Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -709,6 +709,7 @@ execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute
 execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,5,New script file in the tmp directory,8cd1947b-4a54-41fb-b5ea-07d0ace04f81,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -257,6 +257,7 @@ execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute
 execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,5,New script file in the tmp directory,8cd1947b-4a54-41fb-b5ea-07d0ace04f81,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh

atomics/Indexes/Indexes-Markdown/index.md

@@ -1093,6 +1093,7 @@
   - Atomic Test #2: Command-Line Interface [macos, linux]
   - Atomic Test #3: Harvest SUID executable files [linux]
   - Atomic Test #4: LinEnum tool execution [linux]
+  - Atomic Test #5: New script file in the tmp directory [linux]
 - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1204.003 Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -641,6 +641,7 @@
   - Atomic Test #2: Command-Line Interface [macos, linux]
   - Atomic Test #3: Harvest SUID executable files [linux]
   - Atomic Test #4: LinEnum tool execution [linux]
+  - Atomic Test #5: New script file in the tmp directory [linux]
 - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -47275,6 +47275,27 @@ execution:
 
           '
         name: sh
+    - name: New script file in the tmp directory
+      auto_generated_guid: 8cd1947b-4a54-41fb-b5ea-07d0ace04f81
+      description: 'An attacker may create script files in the /tmp directory using
+        the mktemp utility and execute them. The following commands creates a temp
+        file and places a pointer to it in the variable $TMPFILE, echos the string
+        id into it, and then executes the file using bash, which results in the id
+        command being executed.
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        name: sh
+        elevation_required: false
+        command: |
+          TMPFILE=$(mktemp)
+          echo "id" > $TMPFILE
+          bash $TMPFILE
+        cleanup_command: |
+          rm $TMPFILE
+          unset TMPFILE
   T1559:
     technique:
       x_mitre_platforms:

atomics/T1059.004/T1059.004.md

@@ -16,6 +16,8 @@ Adversaries may abuse Unix shells to execute various commands or payloads. Inter
 
 - [Atomic Test #4 - LinEnum tool execution](#atomic-test-4---linenum-tool-execution)
 
+- [Atomic Test #5 - New script file in the tmp directory](#atomic-test-5---new-script-file-in-the-tmp-directory)
+
 
 <br/>
 
@@ -193,4 +195,39 @@ curl --create-dirs #{linenum_url} --output #{linenum}
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - New script file in the tmp directory
+An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which results in the id command being executed.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 8cd1947b-4a54-41fb-b5ea-07d0ace04f81
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+TMPFILE=$(mktemp)
+echo "id" > $TMPFILE
+bash $TMPFILE
+```
+
+#### Cleanup Commands:
+```sh
+rm $TMPFILE
+unset TMPFILE
+```
+
+
+
+
+
 <br/>