From f4338f3e0d6ed87da44eae2c41e490fc2b86f9b6 Mon Sep 17 00:00:00 2001 From: aman143kri <42419157+aman143kri@users.noreply.github.com> Date: Thu, 15 Dec 2022 20:08:54 -0800 Subject: [PATCH 1/6] Added Deploying a docker Fairly straight forward to deploy a container. Details: There was no test case for deploying a container in the atomic-red team and I was working with atomic red team so thought to create a pr for this feature Testing: Tested using ubuntu as the base image. It creates an image and runs that image to check that image is deployed properly. It may take up to a couple of minutes to run due to image creation. If it hangs for longer than a minute, something went wrong. Associated Issues: None --- atomics/T1610/Src/dockerfile | 5 +++++ atomics/T1610/T1610.yaml | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 atomics/T1610/Src/dockerfile create mode 100644 atomics/T1610/T1610.yaml diff --git a/atomics/T1610/Src/dockerfile b/atomics/T1610/Src/dockerfile new file mode 100644 index 00000000..e210c05f --- /dev/null +++ b/atomics/T1610/Src/dockerfile @@ -0,0 +1,5 @@ +FROM ubuntu +ARG DEBIAN_FRONTEND=noninteractive + +RUN echo "1" > /tmp/output.txt && \ + echo ' bin/sh -c "while true; do sleep 30;done;"' > /tmp/script.sh && chmod +x /tmp/script.sh \ No newline at end of file diff --git a/atomics/T1610/T1610.yaml b/atomics/T1610/T1610.yaml new file mode 100644 index 00000000..339901b4 --- /dev/null +++ b/atomics/T1610/T1610.yaml 
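Review bot: The script body written to /tmp/script.sh on the RUN line is ` bin/sh -c "while true; do sleep 30;done;"` — a leading space, no shebang and a relative `bin/sh`, so it only resolves because the image's working directory happens to be `/`; writing the loop itself is more robust: `RUN printf '#!/bin/sh\nwhile true; do sleep 30; done\n' > /tmp/script.sh && chmod +x /tmp/script.sh`. `ARG DEBIAN_FRONTEND=noninteractive` is unused (no apt-get runs in this image) and `/tmp/output.txt` is written but never read by the test or its cleanup, so both can be dropped. `FROM ubuntu` resolves to whatever `latest` is on the day the test runs; pinning a tag such as `ubuntu:22.04` keeps the emulation reproducible. The file is named `dockerfile` while the executor calls `docker build` without `-f`; current builders fall back to the lowercase name, but naming it `Dockerfile` avoids depending on that fallback.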
@@ -0,0 +1,36 @@ +--- +attack_technique: T1610 +display_name: "Deploy a container" + +atomic_tests: +- name: deploycontainer + auto_generated_guid: ab2f9520-a17a-4671-9dba-3bd034099fff + description: | + Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime. They can do this using docker create and docker start commands + + supported_platforms: + - containers + + dependency_executor_name: sh + dependencies: + - description: Verify docker is installed. + prereq_command: | + which docker + get_prereq_command: | + if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi + + - description: Verify docker service is running. + prereq_command: | + sudo systemctl status docker --no-pager + get_prereq_command: | + sudo systemctl start docker + + + executor: + command: | + docker build -t t1610 /home/kali/test/atomic-red-team/atomics/T1610/src/ + docker run --name t1610_container --rm -itd t1610 bash /tmp/script.sh + name: bash + cleanup_command: | + docker stop t1610_container + docker rmi -f t1610:latest From 12f2a903a8af07ee7b5a8b0f925664b2da0aae59 Mon Sep 17 00:00:00 2001 From: aman143kri <42419157+aman143kri@users.noreply.github.com> Date: Fri, 16 Dec 2022 10:49:19 +0530 Subject: [PATCH 2/6] Removed auto_generated_guid --- atomics/T1610/T1610.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1610/T1610.yaml b/atomics/T1610/T1610.yaml index 339901b4..0a7390e9 100644 --- a/atomics/T1610/T1610.yaml +++ b/atomics/T1610/T1610.yaml 
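Review bot: The check on the first `get_prereq_command` line uses `[ "" == "`which docker`" ]`, but `dependency_executor_name` is `sh`, and on Debian/Ubuntu `sh` is dash, whose `[` rejects `==` with `unexpected operator`, so the install branch is never reached; `if [ -z "$(command -v docker)" ]; then` is portable across sh implementations. The apt branch then installs the `docker` package, which on Debian/Ubuntu is not the container engine (that package is `docker.io`), so the prerequisite would still be unmet after it runs. `docker run ... -itd` allocates a TTY for a detached container that never uses it; `-d` alone is sufficient here. The `executor.command` block still builds from the hard-coded `/home/kali/test/...` path, which only works on the author's machine; a later patch in this series replaces it with a variable.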
@@ -4,7 +4,7 @@ display_name: "Deploy a container" atomic_tests: - name: deploycontainer - auto_generated_guid: ab2f9520-a17a-4671-9dba-3bd034099fff + auto_generated_guid: description: | Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime. They can do this using docker create and docker start commands From 8ecc8d8e62afe6356afcd36de4407f1a52b7b1ae Mon Sep 17 00:00:00 2001 From: aman143kri <42419157+aman143kri@users.noreply.github.com> Date: Sat, 24 Dec 2022 14:56:22 +0530 Subject: [PATCH 3/6] Update T1610.yaml Changed the name for the atomic test case, Added references to the description & Changed the path as recommended --- atomics/T1610/T1610.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/T1610/T1610.yaml b/atomics/T1610/T1610.yaml index 0a7390e9..40ad8d7c 100644 --- a/atomics/T1610/T1610.yaml +++ b/atomics/T1610/T1610.yaml @@ -6,7 +6,7 @@ atomic_tests: - name: deploycontainer auto_generated_guid: description: | - Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime. They can do this using docker create and docker start commands + Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime. They can do this using docker create and docker start commands. Kinsing & Doki was exploited using this technique. supported_platforms: - containers @@ -28,7 +28,7 @@ atomic_tests: executor: command: | - docker build -t t1610 /home/kali/test/atomic-red-team/atomics/T1610/src/ + docker build -t t1610 $PathtoAtomicsFolder/T1610/src/ docker run --name t1610_container --rm -itd t1610 bash /tmp/script.sh name: bash cleanup_command: | From 8ba658e5205320dec6f35d2ab036dafb9eb029b5 Mon Sep 17 00:00:00 2001 
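Review bot: The new `docker build` line substitutes `$PathtoAtomicsFolder`, but the input that the Atomic Red Team runner expands is spelled `PathToAtomicsFolder` (capital T); if that is the token the runner replaces, this variable stays empty under bash and the build context collapses to `/T1610/src/`. Quoting it, `docker build -t t1610 "$PathToAtomicsFolder/T1610/src/"`, also survives a path containing spaces. At this commit the directory is still `atomics/T1610/Src`, so on a case-sensitive filesystem the `/src/` path does not exist until the rename in patch 6/6 of this series. The description sentence added in the first hunk, `Kinsing & Doki was exploited using this technique`, reads as if the malware were the victim; `The Kinsing and Doki campaigns used this technique` states the reference clearly.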
From: aman143kri <42419157+aman143kri@users.noreply.github.com> Date: Thu, 5 Jan 2023 08:29:02 +0530 Subject: [PATCH 4/6] Update T1610.yaml --- atomics/T1610/T1610.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1610/T1610.yaml b/atomics/T1610/T1610.yaml index 40ad8d7c..8bd60245 100644 --- a/atomics/T1610/T1610.yaml +++ b/atomics/T1610/T1610.yaml @@ -3,7 +3,7 @@ attack_technique: T1610 display_name: "Deploy a container" atomic_tests: -- name: deploycontainer +- name: Deploy Docker container auto_generated_guid: description: | Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime. They can do this using docker create and docker start commands. Kinsing & Doki was exploited using this technique. From f82a189443cd436c8a6f46c9561ff13dcddf0df8 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 5 Jan 2023 12:15:47 -0800 Subject: [PATCH 5/6] Update T1610.yaml remove guid --- atomics/T1610/T1610.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/atomics/T1610/T1610.yaml b/atomics/T1610/T1610.yaml index 8bd60245..a3e92ff0 100644 --- a/atomics/T1610/T1610.yaml +++ b/atomics/T1610/T1610.yaml @@ -4,7 +4,6 @@ display_name: "Deploy a container" atomic_tests: - name: Deploy Docker container - auto_generated_guid: description: | Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime. They can do this using docker create and docker start commands. Kinsing & Doki was exploited using this technique. From c0769f5783e5b6299b9da76316dd8d6c1bf3e0b3 Mon Sep 17 00:00:00 2001 
From: aman143kri <42419157+aman143kri@users.noreply.github.com> Date: Fri, 6 Jan 2023 03:14:43 +0530 Subject: [PATCH 6/6] Rename atomics/T1610/Src/dockerfile to atomics/T1610/src/dockerfile --- atomics/T1610/{Src => src}/dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename atomics/T1610/{Src => src}/dockerfile (80%) diff --git a/atomics/T1610/Src/dockerfile b/atomics/T1610/src/dockerfile similarity index 80% rename from atomics/T1610/Src/dockerfile rename to atomics/T1610/src/dockerfile index e210c05f..28aec902 100644 --- a/atomics/T1610/Src/dockerfile +++ b/atomics/T1610/src/dockerfile @@ -2,4 +2,4 @@ FROM ubuntu ARG DEBIAN_FRONTEND=noninteractive RUN echo "1" > /tmp/output.txt && \ - echo ' bin/sh -c "while true; do sleep 30;done;"' > /tmp/script.sh && chmod +x /tmp/script.sh \ No newline at end of file + echo ' bin/sh -c "while true; do sleep 30;done;"' > /tmp/script.sh && chmod +x /tmp/script.sh