Merge branch 'master' into insecure-curl

2025-10-06 11:46:05 -04:00
parent 1762ecd901 55c553ddd3
commit 38dff4b4c9
21 changed files with 172 additions and 18 deletions
@@ -7,7 +7,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
        with:
          stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
          stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1742-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1744-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)


 Atomic Red Team™ is a library of tests mapped to the
@@ -540,6 +540,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,55,Disable Ev
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,56,Disable EventLog-Application ETW Provider Via Registry - Cmd,1cac9b54-810e-495c-8aac-989e0076583b,command_prompt
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,57,Disable EventLog-Application ETW Provider Via Registry - PowerShell,8f907648-1ebf-4276-b0f0-e2678ca474f0,powershell
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,58,Freeze PPL-protected process with EDR-Freeze,cbb2573a-a6ad-4c87-aef8-6e175598559b,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,59,Disable ASLR Via sysctl parameters - Linux,ac333fe1-ce2b-400b-a117-538634427439,bash
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
@@ -2155,6 +2156,7 @@ impact,T1489,Service Stop,4,Linux - Stop service using systemctl,42e3a5bd-1e45-4
 impact,T1489,Service Stop,5,Linux - Stop service by killing process using killall,e5d95be6-02ee-4ff1-aebe-cf86013b6189,sh
 impact,T1489,Service Stop,6,Linux - Stop service by killing process using kill,332f4c76-7e96-41a6-8cc2-7361c49db8be,sh
 impact,T1489,Service Stop,7,Linux - Stop service by killing process using pkill,08b4718f-a8bf-4bb5-a552-294fc5178fea,sh
+impact,T1489,Service Stop,8,Abuse of linux magic system request key for Send a SIGTERM to all processes,6e76f56f-2373-4a6c-a63f-98b7b72761f1,bash
 impact,T1491.001,Defacement: Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
 impact,T1491.001,Defacement: Internal Defacement,2,Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message,ffcbfaab-c9ff-470b-928c-f086b326089b,powershell
 impact,T1491.001,Defacement: Internal Defacement,3,ESXi - Change Welcome Message on Direct Console User Interface (DCUI),30905f21-34f3-4504-8b4c-f7a5e314b810,command_prompt
@@ -125,6 +125,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Clear Pagg
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,47,Tamper with Defender ATP on Linux/MacOS,40074085-dbc8-492b-90a3-11bcfc52fda8,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,50,ESXi - Disable Account Lockout Policy via PowerCLI,091a6290-cd29-41cb-81ea-b12f133c66cb,powershell
+defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,59,Disable ASLR Via sysctl parameters - Linux,ac333fe1-ce2b-400b-a117-538634427439,bash
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
 defense-evasion,T1036.003,Masquerading: Rename System Utilities,2,Masquerading as FreeBSD or Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
 defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
@@ -426,6 +427,7 @@ impact,T1489,Service Stop,4,Linux - Stop service using systemctl,42e3a5bd-1e45-4
 impact,T1489,Service Stop,5,Linux - Stop service by killing process using killall,e5d95be6-02ee-4ff1-aebe-cf86013b6189,sh
 impact,T1489,Service Stop,6,Linux - Stop service by killing process using kill,332f4c76-7e96-41a6-8cc2-7361c49db8be,sh
 impact,T1489,Service Stop,7,Linux - Stop service by killing process using pkill,08b4718f-a8bf-4bb5-a552-294fc5178fea,sh
+impact,T1489,Service Stop,8,Abuse of linux magic system request key for Send a SIGTERM to all processes,6e76f56f-2373-4a6c-a63f-98b7b72761f1,bash
 impact,T1531,Account Access Removal,4,Change User Password via passwd,3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6,sh
 impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (FreeBSD/Linux),7b8ce084-3922-4618-8d22-95f996173765,sh
 impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (FreeBSD/Linux),53e6735a-4727-44cc-b35b-237682a151ad,sh
@@ -672,6 +672,7 @@
  - Atomic Test #56: Disable EventLog-Application ETW Provider Via Registry - Cmd [windows]
  - Atomic Test #57: Disable EventLog-Application ETW Provider Via Registry - PowerShell [windows]
  - Atomic Test #58: Freeze PPL-protected process with EDR-Freeze [windows]
+  - Atomic Test #59: Disable ASLR Via sysctl parameters - Linux [linux]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2988,6 +2989,7 @@
  - Atomic Test #5: Linux - Stop service by killing process using killall [linux]
  - Atomic Test #6: Linux - Stop service by killing process using kill [linux]
  - Atomic Test #7: Linux - Stop service by killing process using pkill [linux]
+  - Atomic Test #8: Abuse of linux magic system request key for Send a SIGTERM to all processes [linux]
 - T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -182,6 +182,7 @@
  - Atomic Test #43: Disable Memory Swap [linux]
  - Atomic Test #47: Tamper with Defender ATP on Linux/MacOS [linux, macos]
  - Atomic Test #50: ESXi - Disable Account Lockout Policy via PowerCLI [linux]
+  - Atomic Test #59: Disable ASLR Via sysctl parameters - Linux [linux]
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -833,6 +834,7 @@
  - Atomic Test #5: Linux - Stop service by killing process using killall [linux]
  - Atomic Test #6: Linux - Stop service by killing process using kill [linux]
  - Atomic Test #7: Linux - Stop service by killing process using pkill [linux]
+  - Atomic Test #8: Abuse of linux magic system request key for Send a SIGTERM to all processes [linux]
 - T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -6569,10 +6569,9 @@ defense-evasion:
          type: path
          default: myapp.app
      executor:
-        command: 'sudo xattr -d com.apple.quarantine #{app_path}
+        command: 'xattr -d com.apple.quarantine #{app_path}

