93f2adf Mon Sep 17 00:00:00 2001 From: George Allen Date: Mon, 22 Nov 2021 01:20:43 +0000 Subject: [PATCH 06/16] T1036.006: tweak based on testing --- atomics/T1036.006/T1036.006.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/atomics/T1036.006/T1036.006.yaml b/atomics/T1036.006/T1036.006.yaml index 0e3c4e15..6e8752fb 100644 --- a/atomics/T1036.006/T1036.006.yaml +++ b/atomics/T1036.006/T1036.006.yaml @@ -27,8 +27,8 @@ atomic_tests: command: | mkdir -p /tmp/atomic-test-T1036.006 cd /tmp/atomic-test-T1036.006 - mkdir -p 'testdirwithspaceend\ ' - touch 'testdirwithspaceend\ /testfile\ ' - echo -e "a\n#modified $(date -Is)\n.\nw\nq\n" | ed 'endspacetestfile\ ' + mkdir -p 'testdirwithspaceend ' + touch 'testdirwithspaceend /testfile1 ' + echo -e "a\n#atomic-test T1036.006\n.\nw\nq\n" | ed 'testdirwithspaceend /testfile1 ' &> /dev/null cleanup_command: rm -rf /tmp/atomic-test-T1036.006 From 50bb3347e26d768b728b5a12dae6af73c7f0606b Mon Sep 17 00:00:00 2001 From: George Allen Date: Mon, 22 Nov 2021 03:11:40 +0000 Subject: [PATCH 07/16] T1036.006: adds the actual masquerading part Added execution, confirmed that the process name shows as `init ` via htop. Between ART, echo, yaml, bash, &c, I could not just `echo '...' > file` with the required escaping and had to resort to more drastic measures with `ed` --- atomics/T1036.006/T1036.006.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/atomics/T1036.006/T1036.006.yaml b/atomics/T1036.006/T1036.006.yaml index 6e8752fb..14c6f51e 100644 --- a/atomics/T1036.006/T1036.006.yaml 
+++ b/atomics/T1036.006/T1036.006.yaml
@@ -28,7 +28,8 @@ atomic_tests:
 mkdir -p /tmp/atomic-test-T1036.006
 cd /tmp/atomic-test-T1036.006
 mkdir -p 'testdirwithspaceend '
- touch 'testdirwithspaceend /testfile1 '
- echo -e "a\n#atomic-test T1036.006\n.\nw\nq\n" | ed 'testdirwithspaceend /testfile1 ' &> /dev/null
+ /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init '/;\nqx/'.\/init ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null
+ chmod +x 'testdirwithspaceend /init '
+ './testdirwithspaceend /init '
 cleanup_command:
 rm -rf /tmp/atomic-test-T1036.006
From 1c28bb03842c1c71d6761ba8b56e0e1f1d3352e0 Mon Sep 17 00:00:00 2001
From: George Allen
Date: Mon, 22 Nov 2021 03:19:29 +0000
Subject: [PATCH 08/16] T1003.008 - fix copy/pasted guids
---
 atomics/T1003.008/T1003.008.yaml | 4 ++--
 atomics/used_guids.txt | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml
index 5a32a791..d9c3c049 100644
--- a/atomics/T1003.008/T1003.008.yaml
+++ b/atomics/T1003.008/T1003.008.yaml
@@ -21,7 +21,7 @@ atomic_tests:
 name: bash
 elevation_required: true
 - name: Access /etc/passwd (Local)
- auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
+ auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713
 description: |
 /etc/passwd file is accessed in Linux environments
 supported_platforms:
@@ -39,7 +39,7 @@ atomic_tests:
 rm -f #{output_file}
 name: sh
 - name: Access /etc/{shadow,passwd} with a standard bin that's not cat
- auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
+ auto_generated_guid: df1a55ae-019d-4120-bc35-94f4bc5c4b0a
 description: |
 Dump /etc/passwd and /etc/shadow using ed
 supported_platforms:
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 67b6c4df..556998a4 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
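Review bot: The message the generated perl script prints says `T1035.006` while the test, the directory name and the technique are all T1036.006, so a detection engineer grepping process output for the technique ID will not find it; change the literal to `running T1036.006 with space after filename to masquerade init`. The interpreter path is hard-coded twice, once in the `#!/usr/bin/perl` shebang and again in `qx/cp \/usr\/bin\/perl 'init '/`; inside the script `qx/cp "$^X" 'init '/` copies whichever perl is actually executing and keeps the two in step on systems where perl is not in /usr/bin. From the surrounding context lines the `cp` and the `'./init '` execution run relative to the /tmp/atomic-test-T1036.006 directory the test `cd`s into, not inside `testdirwithspaceend /`, so the masqueraded process that appears as `init ` is the copied perl binary rather than the script; that is worth one sentence in the description so readers know which artefact to look for.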
@@ -821,3 +821,5 @@ f449c933-0891-407f-821e-7916a21a1a6f d3eda496-1fc0-49e9-aff5-3bec5da9fa22 e42d33cd-205c-4acf-ab59-a9f38f6bad9c dddd4aca-bbed-46f0-984d-e4c5971c51ea +f5aa6543-6cb2-4fae-b9c2-b96e14721713 +df1a55ae-019d-4120-bc35-94f4bc5c4b0a From 3468842c02424c86828ce4c4b22eef072db359c7 Mon Sep 17 00:00:00 2001 From: George Allen Date: Mon, 22 Nov 2021 03:23:39 +0000 Subject: [PATCH 09/16] T1003.008 - fix guids (again) the previous guid fix attempt was done by deleting the auto_generated_guid field, then running bin/generate-guids.rb. But I deleted the field under the wrong, existing test. Swapped the new guid back under the new test, since this didn't hit the jsons yet. --- atomics/T1003.008/T1003.008.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml index d9c3c049..38f1e8ea 100644 --- a/atomics/T1003.008/T1003.008.yaml +++ b/atomics/T1003.008/T1003.008.yaml @@ -21,7 +21,7 @@ atomic_tests: name: bash elevation_required: true - name: Access /etc/passwd (Local) - auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713 + auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d description: | /etc/passwd file is accessed in Linux environments supported_platforms: @@ -57,7 +57,7 @@ atomic_tests: rm -f #{output_file} name: bash - name: Access /etc/{shadow,passwd} with shell builtins - auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d + auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713 description: | Dump /etc/passwd and /etc/shadow using bash builtins supported_platforms: From e96ce08275929e02c5351f86444d35ccc2918e82 Mon Sep 17 00:00:00 2001 From: George Allen Date: Mon, 22 Nov 2021 03:29:56 +0000 Subject: [PATCH 10/16] T1003.008: set elevation_required --- atomics/T1003.008/T1003.008.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml index 38f1e8ea..b53669cf 100644 
--- a/atomics/T1003.008/T1003.008.yaml
+++ b/atomics/T1003.008/T1003.008.yaml
@@ -56,6 +56,7 @@ atomic_tests:
 cleanup_command: |
 rm -f #{output_file}
 name: bash
+ elevation_required: true
 - name: Access /etc/{shadow,passwd} with shell builtins
 auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713
 description: |
@@ -75,3 +76,4 @@ atomic_tests:
 cleanup_command: |
 rm -f #{output_file}
 name: bash
+ elevation_required: true
From 9a304d3485d7638d39ffef36486156f8557ac68d Mon Sep 17 00:00:00 2001
From: George Allen
Date: Tue, 23 Nov 2021 14:19:38 +0000
Subject: [PATCH 11/16] T1003.008 - tweak test to move arg off cmdline
---
 atomics/T1003.008/T1003.008.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml
index b53669cf..491690de 100644
--- a/atomics/T1003.008/T1003.008.yaml
+++ b/atomics/T1003.008/T1003.008.yaml
@@ -51,8 +51,7 @@ atomic_tests:
 default: /tmp/T1003.008.txt
 executor:
 command: |
- echo ,p | ed /etc/{pass,}wd > #{output_file}
- echo ,p | ed /etc/{sha,}dow > #{output_file}
+ echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}
 cleanup_command: |
 rm -f #{output_file}
 name: bash
From 4cf57b9ec86a4564df6f6fec2fdd280e95260eaa Mon Sep 17 00:00:00 2001
From: glallen
Date: Tue, 23 Nov 2021 12:38:03 -0500
Subject: [PATCH 12/16] spec.yaml should be singular to match working yaml (#1674)
Co-authored-by: Carrie Roberts
---
 atomic_red_team/spec.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/atomic_red_team/spec.yaml b/atomic_red_team/spec.yaml
index 7f34d392..45eeb19b 100644
--- a/atomic_red_team/spec.yaml
+++ b/atomic_red_team/spec.yaml
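Review bot: `ed` without `-s` prints the byte count of each file after the `e /etc/passwd` and `e /etc/shadow` commands, so `#{output_file}` ends up with two bare numbers interleaved with the dumps instead of just the file contents; use `echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed -s > #{output_file}`. Driving both reads from one ed session does fix the earlier problem of the second redirect truncating the first dump, but the sibling "shell builtins" test still has it (`testcat /etc/shadow > #{output_file}` overwrites the passwd output) and would benefit from the same treatment with `>>`. The commit title says the change is meant to keep the file names off the command line; that intent is worth stating in the test description so a later cleanup does not fold it back into `ed /etc/shadow`.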
@@ -116,7 +116,7 @@ atomic_tests: # per test, but there are cases where you may have multiple - for example, separate executors for `sh` # and `bash` when working on linux OSes. # Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, `gcloud` and `kubectl`. - executors: + executor: # the name of the executor describes the framework or application in which the test should be executed. # # Each of these executors will have options that the executor needs to run. Possible executors we've imagined @@ -200,6 +200,6 @@ atomic_tests: # in this example we have no input arguments input_arguments: - executors: + executor: - name: bash command: echo "Hello world!" From 1b2cbdba8dc08108787d365c4754bee990f0afda Mon Sep 17 00:00:00 2001 From: George Allen Date: Tue, 23 Nov 2021 22:39:51 +0000 Subject: [PATCH 13/16] T1485 - constrains dd to write the original file size when overwriting --- atomics/T1485/T1485.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1485/T1485.yaml b/atomics/T1485/T1485.yaml index 9d616fc0..98aa04e5 100644 --- a/atomics/T1485/T1485.yaml +++ b/atomics/T1485/T1485.yaml @@ -51,5 +51,5 @@ atomic_tests: default: /var/log/syslog executor: command: | - dd of=#{file_to_overwrite} if=#{overwrite_source} + dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} | awk '{print $5}') iflag=count_bytes name: bash From 6dc53a3a7264d96dddce6a90020e5d91e2ddd3b8 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 7 Dec 2021 16:21:33 +0000 Subject: [PATCH 14/16] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 3 ++- atomics/T1485/T1485.md | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index d1ddb50f..3ffef009 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
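Review bot: In the T1485 hunk, `count=$(ls -l #{file_to_overwrite} | awk '{print $5}')` parses `ls -l` to obtain the size, which fails for an unquoted path containing whitespace and expands to an empty `count=` when the target does not exist, at which point dd aborts with a usage error rather than reporting a missing file; `count=$(stat -c %s "#{file_to_overwrite}")` returns the byte size directly and quotes the path. `iflag=count_bytes` is a GNU dd extension, which presumably matches the Linux intent implied by the `/var/log/syslog` default, but the description should say that the test will not run under BSD/macOS dd. Note that `dd of=` still truncates the target before writing, so with a source shorter than `count` the file is replaced rather than overwritten in place; if in-place overwrite of the original bytes is the behaviour being emulated, `conv=notrunc` should be added and the description should say which is intended.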
@@ -50458,7 +50458,8 @@ impact: type: Path default: "/var/log/syslog" executor: - command: 'dd of=#{file_to_overwrite} if=#{overwrite_source} + command: 'dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l + #{file_to_overwrite} | awk ''{print $5}'') iflag=count_bytes ' name: bash diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md index 0ae51571..c9f916df 100644 --- a/atomics/T1485/T1485.md +++ b/atomics/T1485/T1485.md @@ -91,7 +91,7 @@ To stop the test, break the command with CTRL/CMD+C. ```bash -dd of=#{file_to_overwrite} if=#{overwrite_source} +dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} | awk '{print $5}') iflag=count_bytes ``` From 2e0b4540be511a53166c2c981ddff56c4c5ab5d3 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 7 Dec 2021 16:23:41 +0000 Subject: [PATCH 15/16] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/linux-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 2 + .../Indexes/Indexes-Markdown/linux-index.md | 2 + atomics/Indexes/index.yaml | 43 ++++++++++ atomics/T1003.008/T1003.008.md | 80 +++++++++++++++++++ 6 files changed, 131 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 8b2d133f..ed076b5a 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -1,6 +1,8 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh +credential-access,T1003.008,/etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash +credential-access,T1003.008,/etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index 221725d9..a3056af0 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv 
@@ -1,6 +1,8 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh +credential-access,T1003.008,/etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash +credential-access,T1003.008,/etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 1cdb7c50..a1ad99a0 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -3,6 +3,8 @@ - [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) - Atomic Test #1: Access /etc/shadow (Local) [linux] - Atomic Test #2: Access /etc/passwd (Local) [linux] + - Atomic Test #3: Access /etc/{shadow,passwd} with a standard bin that's not cat [linux] + - Atomic Test #4: Access /etc/{shadow,passwd} with shell builtins [linux] - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md) - Atomic Test #1: Rubeus asreproast [windows] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 30839a16..68648e42 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md 
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -3,6 +3,8 @@ - [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) - Atomic Test #1: Access /etc/shadow (Local) [linux] - Atomic Test #2: Access /etc/passwd (Local) [linux] + - Atomic Test #3: Access /etc/{shadow,passwd} with a standard bin that's not cat [linux] + - Atomic Test #4: Access /etc/{shadow,passwd} with shell builtins [linux] - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1552.003 Bash History](../../T1552.003/T1552.003.md) - Atomic Test #1: Search Through Bash History [linux, macos] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 3ffef009..00c522d2 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -82,6 +82,49 @@ credential-access: ' name: sh + - name: Access /etc/{shadow,passwd} with a standard bin that's not cat + auto_generated_guid: df1a55ae-019d-4120-bc35-94f4bc5c4b0a + description: 'Dump /etc/passwd and /etc/shadow using ed + +' + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: "/tmp/T1003.008.txt" + executor: + command: 'echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file} + +' + cleanup_command: 'rm -f #{output_file} + +' + name: bash + elevation_required: true + - name: Access /etc/{shadow,passwd} with shell builtins + auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713 + description: 'Dump /etc/passwd and /etc/shadow using bash builtins + +' + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: "/tmp/T1003.008.txt" + executor: + command: | + function testcat(){ echo "$(< $1)"; } + testcat /etc/passwd > #{output_file} + testcat /etc/shadow > #{output_file} + cleanup_command: 'rm -f #{output_file} + +' + name: bash + elevation_required: true T1557.002: technique: external_references: diff --git a/atomics/T1003.008/T1003.008.md b/atomics/T1003.008/T1003.008.md index 496d6d4c..1e3e476b 100644 --- a/atomics/T1003.008/T1003.008.md +++ b/atomics/T1003.008/T1003.008.md @@ -11,6 +11,10 @@ The Linux utility, unshadow, can be used to combine the two files in a format su - [Atomic Test #2 - Access /etc/passwd (Local)](#atomic-test-2---access-etcpasswd-local) +- [Atomic Test #3 - Access /etc/{shadow,passwd} with a standard bin that's not cat](#atomic-test-3---access-etcshadowpasswd-with-a-standard-bin-thats-not-cat) + +- [Atomic Test #4 - Access /etc/{shadow,passwd} with shell builtins](#atomic-test-4---access-etcshadowpasswd-with-shell-builtins) +
@@ -87,4 +91,80 @@ rm -f #{output_file} +
+
+ +## Atomic Test #3 - Access /etc/{shadow,passwd} with a standard bin that's not cat +Dump /etc/passwd and /etc/shadow using ed + +**Supported Platforms:** Linux + + +**auto_generated_guid:** df1a55ae-019d-4120-bc35-94f4bc5c4b0a + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt| + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file} +``` + +#### Cleanup Commands: +```bash +rm -f #{output_file} +``` + + + + + +
+
+ +## Atomic Test #4 - Access /etc/{shadow,passwd} with shell builtins +Dump /etc/passwd and /etc/shadow using bash builtins + +**Supported Platforms:** Linux + + +**auto_generated_guid:** f5aa6543-6cb2-4fae-b9c2-b96e14721713 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt| + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +function testcat(){ echo "$(< $1)"; } +testcat /etc/passwd > #{output_file} +testcat /etc/shadow > #{output_file} +``` + +#### Cleanup Commands: +```bash +rm -f #{output_file} +``` + + + + +
From 37ea9657276df35b9de92a5c512eabbcdfdcf95a Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 7 Dec 2021 16:27:21 +0000 Subject: [PATCH 16/16] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-linux.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 3 +- atomics/Indexes/Indexes-CSV/linux-index.csv | 1 + atomics/Indexes/Indexes-CSV/macos-index.csv | 3 +- atomics/Indexes/Indexes-Markdown/index.md | 3 +- .../Indexes/Indexes-Markdown/linux-index.md | 3 +- .../Indexes/Indexes-Markdown/macos-index.md | 3 +- atomics/Indexes/Matrices/linux-matrix.md | 2 +- atomics/Indexes/index.yaml | 22 ++++++++- atomics/T1036.006/T1036.006.md | 45 +++++++++++++++++-- 10 files changed, 75 insertions(+), 12 deletions(-) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json index 2f2cc0aa..9a36de90 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json 
@@ -1 +1 @@ -{"version":"4.2","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"technique
ID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":t
rue,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"commen
t":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled"
:true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":tr
ue,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https
://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1140","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1484.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"},{"techniqueID":"T1484","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-re
d-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1543.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atom
ics/T1546.005/T1546.005.md"},{"techniqueID":"T1547.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team
/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1556.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"},{"techniqueID":"T1556","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/at
omic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1574.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1606.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"},{"techniqueID":"T1606","score":100,"enabled":true,"comment":"https://github.com/redcanary
co/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1610","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]} \ No newline at end of file +{"version":"4.2","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/bl
ob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomi
cs/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}
,{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002
.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"te
chniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1140","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"ena
bled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1484.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"},{"techniqueID":"T1484","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1543.002","score":100,"enabled":true,"comment":"https://g
ithub.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1547.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"commen
t":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1556.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"},{"techniqueID":"T1556","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560.002","score":100,"enab
led":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","sco
re":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1574.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1606.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"},{"techniqueID":"T1606","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1610","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index ed076b5a..5a8e7d61 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -544,7 +544,8 @@ defense-evasion,T1027.002,Software Packing,1,Binary simply packed by UPX (linux)
 defense-evasion,T1027.002,Software Packing,2,"Binary packed by UPX, with modified headers (linux)",f06197f8-ff46-48c2-a0c6-afc1b50665e1,sh
 defense-evasion,T1027.002,Software Packing,3,Binary simply packed by UPX,b16ef901-00bb-4dda-b4fc-a04db5067e20,sh
 defense-evasion,T1027.002,Software Packing,4,"Binary packed by UPX, with modified headers",4d46e16b-5765-4046-9f25-a600d3e65e4d,sh
-defense-evasion,T1036.006,Space after Filename,1,Space After Filename,89a7dd26-e510-4c9f-9b15-f3bae333360f,manual
+defense-evasion,T1036.006,Space after Filename,1,Space After Filename (Manual),89a7dd26-e510-4c9f-9b15-f3bae333360f,manual
+defense-evasion,T1036.006,Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,bash
 defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index a3056af0..88393566 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -139,6 +139,7 @@ defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3
 defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
 defense-evasion,T1548.001,Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
 defense-evasion,T1548.001,Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
+defense-evasion,T1036.006,Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,bash
 defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv
index ac0f5e5c..d17b7253 100644
--- a/atomics/Indexes/Indexes-CSV/macos-index.csv
+++ b/atomics/Indexes/Indexes-CSV/macos-index.csv
@@ -87,7 +87,8 @@ defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3
 defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
 defense-evasion,T1027.002,Software Packing,3,Binary simply packed by UPX,b16ef901-00bb-4dda-b4fc-a04db5067e20,sh
 defense-evasion,T1027.002,Software Packing,4,"Binary packed by UPX, with modified headers",4d46e16b-5765-4046-9f25-a600d3e65e4d,sh
-defense-evasion,T1036.006,Space after Filename,1,Space After Filename,89a7dd26-e510-4c9f-9b15-f3bae333360f,manual
+defense-evasion,T1036.006,Space after Filename,1,Space After Filename (Manual),89a7dd26-e510-4c9f-9b15-f3bae333360f,manual
+defense-evasion,T1036.006,Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,bash
 defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index a1ad99a0..7bf0f085 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -869,7 +869,8 @@
 - Atomic Test #3: Binary simply packed by UPX [macos]
 - Atomic Test #4: Binary packed by UPX, with modified headers [macos]
 - [T1036.006 Space after Filename](../../T1036.006/T1036.006.md)
- - Atomic Test #1: Space After Filename [macos]
+ - Atomic Test #1: Space After Filename (Manual) [macos]
+ - Atomic Test #2: Space After Filename [macos, linux]
 - T1027.003 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index 68648e42..79e481f1 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -311,7 +311,8 @@
 - Atomic Test #3: Set a SetGID flag on file [macos, linux]
 - Atomic Test #4: Make and modify capabilities of a binary [linux]
 - Atomic Test #5: Provide the SetUID capability to a file [linux]
-- T1036.006 Space after Filename [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1036.006 Space after Filename](../../T1036.006/T1036.006.md)
+ - Atomic Test #2: Space After Filename [macos, linux]
 - T1027.003 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md
index 95ed53db..c021013b 100644
--- a/atomics/Indexes/Indexes-Markdown/macos-index.md
+++ b/atomics/Indexes/Indexes-Markdown/macos-index.md
@@ -230,7 +230,8 @@
 - Atomic Test #3: Binary simply packed by UPX [macos]
 - Atomic Test #4: Binary packed by UPX, with modified headers [macos]
 - [T1036.006 Space after Filename](../../T1036.006/T1036.006.md)
- - Atomic Test #1: Space After Filename [macos]
+ - Atomic Test #1: Space After Filename (Manual) [macos]
+ - Atomic Test #2: Space After Filename [macos, linux]
 - T1027.003 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md
index 9e7b7c4f..53034348 100644
--- a/atomics/Indexes/Matrices/linux-matrix.md
+++ b/atomics/Indexes/Matrices/linux-matrix.md @@ -70,7 +70,7 @@ | | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | [Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | | -| | | | | Space after Filename [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | [Space after Filename](../../T1036.006/T1036.006.md) | | | | | | | | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | | | | | | | | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 00c522d2..5e9c5ab3 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -36957,7 +36957,7 @@ defense-evasion: x_mitre_version: '1.0' identifier: T1036.006 atomic_tests: - - name: Space After Filename + - name: Space After Filename (Manual) auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f description: 'Space After Filename 
@@ -36965,10 +36965,28 @@ defense-evasion: supported_platforms: - macos executor: - steps: "1. 1. echo '#!/bin/bash\\necho \"print \\\"hello, world!\\\"\" | /usr/bin/python\\nexit' + steps: "1. echo '#!/bin/bash\\necho \"print \\\"hello, world!\\\"\" | /usr/bin/python\\nexit' > execute.txt && chmod +x execute.txt\n\n2. mv execute.txt \"execute.txt \"\n\n3. ./execute.txt\\ \n" name: manual + - name: Space After Filename + auto_generated_guid: b95ce2eb-a093-4cd8-938d-5258cef656ea + description: 'Space after filename. + +' + supported_platforms: + - macos + - linux + executor: + name: bash + command: | + mkdir -p /tmp/atomic-test-T1036.006 + cd /tmp/atomic-test-T1036.006 + mkdir -p 'testdirwithspaceend ' + /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init '/;\nqx/'.\/init ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null + chmod +x 'testdirwithspaceend /init ' + './testdirwithspaceend /init ' + cleanup_command: rm -rf /tmp/atomic-test-T1036.006 T1027.003: technique: created: '2020-02-05T14:28:16.719Z' diff --git a/atomics/T1036.006/T1036.006.md b/atomics/T1036.006/T1036.006.md index 6a9c6ddc..16f4d969 100644 --- a/atomics/T1036.006/T1036.006.md +++ b/atomics/T1036.006/T1036.006.md @@ -8,12 +8,14 @@ Adversaries can use this feature to trick users into double clicking benign-look ## Atomic Tests -- [Atomic Test #1 - Space After Filename](#atomic-test-1---space-after-filename) +- [Atomic Test #1 - Space After Filename (Manual)](#atomic-test-1---space-after-filename-manual) + +- [Atomic Test #2 - Space After Filename](#atomic-test-2---space-after-filename)
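Review bot: The message the new bash test prints names the wrong technique — `print \"running T1035.006 with space after filename to masquerade init\\n\";` should say `T1036.006`, matching the test's identifier and the `/tmp/atomic-test-T1036.006` working directory two lines above; the same string recurs in the T1036.006.md hunk below, and since index.yaml looks generated the fix belongs in the technique's source yaml followed by a regeneration. The test also lists macos as a supported platform yet invokes `/usr/bin/echo -e`; on macOS echo is normally `/bin/echo` and the BSD binary does not interpret `-e`, so the script piped into `ed` would likely not be what is intended there — worth confirming on a macOS runner before keeping that platform. Writing the script with a quoted heredoc instead of an `ed` session (below) removes both the echo portability problem and the dependency on `ed`, which is not guaranteed on minimal Linux images. Finally, the one-line description `Space after filename.` tells a defender nothing about the observable artefact; a sentence stating that the test copies perl to a file named `init ` (trailing space) inside a directory whose name also ends in a space and then executes it would make the index entry useful for detection.
```yaml
      executor:
        name: bash
        command: |
          mkdir -p /tmp/atomic-test-T1036.006
          cd /tmp/atomic-test-T1036.006
          mkdir -p 'testdirwithspaceend '
          cat > 'testdirwithspaceend /init ' <<'EOF'
          #!/usr/bin/perl
          print "running T1036.006 with space after filename to masquerade init\n";
          qx/cp \/usr\/bin\/perl 'init '/;
          qx/'.\/init ' -e 'sleep 5'/;
          EOF
          chmod +x 'testdirwithspaceend /init '
          './testdirwithspaceend /init '
        # … unchanged: cleanup_command …
```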
-## Atomic Test #1 - Space After Filename +## Atomic Test #1 - Space After Filename (Manual) Space After Filename **Supported Platforms:** macOS @@ -26,7 +28,7 @@ Space After Filename #### Run it with these steps! -1. 1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt +1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt 2. mv execute.txt "execute.txt " @@ -38,4 +40,41 @@ Space After Filename +
+
+ +## Atomic Test #2 - Space After Filename +Space after filename. + +**Supported Platforms:** macOS, Linux + + +**auto_generated_guid:** b95ce2eb-a093-4cd8-938d-5258cef656ea + + + + + + +#### Attack Commands: Run with `bash`! + + +```bash +mkdir -p /tmp/atomic-test-T1036.006 +cd /tmp/atomic-test-T1036.006 +mkdir -p 'testdirwithspaceend ' +/usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init '/;\nqx/'.\/init ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null +chmod +x 'testdirwithspaceend /init ' +'./testdirwithspaceend /init ' +``` + +#### Cleanup Commands: +```bash +rm -rf /tmp/atomic-test-T1036.006 +``` + + + + +