From 4b1bc4557e35363b813553728e8800a1a75f915d Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 19 Nov 2021 18:43:15 +0000 Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 101 +++++++++++++++++---------------- atomics/T1016/T1016.md | 12 ++++ atomics/T1018/T1018.md | 2 +- atomics/T1040/T1040.md | 8 +-- atomics/T1046/T1046.md | 2 +- atomics/T1070.003/T1070.003.md | 8 +-- atomics/T1135/T1135.md | 4 +- atomics/T1486/T1486.md | 4 +- atomics/T1560.001/T1560.001.md | 7 ++- atomics/T1562.001/T1562.001.md | 4 +- 10 files changed, 84 insertions(+), 68 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 98698604..d1ddb50f 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -4361,17 +4361,15 @@ credential-access: default: ens33 dependency_executor_name: bash dependencies: - - description: 'Check if at least one of the tools are installed on the machine. + - description: 'Check if at least one of tcpdump or tshark is installed. ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; ' - get_prereq_command: 'echo "Install tcpdump and/or tshark for the test to run."; - exit 1; - -' + get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which + apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: command: | tcpdump -c 5 -nnni #{interface} 
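Review bot: The new `get_prereq_command` drops yum's `install` verb — `yum -y epel-release tcpdump tshark` makes yum look for a subcommand named `epel-release`, which fails, so on RPM hosts the `||` falls through to the apt-get branch and nothing is installed; it should read `(which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)`. The same line detects the package manager with `which`, which minimal RHEL/CentOS 8 images do not ship, while the `prereq_command` just above already uses POSIX `command -v`; `command -v yum >/dev/null` and `command -v apt-get >/dev/null` keep both checks consistent and stop the resolved path being echoed. Replacing the old `echo ...; exit 1` with an unattended installer also means the prereq step now pulls packet-capture tooling onto the host as root, which deserves a sentence in the test description so operators expect the footprint. The hunk's trailing context lines appear to be cut off in this rendering.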
@@ -4393,17 +4391,15 @@ credential-access: default: en0A dependency_executor_name: bash dependencies: - - description: 'Check if at least one of the tools are installed on the machine. + - description: 'Check if at least one of tcpdump or tshark is installed. ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; ' - get_prereq_command: 'echo "Install tcpdump and/or tshark for the test to run."; - exit 1; - -' + get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which + apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: command: "sudo tcpdump -c 5 -nnni #{interface} \nif [ -x \"$(command -v tshark)\" ]; then sudo tshark -c 5 -i #{interface}; fi;\n" @@ -7571,7 +7567,7 @@ collection: description: Path that should be compressed into our output file, may include wildcards type: Path - default: "$HOME/*.txt" + default: "/var/log/{w,b}tmp" output_file: description: Path that should be output as a zip archive type: Path @@ -7580,14 +7576,13 @@ collection: - description: 'Files to zip must exist (#{input_files}) ' - prereq_command: 'if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else - exit 1; fi; - -' - get_prereq_command: 'echo Please set input_files argument to include files - that exist + prereq_command: 'if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip) + ] ; then exit 0; else exit 1; fi; ' + get_prereq_command: | + (which yum && yum -y epel-release zip)||(which apt-get && apt-get install -y zip) + echo Please set input_files argument to include files that exist executor: name: sh elevation_required: false @@ -7692,9 +7687,8 @@ collection: ]; then exit 1; fi; ' - get_prereq_command: 'echo "Install gpg and zip to run the test"; exit 1; - -' + get_prereq_command: "(which yum && yum -y epel-release zip gpg)||(which apt-get + && apt-get install -y zip gpg)\n" executor: name: sh elevation_required: false 
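Review bot: This dependency block sits under the test whose default interface is `en0A` and whose command uses `sudo tcpdump`, which looks like the macOS variant of T1040, yet the new `get_prereq_command` only knows yum and apt-get — on macOS both `which` lookups fail, the chain exits non-zero and nothing is installed, so the auto-install is dead code there. tcpdump ships with macOS so the check passes anyway; if tshark is wanted, the installer should try Homebrew, e.g. `(which brew && brew install wireshark)`, or the description should state that auto-install is Linux-only. Even as a Linux fallback the line is broken, because `yum -y epel-release tcpdump tshark` lacks the `install` subcommand and should be `yum -y install epel-release tcpdump tshark`. The hunk's trailing context lines appear to be cut off in this rendering.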
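Review bot: The zip check added to `prereq_command`, `[ -x $(which zip) ]`, is always true when zip is missing — `$(which zip)` expands to nothing, leaving the one-argument test `[ -x ]`, which succeeds because the string `-x` is non-empty — so the dependency is reported satisfied in exactly the case it was meant to catch; write `command -v zip >/dev/null 2>&1` instead. The pre-existing `[ $(ls #{input_files} | wc -l) > 0 ]` on the same line has the same shape of bug: inside `[ ]` the `>` is a shell redirection that creates a file named `0` in the working directory and leaves a test that is true for any non-empty count, so `[ "$(ls #{input_files} 2>/dev/null | wc -l)" -gt 0 ]` is what was intended. The new default `/var/log/{w,b}tmp` also depends on brace expansion, which `sh` (dash on Debian/Ubuntu — the rendered T1560.001.md in this patch shows the check runs under `sh`) does not perform, and `/var/log/btmp` is normally mode 0600 root-only while `elevation_required: false` is kept, so non-root runs will fail to read it; either change the default to a glob such as `/var/log/*tmp` and mark elevation as required, or run the dependency under bash. Finally, `yum -y epel-release zip` in `get_prereq_command` is missing the `install` subcommand (`yum -y install zip`; zip is in the base repositories).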
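Review bot: `yum -y epel-release zip gpg` in the new `get_prereq_command` is missing the `install` subcommand, so yum reports an unknown command and the RPM branch installs nothing; and on RPM-based distributions the `gpg` binary is provided by `gnupg2`, not a package called `gpg`, so the corrected line is `yum -y install zip gnupg2` (neither needs EPEL). The `prereq_command` this installer backs already probes both binaries with `command -v` (its tail `]; then exit 1; fi;` is visible in the hunk); using `command -v yum` / `command -v apt-get` in the installer too keeps the checks consistent and works on minimal images where `which` is absent.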
@@ -22255,12 +22249,12 @@ defense-evasion: - description: 'Install sshpass and create user account used for excuting ' - prereq_command: | - /usr/sbin/useradd testuser1 - echo pwd101! | passwd testuser1 --stdin + prereq_command: "$(getent passwd testuser1 >/dev/null) && $(which sshpass + >/dev/null)\n" get_prereq_command: | - yum -y install epel-release - yum -y install sshpass + /usr/sbin/useradd testuser1 + echo -e 'pwd101!\npwd101!' | passwd testuser1 + (which yum && yum -y install epel-release sshpass)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y sshpass) executor: command: 'sshpass -p ''pwd101!'' ssh testuser1@localhost -T hostname @@ -25097,13 +25091,15 @@ defense-evasion: - linux input_arguments: package_checker: - description: Package checking command for linux. Default rpm + description: Package checking command for linux. type: String - default: rpm -q rsyslog + default: "(rpm -q rsyslog 2>&1 >/dev/null) || (dpkg -s rsyslog | grep -q + installed)" package_installer: description: Package installer command for linux. Default yum type: String - default: yum install -y rsyslog + default: "(which yum && yum -y epel-release rsyslog)||(which apt-get && + apt-get install -y rsyslog)" flavor_command: description: Command to disable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog @@ -50572,7 +50568,8 @@ impact: prereq_command: 'which_gpg=`which gpg` ' - get_prereq_command: '' + get_prereq_command: "(which yum && yum -y epel-release gpg)||(which apt-get + && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)\n" executor: name: bash elevation_required: false 
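Review bot: The new `get_prereq_command` sets the password with `echo -e 'pwd101!\npwd101!' | passwd testuser1`, which is fragile under the `sh` executor this dependency appears to run with (the rendered T1070.003.md in this patch lists the prereq under `sh`): dash's builtin `echo` has no `-e` option and prints `-e` literally, so the first password line becomes `-e pwd101!` and `passwd` rejects the mismatched pair, and on many systems `passwd` without `--stdin` reads from the controlling tty rather than the pipe. `echo 'testuser1:pwd101!' | chpasswd` is the portable non-interactive form and also works when the command runs without a tty. The new `prereq_command`, `$(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null)`, relies on the POSIX rule that an empty expansion takes the exit status of its last command substitution — it works, but `getent passwd testuser1 >/dev/null && command -v sshpass >/dev/null` says the same thing without the indirection. Note that this creates a real local account with the fixed weak credential `pwd101!`; the description should state that the cleanup (`userdel -f testuser1` appears in the rendered doc's context) is mandatory, since an aborted run leaves a known-password login on the host.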
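Review bot: In the new `package_checker` default, `rpm -q rsyslog 2>&1 >/dev/null` redirects in the wrong order — stderr is duplicated onto the original stdout before stdout is sent to /dev/null, so on Debian hosts the `rpm: command not found` noise still prints; `rpm -q rsyslog >/dev/null 2>&1` silences both. The `package_installer` default `yum -y epel-release rsyslog` lacks the `install` subcommand (`yum -y install rsyslog`; rsyslog is in the base repositories), and its description still reads "Default yum" although the value is now distro-agnostic. The `dpkg -s rsyslog | grep -q installed` branch matches the `Status:` line loosely; `dpkg-query -W -f='${Status}' rsyslog 2>/dev/null | grep -q 'install ok installed'` is the unambiguous form.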
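Review bot: `yum -y epel-release gpg` in the new `get_prereq_command` drops the `install` subcommand and, on RPM-based distributions, names a package that does not exist — the `gpg` binary comes from `gnupg2` — so the yum branch fails either way; `yum -y install gnupg2` is the working form and EPEL is not needed. The `prereq_command` above it only assigns `which_gpg=` from a backticked `which gpg`; the assignment's exit status is that of the substitution, so the check does work, but `command -v gpg >/dev/null 2>&1` states the intent directly instead of relying on that rule.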
@@ -50657,7 +50654,8 @@ impact: which_ccencrypt=`which ccencrypt` which_ccdecrypt=`which ccdecrypt` if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi - get_prereq_command: '' + get_prereq_command: "(which yum && yum -y epel-release ccrypt)||(which apt-get + && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)\n" executor: name: bash elevation_required: false @@ -54569,10 +54567,8 @@ discovery: fi; ' - get_prereq_command: 'echo "Install nmap on the machine to run the test."; - exit 1; - -' + get_prereq_command: "(which yum && yum -y epel-release nmap)||(which apt-get + && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)\n" executor: command: | nmap -sS #{network_range} -p #{port} @@ -54725,11 +54721,12 @@ discovery: package_checker: description: Package checking command. Debian - dpkg -s samba type: String - default: rpm -q samba + default: "(rpm -q samba &>/dev/null) || (dpkg -s samba | grep -q installed)" package_installer: description: Package installer command. Debian - apt install samba type: String - default: yum install -y samba + default: "(which yum && yum -y epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive + apt-get install -y samba)" dependency_executor_name: bash dependencies: - description: 'Package with smbstatus (samba) must exist on device 
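Review bot: The new installer `yum -y epel-release ccrypt` lacks the `install` verb, and since ccrypt is only in EPEL the repository must be enabled before the package can be resolved — `yum -y install epel-release && yum -y install ccrypt` — rather than both named in one transaction. More importantly, this `get_prereq_command` looks unreachable: the multi-line `prereq_command` above ends with the `if [[ $USER == "root" ]]; then cp ...; fi` step, and a script's exit status is that of its last command, so the check passes whenever the `cp` succeeds regardless of whether `ccencrypt` exists (the two `which_...=` assignments only set variables). Adding `command -v ccencrypt >/dev/null 2>&1 || exit 1` before the `cp` would make the dependency check real and let the installer actually run.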
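Review bot: `yum -y epel-release nmap` is missing the `install` subcommand, so yum fails on an unknown command and the `||` falls through to the apt-get branch on RPM hosts; use `yum -y install nmap` (nmap is in the base repositories, so `epel-release` is not needed). Since this installer now runs unattended and nmap is a binary many host policies flag, the description could say that running the prereq step installs a network scanner on the target.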
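Review bot: The new `package_installer` default `yum -y epel-release samba` is missing the `install` subcommand and should be `yum -y install samba`; samba is in the base repositories, so `epel-release` adds nothing here. The `package_checker` default uses `&>/dev/null`, a bash-only redirection; that is fine given `dependency_executor_name: bash` in this hunk, but `>/dev/null 2>&1` would let the value survive a future switch to `sh`. The `dpkg -s samba | grep -q installed` branch matches loosely; `dpkg-query -W -f='${Status}' samba 2>/dev/null | grep -q 'install ok installed'` is unambiguous.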
@@ -54881,17 +54878,15 @@ discovery: default: ens33 dependency_executor_name: bash dependencies: - - description: 'Check if at least one of the tools are installed on the machine. + - description: 'Check if at least one of tcpdump or tshark is installed. ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; ' - get_prereq_command: 'echo "Install tcpdump and/or tshark for the test to run."; - exit 1; - -' + get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which + apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: command: | tcpdump -c 5 -nnni #{interface} @@ -54913,17 +54908,15 @@ discovery: default: en0A dependency_executor_name: bash dependencies: - - description: 'Check if at least one of the tools are installed on the machine. + - description: 'Check if at least one of tcpdump or tshark is installed. ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; ' - get_prereq_command: 'echo "Install tcpdump and/or tshark for the test to run."; - exit 1; - -' + get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which + apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: command: "sudo tcpdump -c 5 -nnni #{interface} \nif [ -x \"$(command -v tshark)\" ]; then sudo tshark -c 5 -i #{interface}; fi;\n" @@ -55569,9 +55562,8 @@ discovery: fi; ' - get_prereq_command: 'echo "Install arp on the machine."; exit 1; - -' + get_prereq_command: "(which yum && yum -y install net-tools)||(which apt-get + && apt-get install -y net-tools)\n" executor: command: 'arp -a | grep -v ''^?'' 
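Review bot: `yum -y epel-release tcpdump tshark` in this `get_prereq_command` lacks the `install` subcommand, so on RPM hosts yum errors out on an unknown command and the chain falls through to apt-get, installing nothing; it should be `yum -y install epel-release tcpdump tshark`. The `which yum` / `which apt-get` probes are also inconsistent with the `command -v` idiom used in the `prereq_command` just above, and `which` is not installed on minimal RHEL/CentOS 8 images. This appears to be the discovery-tactic copy of the same T1040 dependency block that also appears earlier in index.yaml, so the fix needs to land in the technique YAML the index is generated from, not in the index alone.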
@@ -56488,6 +56480,17 @@ discovery: supported_platforms: - macos - linux + dependency_executor_name: sh + dependencies: + - description: 'Check if arp command exists on the machine + +' + prereq_command: 'if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; + fi; + +' + get_prereq_command: "(which yum && yum -y install net-tools)||(which apt-get + && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)\n" executor: command: | if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi; diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md index 35bd3edd..3a933f3d 100644 --- a/atomics/T1016/T1016.md +++ b/atomics/T1016/T1016.md @@ -117,6 +117,18 @@ if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep +#### Dependencies: Run with `sh`! +##### Description: Check if arp command exists on the machine +##### Check Prereq Commands: +```sh +if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; +``` +##### Get Prereq Commands: +```sh +(which yum && yum -y install net-tools)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools) +``` + +
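Review bot: The new dependency's `get_prereq_command` only handles yum and apt-get although `supported_platforms` in the hunk lists `macos` as well; on macOS both `which` calls fail and the installer exits non-zero, which is harmless only because `arp` ships with the OS and the `command -v arp` check passes first — worth a line in the description so that failure is not mistaken for a bug. With the dependency enforced, the attack command's `else echo "arp is missing from the machine. skipping..."` branch is effectively dead; it can stay as a fallback, but a short comment saying so would help the next maintainer. Installing `net-tools` also pulls a deprecated toolset onto modern Linux hosts; `ip neigh` is the maintained equivalent of `arp -a` if the test is ever revised.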
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index d6da10ad..daa23249 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -220,7 +220,7 @@ if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```sh -echo "Install arp on the machine."; exit 1; +(which yum && yum -y install net-tools)||(which apt-get && apt-get install -y net-tools) ``` diff --git a/atomics/T1040/T1040.md b/atomics/T1040/T1040.md index af431cf0..19954721 100644 --- a/atomics/T1040/T1040.md +++ b/atomics/T1040/T1040.md @@ -51,14 +51,14 @@ tshark -c 5 -i #{interface} #### Dependencies: Run with `bash`! -##### Description: Check if at least one of the tools are installed on the machine. +##### Description: Check if at least one of tcpdump or tshark is installed. ##### Check Prereq Commands: ```bash if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; ``` ##### Get Prereq Commands: ```bash -echo "Install tcpdump and/or tshark for the test to run."; exit 1; +(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark) ``` @@ -99,14 +99,14 @@ if [ -x "$(command -v tshark)" ]; then sudo tshark -c 5 -i #{interface}; fi; #### Dependencies: Run with `bash`! -##### Description: Check if at least one of the tools are installed on the machine. +##### Description: Check if at least one of tcpdump or tshark is installed. ##### Check Prereq Commands: ```bash if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; ``` ##### Get Prereq Commands: ```bash -echo "Install tcpdump and/or tshark for the test to run."; exit 1; +(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark) ``` diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md index d858a9d8..29040d0a 100644 --- a/atomics/T1046/T1046.md 
+++ b/atomics/T1046/T1046.md @@ -92,7 +92,7 @@ if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```sh -echo "Install nmap on the machine to run the test."; exit 1; +(which yum && yum -y epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap) ``` diff --git a/atomics/T1070.003/T1070.003.md b/atomics/T1070.003/T1070.003.md index 8d5e8582..51fdaf74 100644 --- a/atomics/T1070.003/T1070.003.md +++ b/atomics/T1070.003/T1070.003.md @@ -306,13 +306,13 @@ userdel -f testuser1 ##### Description: Install sshpass and create user account used for excuting ##### Check Prereq Commands: ```sh -/usr/sbin/useradd testuser1 -echo pwd101! | passwd testuser1 --stdin +$(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null) ``` ##### Get Prereq Commands: ```sh -yum -y install epel-release -yum -y install sshpass +/usr/sbin/useradd testuser1 +echo -e 'pwd101!\npwd101!' | passwd testuser1 +(which yum && yum -y install epel-release sshpass)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y sshpass) ``` diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md index d0ba4331..d8d36300 100644 --- a/atomics/T1135/T1135.md +++ b/atomics/T1135/T1135.md 
@@ -71,8 +71,8 @@ Network Share Discovery using smbstatus #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| package_checker | Package checking command. Debian - dpkg -s samba | String | rpm -q samba| -| package_installer | Package installer command. Debian - apt install samba | String | yum install -y samba| +| package_checker | Package checking command. Debian - dpkg -s samba | String | (rpm -q samba &>/dev/null) || (dpkg -s samba | grep -q installed)| +| package_installer | Package installer command. Debian - apt install samba | String | (which yum && yum -y epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y samba)| #### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) diff --git a/atomics/T1486/T1486.md b/atomics/T1486/T1486.md index afe77350..f70a901d 100644 --- a/atomics/T1486/T1486.md +++ b/atomics/T1486/T1486.md @@ -64,7 +64,7 @@ which_gpg=`which gpg` ``` ##### Get Prereq Commands: ```bash - +(which yum && yum -y epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg) ``` @@ -170,7 +170,7 @@ if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; els ``` ##### Get Prereq Commands: ```bash - +(which yum && yum -y epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt) ``` diff --git a/atomics/T1560.001/T1560.001.md b/atomics/T1560.001/T1560.001.md index bfb6fb6c..cf27be43 100644 --- a/atomics/T1560.001/T1560.001.md +++ b/atomics/T1560.001/T1560.001.md 
@@ -257,7 +257,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| input_files | Path that should be compressed into our output file, may include wildcards | Path | $HOME/*.txt| +| input_files | Path that should be compressed into our output file, may include wildcards | Path | /var/log/{w,b}tmp| | output_file | Path that should be output as a zip archive | Path | $HOME/data.zip| @@ -279,10 +279,11 @@ rm -f #{output_file} ##### Description: Files to zip must exist (#{input_files}) ##### Check Prereq Commands: ```sh -if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else exit 1; fi; +if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip) ] ; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```sh +(which yum && yum -y epel-release zip)||(which apt-get && apt-get install -y zip) echo Please set input_files argument to include files that exist ``` @@ -426,7 +427,7 @@ if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi ``` ##### Get Prereq Commands: ```sh -echo "Install gpg and zip to run the test"; exit 1; +(which yum && yum -y epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg) ``` diff --git a/atomics/T1562.001/T1562.001.md b/atomics/T1562.001/T1562.001.md index da23d66d..e3deec65 100644 --- a/atomics/T1562.001/T1562.001.md +++ b/atomics/T1562.001/T1562.001.md 
@@ -72,8 +72,8 @@ Disables syslog collection #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| package_checker | Package checking command for linux. Default rpm | String | rpm -q rsyslog| -| package_installer | Package installer command for linux. Default yum | String | yum install -y rsyslog| +| package_checker | Package checking command for linux. | String | (rpm -q rsyslog 2>&1 >/dev/null) || (dpkg -s rsyslog | grep -q installed)| +| package_installer | Package installer command for linux. Default yum | String | (which yum && yum -y epel-release rsyslog)||(which apt-get && apt-get install -y rsyslog)| | flavor_command | Command to disable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog | String | systemctl stop rsyslog ; systemctl disable rsyslog| | cleanup_command | Command to enable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog start ; chkconfig rsyslog on | String | systemctl start rsyslog ; systemctl enable rsyslog|