          '
-        elevation_required: true
        name: sh
  T1553.002:
    technique:
@@ -23721,6 +23720,21 @@ defense-evasion:
          Write-Output "File deleted: $edrFreezeExe"
        name: powershell
        elevation_required: true
+    - name: Disable ASLR Via sysctl parameters - Linux
+      auto_generated_guid: ac333fe1-ce2b-400b-a117-538634427439
+      description: Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
+        which disables Address Space Layout Randomization (ASLR) in Linux.
+      supported_platforms:
+      - linux
+      executor:
+        command: 'sysctl -w kernel.randomize_va_space=0
+
+          '
+        cleanup_command: 'sysctl -w kernel.randomize_va_space=2
+
+          '
+        name: bash
+        elevation_required: true
  T1601:
    technique:
      type: attack-pattern
@@ -120083,6 +120097,21 @@ impact:
          '
        name: sh
        elevation_required: true
+    - name: Abuse of linux magic system request key for Send a SIGTERM to all processes
+      auto_generated_guid: 6e76f56f-2373-4a6c-a63f-98b7b72761f1
+      description: 'Adversaries with root or sufficient privileges Send a SIGTERM
+        to all processes, except for init. By writing ''e'' to /proc/sysrq-trigger,
+        they can forced kill all processes, except for init.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'echo "e" > /proc/sysrq-trigger
+
+          '
+        name: bash
+        elevation_required: true
  T1499.004:
    technique:
      type: attack-pattern
@@ -120796,9 +120825,9 @@ impact:
              - notepad.exe launched with a ransom-themed text file
              - creation of a ransom-themed text file in %TEMP%
            NON-DESTRUCTIVE Atomic Red Team test.
+      dependency_executor_name: command_prompt
      dependencies:
      - description: Notepad must be present on the system
-        dependency_executor_name: command_prompt
        prereq_command: where notepad
        get_prereq_command: ''
      executor:
@@ -12820,6 +12820,21 @@ defense-evasion:
          | Set-AdvancedSetting -Value '0' -Confirm:$false\nDisconnect-VIServer -Confirm:$false\n"
        name: powershell
        elevation_required: true
+    - name: Disable ASLR Via sysctl parameters - Linux
+      auto_generated_guid: ac333fe1-ce2b-400b-a117-538634427439
+      description: Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
+        which disables Address Space Layout Randomization (ASLR) in Linux.
+      supported_platforms:
+      - linux
+      executor:
+        command: 'sysctl -w kernel.randomize_va_space=0
+
+          '
+        cleanup_command: 'sysctl -w kernel.randomize_va_space=2
+
+          '
+        name: bash
+        elevation_required: true
  T1601:
    technique:
      type: attack-pattern
@@ -71065,6 +71080,21 @@ impact:
          '
        name: sh
        elevation_required: true
+    - name: Abuse of linux magic system request key for Send a SIGTERM to all processes
+      auto_generated_guid: 6e76f56f-2373-4a6c-a63f-98b7b72761f1
+      description: 'Adversaries with root or sufficient privileges Send a SIGTERM
+        to all processes, except for init. By writing ''e'' to /proc/sysrq-trigger,
+        they can forced kill all processes, except for init.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        command: 'echo "e" > /proc/sysrq-trigger
+
+          '
+        name: bash
+        elevation_required: true
  T1499.004:
    technique:
      type: attack-pattern
@@ -3500,10 +3500,9 @@ defense-evasion:
          type: path
          default: myapp.app
      executor:
-        command: 'sudo xattr -d com.apple.quarantine #{app_path}
+        command: 'xattr -d com.apple.quarantine #{app_path}

          '
-        elevation_required: true
        name: sh
  T1553.002:
    technique:
@@ -99879,9 +99879,9 @@ impact:
              - notepad.exe launched with a ransom-themed text file
              - creation of a ransom-themed text file in %TEMP%
            NON-DESTRUCTIVE Atomic Red Team test.
+      dependency_executor_name: command_prompt
      dependencies:
      - description: Notepad must be present on the system
-        dependency_executor_name: command_prompt
        prereq_command: where notepad
        get_prereq_command: ''
      executor:
@@ -24,6 +24,8 @@ Adversaries may accomplish this by disabling individual services of high importa

