Generated docs from job=generate-docs branch=master [ci skip]

2024-07-14 09:30:23 +00:00
parent 6b724e37d0
commit 3c045e1822
16 changed files with 76 additions and 5 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1601-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1602-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -992,6 +992,7 @@ execution,T1059.004,Command and Scripting Interpreter: Bash,10,Change login shel
 execution,T1059.004,Command and Scripting Interpreter: Bash,11,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,12,Detecting pipe-to-shell,fca246a8-a585-4f28-a2df-6495973976a1,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,13,Current kernel information enumeration,3a53734a-9e26-4f4b-ad15-059e767f5f14,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,14,Shell Creation using awk command,ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5,sh
 execution,T1559,Inter-Process Communication,1,Cobalt Strike Artifact Kit pipe,bd13b9fc-b758-496a-b81a-397462f82c72,command_prompt
 execution,T1559,Inter-Process Communication,2,Cobalt Strike Lateral Movement (psexec_psh) pipe,830c8b6c-7a70-4f40-b975-8bbe74558acd,command_prompt
 execution,T1559,Inter-Process Communication,3,Cobalt Strike SSH (postex_ssh) pipe,d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6,command_prompt
@@ -402,6 +402,7 @@ execution,T1059.004,Command and Scripting Interpreter: Bash,10,Change login shel
 execution,T1059.004,Command and Scripting Interpreter: Bash,11,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,12,Detecting pipe-to-shell,fca246a8-a585-4f28-a2df-6495973976a1,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,13,Current kernel information enumeration,3a53734a-9e26-4f4b-ad15-059e767f5f14,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,14,Shell Creation using awk command,ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts,6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables,0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
@@ -247,6 +247,7 @@ execution,T1059.002,Command and Scripting Interpreter: AppleScript,1,AppleScript
 execution,T1569.001,System Services: Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash
 execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,14,Shell Creation using awk command,ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5,sh
 impact,T1531,Account Access Removal,4,Change User Password via passwd,3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6,sh
 impact,T1531,Account Access Removal,5,Delete User via dscl utility,4d938c43-2fe8-4d70-a5b3-5bf239aa7846,sh
 impact,T1531,Account Access Removal,6,Delete User via sysadminctl utility,d3812c4e-30ee-466a-a0aa-07e355b561d6,sh
@@ -1327,6 +1327,7 @@
  - Atomic Test #11: Environment variable scripts [linux]
  - Atomic Test #12: Detecting pipe-to-shell [linux]
  - Atomic Test #13: Current kernel information enumeration [linux]
+  - Atomic Test #14: Shell Creation using awk command [linux, macos]
 - [T1559 Inter-Process Communication](../../T1559/T1559.md)
  - Atomic Test #1: Cobalt Strike Artifact Kit pipe [windows]
  - Atomic Test #2: Cobalt Strike Lateral Movement (psexec_psh) pipe [windows]
@@ -740,6 +740,7 @@
  - Atomic Test #11: Environment variable scripts [linux]
  - Atomic Test #12: Detecting pipe-to-shell [linux]
  - Atomic Test #13: Current kernel information enumeration [linux]
+  - Atomic Test #14: Shell Creation using awk command [linux, macos]
 - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1059.006 Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md)
@@ -596,6 +596,7 @@
 - [T1059.004 Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md)
  - Atomic Test #1: Create and Execute Bash Shell Script [linux, macos]
  - Atomic Test #2: Command-Line Interface [linux, macos]
+  - Atomic Test #14: Shell Creation using awk command [linux, macos]
 - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1059.006 Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -54405,6 +54405,17 @@ execution:
        command: 'uname -srm

          '
+    - name: Shell Creation using awk command
+      auto_generated_guid: ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5
+      description: |-
+        In awk the begin rule runs the first record without reading or interpreting it. This way a shell can be created and used to break out from restricted environments with the awk command.
+        Reference - https://gtfobins.github.io/gtfobins/awk/#shell
+      supported_platforms:
+      - linux
+      - macos
+      executor:
+        command: awk 'BEGIN {system("/bin/sh &")}'
+        name: sh
  T1559:
    technique:
      x_mitre_platforms:
@@ -31659,6 +31659,17 @@ execution:
        command: 'uname -srm

          '
+    - name: Shell Creation using awk command
+      auto_generated_guid: ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5
+      description: |-
+        In awk the begin rule runs the first record without reading or interpreting it. This way a shell can be created and used to break out from restricted environments with the awk command.
+        Reference - https://gtfobins.github.io/gtfobins/awk/#shell
+      supported_platforms:
+      - linux
+      - macos
+      executor:
+        command: awk 'BEGIN {system("/bin/sh &")}'
+        name: sh
  T1559:
    technique:
      x_mitre_platforms:
@@ -29384,6 +29384,17 @@ execution:

          '
        name: sh
+    - name: Shell Creation using awk command
+      auto_generated_guid: ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5
+      description: |-
+        In awk the begin rule runs the first record without reading or interpreting it. This way a shell can be created and used to break out from restricted environments with the awk command.
+        Reference - https://gtfobins.github.io/gtfobins/awk/#shell
+      supported_platforms:
+      - linux
+      - macos
+      executor:
+        command: awk 'BEGIN {system("/bin/sh &")}'
+        name: sh
  T1559:
    technique:
      x_mitre_platforms:
@@ -34,6 +34,8 @@ Adversaries may abuse Unix shells to execute various commands or payloads. Inter

 - [Atomic Test #13 - Current kernel information enumeration](#atomic-test-13---current-kernel-information-enumeration)

+- [Atomic Test #14 - Shell Creation using awk command](#atomic-test-14---shell-creation-using-awk-command)
+

 <br/>

@@ -524,4 +526,33 @@ uname -srm



+<br/>
+<br/>
+
+## Atomic Test #14 - Shell Creation using awk command
+In awk the begin rule runs the first record without reading or interpreting it. This way a shell can be created and used to break out from restricted environments with the awk command.
+Reference - https://gtfobins.github.io/gtfobins/awk/#shell
+
+**Supported Platforms:** Linux, macOS
+
+
+**auto_generated_guid:** ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+awk 'BEGIN {system("/bin/sh &")}'
+```
+
+
+
+
+
+
 <br/>
@@ -244,7 +244,7 @@ atomic_tests:
    command: |
      uname -srm
 - name: Shell Creation using awk command
-  auto_generated_guid: 
+  auto_generated_guid: ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5
  description: |-
    In awk the begin rule runs the first record without reading or interpreting it. This way a shell can be created and used to break out from restricted environments with the awk command.
    Reference - https://gtfobins.github.io/gtfobins/awk/#shell
@@ -1640,3 +1640,4 @@ e672a340-a933-447c-954c-d68db38a09b1
 5a496325-0115-4274-8eb9-755b649ad0fb
 0d4f2281-f720-4572-adc8-d5bb1618affe
 b0cdacf6-8949-4ffe-9274-a9643a788e55
+ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5