 - [Atomic Test #7 - Linux - Stop service by killing process using pkill](#atomic-test-7---linux---stop-service-by-killing-process-using-pkill)

+- [Atomic Test #8 - Abuse of linux magic system request key for Send a SIGTERM to all processes](#atomic-test-8---abuse-of-linux-magic-system-request-key-for-send-a-sigterm-to-all-processes)
+

 <br/>

@@ -299,4 +301,32 @@ sudo systemctl start #{service_name} 2> /dev/null



+<br/>
+<br/>
+
+## Atomic Test #8 - Abuse of linux magic system request key for Send a SIGTERM to all processes
+Adversaries with root or sufficient privileges Send a SIGTERM to all processes, except for init. By writing 'e' to /proc/sysrq-trigger, they can forced kill all processes, except for init.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 6e76f56f-2373-4a6c-a63f-98b7b72761f1
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+echo "e" > /proc/sysrq-trigger
+```
+
+
+
+
+
+
 <br/>
@@ -153,3 +153,14 @@ atomic_tests:
      sudo systemctl start #{service_name} 2> /dev/null
    name: sh
    elevation_required: true
+- name: Abuse of linux magic system request key for Send a SIGTERM to all processes
+  auto_generated_guid: 6e76f56f-2373-4a6c-a63f-98b7b72761f1
+  description: |
+    Adversaries with root or sufficient privileges Send a SIGTERM to all processes, except for init. By writing 'e' to /proc/sysrq-trigger, they can forced kill all processes, except for init.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      echo "e" > /proc/sysrq-trigger
+    name: bash
+    elevation_required: true
@@ -289,14 +289,14 @@ catch {



-#### Dependencies:  Run with `powershell`!
+#### Dependencies:  Run with `command_prompt`!
 ##### Description: Notepad must be present on the system
 ##### Check Prereq Commands:
-```powershell
+```cmd
 where notepad
 ```
 ##### Get Prereq Commands:
-```powershell
+```cmd

 ```

@@ -184,9 +184,9 @@ atomic_tests:
          - notepad.exe launched with a ransom-themed text file
          - creation of a ransom-themed text file in %TEMP%
        NON-DESTRUCTIVE Atomic Red Team test.
+  dependency_executor_name: command_prompt
  dependencies:
    - description: Notepad must be present on the system
-      dependency_executor_name: command_prompt
      prereq_command: "where notepad"
      get_prereq_command: ""
  executor:
@@ -45,11 +45,11 @@ Gatekeeper Bypass via command line
 | app_path | Path to app to be used | path | myapp.app|


-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `sh`! 


 ```sh
-sudo xattr -d com.apple.quarantine #{app_path}
+xattr -d com.apple.quarantine #{app_path}
 ```


@@ -14,6 +14,5 @@ atomic_tests:
      default: myapp.app
  executor:
    command: |
-      sudo xattr -d com.apple.quarantine #{app_path}
-    elevation_required: true
+      xattr -d com.apple.quarantine #{app_path}
    name: sh
@@ -136,6 +136,8 @@ Additionally, adversaries may exploit legitimate drivers from anti-virus softwar

 - [Atomic Test #58 - Freeze PPL-protected process with EDR-Freeze](#atomic-test-58---freeze-ppl-protected-process-with-edr-freeze)

+- [Atomic Test #59 - Disable ASLR Via sysctl parameters - Linux](#atomic-test-59---disable-aslr-via-sysctl-parameters---linux)
+

 <br/>

@@ -2616,4 +2618,36 @@ Write-Output "File deleted: $edrFreezeExe"



+<br/>
+<br/>
+
+## Atomic Test #59 - Disable ASLR Via sysctl parameters - Linux
+Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0` which disables Address Space Layout Randomization (ASLR) in Linux.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** ac333fe1-ce2b-400b-a117-538634427439
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sysctl -w kernel.randomize_va_space=0
+```
+
+#### Cleanup Commands:
+```bash
+sysctl -w kernel.randomize_va_space=2
+```
+
+
+
+
+
 <br/>
@@ -1358,3 +1358,15 @@ atomic_tests:
      Write-Output "File deleted: $edrFreezeExe"
    name: powershell
    elevation_required: true
+- name: Disable ASLR Via sysctl parameters - Linux
+  auto_generated_guid: ac333fe1-ce2b-400b-a117-538634427439
+  description: Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0` which disables Address Space Layout Randomization (ASLR) in Linux.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      sysctl -w kernel.randomize_va_space=0
+    cleanup_command: |
+      sysctl -w kernel.randomize_va_space=2
+    name: bash
+    elevation_required: true
@@ -1765,3 +1765,5 @@ d2a1f4bc-a064-4223-8281-a086dce5423c
 361fe49d-0c19-46ec-a483-ccb92d38e88e
 210be7ea-d841-40ec-b3e1-ff610bb62744
 cbb2573a-a6ad-4c87-aef8-6e175598559b
+ac333fe1-ce2b-400b-a117-538634427439
+6e76f56f-2373-4a6c-a63f-98b7b72761f1