From 4a5881e34322fd6aeb3f1a78393a0e0d175cd713 Mon Sep 17 00:00:00 2001 From: glallen Date: Fri, 19 Nov 2021 13:42:46 -0500 Subject: [PATCH 1/2] Linux prereq updates (#1673) * T1070.003-9 update (get_)prereq_commmand - moved system changes to the get_prereq(s) - ubuntu `passwd` didn't accept `--stdin` - updated get_prereqs for both ubuntu/centos * T1016 - update prereq * T1018 - update prereq * T1562.001 - update rsyslog prereq * T1560.001 updates dep check/install, update default likely to exist switch to /var/log/wtmp and /var/log/btmp vs ${HOME}/*.txt, since those will always be present tests for zip in the prereq adds deb/rpm install for zip * T1486 - update getprereqs * T1135 - update prereqs * T1046 - update prereqs * T1040 - update prereqs --- atomics/T1016/T1016.yaml | 8 ++++++++ atomics/T1018/T1018.yaml | 2 +- atomics/T1040/T1040.yaml | 8 ++++---- atomics/T1046/T1046.yaml | 2 +- atomics/T1070.003/T1070.003.yaml | 8 ++++---- atomics/T1135/T1135.yaml | 4 ++-- atomics/T1486/T1486.yaml | 2 ++ atomics/T1560.001/T1560.001.yaml | 7 ++++--- atomics/T1562.001/T1562.001.yaml | 6 +++--- 9 files changed, 29 insertions(+), 18 deletions(-) diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml index fe769559..4a0090be 100644 --- a/atomics/T1016/T1016.yaml +++ b/atomics/T1016/T1016.yaml @@ -38,6 +38,14 @@ atomic_tests: supported_platforms: - macos - linux + dependency_executor_name: sh + dependencies: + - description: | + Check if arp command exists on the machine + prereq_command: | + if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; + get_prereq_command: | + (which yum && yum -y install net-tools)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools) executor: command: | if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi; diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml index 8808fc2b..cc5b2c67 100644 --- a/atomics/T1018/T1018.yaml 
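Review bot: The new get_prereq_command for T1016 detects the package manager with `which`, while the prereq_command two lines above it uses `command -v`; `which` is an external binary that minimal images do not always ship, so the same builtin check should be used in both places: `(command -v yum && yum -y install net-tools)||(command -v apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)`. Every other get_prereq_command added in this commit repeats the `which` pattern. The test also lists macos under supported_platforms, where neither yum nor apt-get exists and the chain exits non-zero; that is presumably fine because arp ships with macOS, but the description could say so, e.g. `Check if arp command exists on the machine (auto-install is only attempted on Linux)`.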
+++ b/atomics/T1018/T1018.yaml @@ -83,7 +83,7 @@ atomic_tests: prereq_command: | if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; get_prereq_command: | - echo "Install arp on the machine."; exit 1; + (which yum && yum -y install net-tools)||(which apt-get && apt-get install -y net-tools) executor: command: | arp -a | grep -v '^?' diff --git a/atomics/T1040/T1040.yaml b/atomics/T1040/T1040.yaml index c5d3bed5..e965dde8 100644 --- a/atomics/T1040/T1040.yaml +++ b/atomics/T1040/T1040.yaml @@ -17,11 +17,11 @@ atomic_tests: dependency_executor_name: bash dependencies: - description: | - Check if at least one of the tools are installed on the machine. + Check if at least one of tcpdump or tshark is installed. prereq_command: | if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; get_prereq_command: | - echo "Install tcpdump and/or tshark for the test to run."; exit 1; + (which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark) executor: command: | tcpdump -c 5 -nnni #{interface} @@ -44,11 +44,11 @@ atomic_tests: dependency_executor_name: bash dependencies: - description: | - Check if at least one of the tools are installed on the machine. + Check if at least one of tcpdump or tshark is installed. prereq_command: | if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; get_prereq_command: | - echo "Install tcpdump and/or tshark for the test to run."; exit 1; + (which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark) executor: command: | sudo tcpdump -c 5 -nnni #{interface} diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml index ec13b833..9efe6ac3 100644 --- a/atomics/T1046/T1046.yaml +++ b/atomics/T1046/T1046.yaml 
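Review bot: The apt-get branch in this T1018 get_prereq_command omits `DEBIAN_FRONTEND=noninteractive`, unlike the otherwise identical net-tools install added to T1016.yaml in the same commit, so the two prerequisite installers for the same tool behave differently under unattended runs. The same omission appears in the T1560.001 zip/gpg and T1562.001 rsyslog installers; `(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)` keeps them consistent.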
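Review bot: The yum branch of the new get_prereq_command is missing the `install` subcommand: `yum -y epel-release tcpdump tshark` makes yum treat `epel-release` as the command name and fail, so on RHEL-family hosts the chain falls through to the apt-get branch and the prerequisite is never installed. The same defect is in the second T1040 hunk, T1046, the T1135 package_installer default, both T1486 hunks, both T1560.001 installers and the T1562.001 package_installer default; the fix in each is `yum -y install ...`, e.g. `(which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)`. Where a package actually comes from EPEL, installing `epel-release` in the same transaction probably does not make that repository available to the same resolution pass, so those cases may need `yum -y install epel-release && yum -y install <pkg>` instead.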
@@ -46,7 +46,7 @@ atomic_tests: prereq_command: | if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi; get_prereq_command: | - echo "Install nmap on the machine to run the test."; exit 1; + (which yum && yum -y epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap) executor: command: | nmap -sS #{network_range} -p #{port} diff --git a/atomics/T1070.003/T1070.003.yaml b/atomics/T1070.003/T1070.003.yaml index 672dd07a..694a04bf 100644 --- a/atomics/T1070.003/T1070.003.yaml +++ b/atomics/T1070.003/T1070.003.yaml @@ -108,11 +108,11 @@ atomic_tests: - description: | Install sshpass and create user account used for excuting prereq_command: | - /usr/sbin/useradd testuser1 - echo pwd101! | passwd testuser1 --stdin + $(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null) get_prereq_command: | - yum -y install epel-release - yum -y install sshpass + /usr/sbin/useradd testuser1 + echo -e 'pwd101!\npwd101!' | passwd testuser1 + (which yum && yum -y install epel-release sshpass)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y sshpass) executor: command: | sshpass -p 'pwd101!' ssh testuser1@localhost -T hostname diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml index 84a51fc4..2a295910 100644 --- a/atomics/T1135/T1135.yaml +++ b/atomics/T1135/T1135.yaml @@ -28,11 +28,11 @@ atomic_tests: package_checker: description: Package checking command. Debian - dpkg -s samba type: String - default: rpm -q samba + default: (rpm -q samba &>/dev/null) || (dpkg -s samba | grep -q installed) package_installer: description: Package installer command. Debian - apt install samba type: String - default: yum install -y samba + default: (which yum && yum -y epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y samba) dependency_executor_name: bash dependencies: - description: | 
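Review bot: The new prereq_command wraps both checks in `$(...)`, which runs the command and then tries to execute its (redirected, empty) output; it only works because POSIX sh gives an empty simple command the exit status of its last substitution, and it reads as a mistake. Plain `getent passwd testuser1 >/dev/null && command -v sshpass >/dev/null` expresses the intent directly. In the get_prereq_command, `echo -e` is not portable: if the dependency executor is sh and sh is dash (Debian/Ubuntu), it prints a literal `-e` as the first line, so the two password lines do not match and `passwd` fails; `printf 'pwd101!\npwd101!\n' | passwd testuser1` avoids that, and since many `passwd` builds read from the controlling tty rather than stdin, `echo 'testuser1:pwd101!' | chpasswd` is the more reliable non-interactive form. Note that `useradd testuser1` also fails when the account already exists but sshpass is missing, so the two steps may be better guarded separately.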
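Review bot: The new package_checker default uses `dpkg -s samba | grep -q installed`, which also matches transitional states such as `half-installed` and therefore can report a package as present when it is not usable. Querying the status field explicitly is more precise: `(rpm -q samba &>/dev/null) || (dpkg-query -W -f='${Status}' samba 2>/dev/null | grep -q 'install ok installed')`. The same pattern is used for the T1562.001 package_checker default in this commit. The `&>` redirection is a bash-ism and is fine here since dependency_executor_name is bash, but note the T1562.001 counterpart uses a different redirection form.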
diff --git a/atomics/T1486/T1486.yaml b/atomics/T1486/T1486.yaml index 3e2b9d04..bdf7a69b 100644 --- a/atomics/T1486/T1486.yaml +++ b/atomics/T1486/T1486.yaml @@ -32,6 +32,7 @@ atomic_tests: prereq_command: | which_gpg=`which gpg` get_prereq_command: | + (which yum && yum -y epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg) executor: name: bash elevation_required: false @@ -109,6 +110,7 @@ atomic_tests: which_ccdecrypt=`which ccdecrypt` if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi get_prereq_command: | + (which yum && yum -y epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt) executor: name: bash elevation_required: false diff --git a/atomics/T1560.001/T1560.001.yaml b/atomics/T1560.001/T1560.001.yaml index 21c32954..407b0f30 100644 --- a/atomics/T1560.001/T1560.001.yaml +++ b/atomics/T1560.001/T1560.001.yaml @@ -164,7 +164,7 @@ atomic_tests: input_files: description: Path that should be compressed into our output file, may include wildcards type: Path - default: $HOME/*.txt + default: /var/log/{w,b}tmp output_file: description: Path that should be output as a zip archive type: Path @@ -173,8 +173,9 @@ atomic_tests: - description: | Files to zip must exist (#{input_files}) prereq_command: | - if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else exit 1; fi; + if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip) ] ; then exit 0; else exit 1; fi; get_prereq_command: | + (which yum && yum -y epel-release zip)||(which apt-get && apt-get install -y zip) echo Please set input_files argument to include files that exist executor: name: sh 
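Review bot: The yum branch of the new get_prereq_command asks for a package named `gpg`; on RHEL-family systems the GnuPG package is, as far as I know, `gnupg2` (which provides the gpg binary), so this branch would likely still fail after the missing `install` subcommand is added. If that is confirmed, the line should read `(which yum && yum -y install gnupg2)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)`. The prereq_command above it (`which_gpg=\`which gpg\``) is unchanged by this commit, so the installer is the only thing deciding whether the test can run.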
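Review bot: The new input_files default `/var/log/{w,b}tmp` relies on brace expansion, which is a bash/zsh feature; this test's executor is `name: sh` (visible in the next hunk), and under dash the literal path `/var/log/{w,b}tmp` does not exist, so `ls #{input_files}` fails and the test has no input. Listing both files explicitly, `default: /var/log/wtmp /var/log/btmp`, works in any shell the argument is substituted into. Also, `/var/log/btmp` is commonly readable only by root, so if this test does not require elevation the zip step may fail on it; I cannot see elevation_required in this hunk, so please confirm.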
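Review bot: The added zip check `[ -x $(which zip) ]` never fails: when zip is absent the substitution is empty, the test collapses to the one-argument form `[ -x ]`, which is true for any non-empty string, so the prereq passes and get_prereq_command is never triggered. The `>` inside the first `[ ... ]` is a shell redirection rather than a comparison, creating a file named `0` in the working directory and leaving `[ N ]` always true, so neither half of the condition actually checks anything. A correct form is `if [ "$(ls #{input_files} 2>/dev/null | wc -l)" -gt 0 ] && command -v zip >/dev/null 2>&1; then exit 0; else exit 1; fi;`. Separately, the new get_prereq_command always prints the "Please set input_files" message even when the install succeeded; putting `echo ...` in the `||` fallback of the installer chain would make the message conditional.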
@@ -262,7 +263,7 @@ atomic_tests: prereq_command: | if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi; get_prereq_command: | - echo "Install gpg and zip to run the test"; exit 1; + (which yum && yum -y epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg) executor: name: sh elevation_required: false diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml index 1ce54cac..7ed7e6e6 100644 --- a/atomics/T1562.001/T1562.001.yaml +++ b/atomics/T1562.001/T1562.001.yaml @@ -9,13 +9,13 @@ atomic_tests: - linux input_arguments: package_checker: - description: Package checking command for linux. Default rpm + description: Package checking command for linux. type: String - default: rpm -q rsyslog + default: (rpm -q rsyslog 2>&1 >/dev/null) || (dpkg -s rsyslog | grep -q installed) package_installer: description: Package installer command for linux. Default yum type: String - default: yum install -y rsyslog + default: (which yum && yum -y epel-release rsyslog)||(which apt-get && apt-get install -y rsyslog) flavor_command: description: Command to disable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog type: String From 4b1bc4557e35363b813553728e8800a1a75f915d Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 19 Nov 2021 18:43:15 +0000 Subject: [PATCH 2/2] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 101 +++++++++++++++++---------------- atomics/T1016/T1016.md | 12 ++++ atomics/T1018/T1018.md | 2 +- atomics/T1040/T1040.md | 8 +-- atomics/T1046/T1046.md | 2 +- atomics/T1070.003/T1070.003.md | 8 +-- atomics/T1135/T1135.md | 4 +- atomics/T1486/T1486.md | 4 +- atomics/T1560.001/T1560.001.md | 7 ++- atomics/T1562.001/T1562.001.md | 4 +- 10 files changed, 84 insertions(+), 68 deletions(-) 
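Review bot: In the new package_checker default, `rpm -q rsyslog 2>&1 >/dev/null` redirects stderr to the original stdout and only then sends stdout to /dev/null, so rpm's error output still escapes while its normal output is suppressed — the reverse of what the T1135 counterpart (`&>/dev/null`) does. If the intent is to silence both streams, the order must be `(rpm -q rsyslog >/dev/null 2>&1) || (dpkg -s rsyslog | grep -q installed)`. The package_installer description still says `Default yum` although the default now covers both yum and apt-get; `description: Package installer command for linux.` would match the package_checker description changed in this hunk.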
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 98698604..d1ddb50f 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -4361,17 +4361,15 @@ credential-access: default: ens33 dependency_executor_name: bash dependencies: - - description: 'Check if at least one of the tools are installed on the machine. + - description: 'Check if at least one of tcpdump or tshark is installed. ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; ' - get_prereq_command: 'echo "Install tcpdump and/or tshark for the test to run."; - exit 1; - -' + get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which + apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: command: | tcpdump -c 5 -nnni #{interface} @@ -4393,17 +4391,15 @@ credential-access: default: en0A dependency_executor_name: bash dependencies: - - description: 'Check if at least one of the tools are installed on the machine. + - description: 'Check if at least one of tcpdump or tshark is installed. ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; ' - get_prereq_command: 'echo "Install tcpdump and/or tshark for the test to run."; - exit 1; - -' + get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which + apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: command: "sudo tcpdump -c 5 -nnni #{interface} \nif [ -x \"$(command -v tshark)\" ]; then sudo tshark -c 5 -i #{interface}; fi;\n" @@ -7571,7 +7567,7 @@ collection: description: Path that should be compressed into our output file, may include wildcards type: Path - default: "$HOME/*.txt" + default: "/var/log/{w,b}tmp" output_file: description: Path that should be output as a zip archive type: Path 
@@ -7580,14 +7576,13 @@ collection: - description: 'Files to zip must exist (#{input_files}) ' - prereq_command: 'if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else - exit 1; fi; - -' - get_prereq_command: 'echo Please set input_files argument to include files - that exist + prereq_command: 'if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip) + ] ; then exit 0; else exit 1; fi; ' + get_prereq_command: | + (which yum && yum -y epel-release zip)||(which apt-get && apt-get install -y zip) + echo Please set input_files argument to include files that exist executor: name: sh elevation_required: false @@ -7692,9 +7687,8 @@ collection: ]; then exit 1; fi; ' - get_prereq_command: 'echo "Install gpg and zip to run the test"; exit 1; - -' + get_prereq_command: "(which yum && yum -y epel-release zip gpg)||(which apt-get + && apt-get install -y zip gpg)\n" executor: name: sh elevation_required: false @@ -22255,12 +22249,12 @@ defense-evasion: - description: 'Install sshpass and create user account used for excuting ' - prereq_command: | - /usr/sbin/useradd testuser1 - echo pwd101! | passwd testuser1 --stdin + prereq_command: "$(getent passwd testuser1 >/dev/null) && $(which sshpass + >/dev/null)\n" get_prereq_command: | - yum -y install epel-release - yum -y install sshpass + /usr/sbin/useradd testuser1 + echo -e 'pwd101!\npwd101!' | passwd testuser1 + (which yum && yum -y install epel-release sshpass)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y sshpass) executor: command: 'sshpass -p ''pwd101!'' ssh testuser1@localhost -T hostname 
@@ -25097,13 +25091,15 @@ defense-evasion: - linux input_arguments: package_checker: - description: Package checking command for linux. Default rpm + description: Package checking command for linux. type: String - default: rpm -q rsyslog + default: "(rpm -q rsyslog 2>&1 >/dev/null) || (dpkg -s rsyslog | grep -q + installed)" package_installer: description: Package installer command for linux. Default yum type: String - default: yum install -y rsyslog + default: "(which yum && yum -y epel-release rsyslog)||(which apt-get && + apt-get install -y rsyslog)" flavor_command: description: Command to disable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog @@ -50572,7 +50568,8 @@ impact: prereq_command: 'which_gpg=`which gpg` ' - get_prereq_command: '' + get_prereq_command: "(which yum && yum -y epel-release gpg)||(which apt-get + && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)\n" executor: name: bash elevation_required: false @@ -50657,7 +50654,8 @@ impact: which_ccencrypt=`which ccencrypt` which_ccdecrypt=`which ccdecrypt` if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi - get_prereq_command: '' + get_prereq_command: "(which yum && yum -y epel-release ccrypt)||(which apt-get + && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)\n" executor: name: bash elevation_required: false @@ -54569,10 +54567,8 @@ discovery: fi; ' - get_prereq_command: 'echo "Install nmap on the machine to run the test."; - exit 1; - -' + get_prereq_command: "(which yum && yum -y epel-release nmap)||(which apt-get + && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)\n" executor: command: | nmap -sS #{network_range} -p #{port} 
@@ -54725,11 +54721,12 @@ discovery: package_checker: description: Package checking command. Debian - dpkg -s samba type: String - default: rpm -q samba + default: "(rpm -q samba &>/dev/null) || (dpkg -s samba | grep -q installed)" package_installer: description: Package installer command. Debian - apt install samba type: String - default: yum install -y samba + default: "(which yum && yum -y epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive + apt-get install -y samba)" dependency_executor_name: bash dependencies: - description: 'Package with smbstatus (samba) must exist on device @@ -54881,17 +54878,15 @@ discovery: default: ens33 dependency_executor_name: bash dependencies: - - description: 'Check if at least one of the tools are installed on the machine. + - description: 'Check if at least one of tcpdump or tshark is installed. ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; ' - get_prereq_command: 'echo "Install tcpdump and/or tshark for the test to run."; - exit 1; - -' + get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which + apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: command: | tcpdump -c 5 -nnni #{interface} 
@@ -54913,17 +54908,15 @@ discovery: default: en0A dependency_executor_name: bash dependencies: - - description: 'Check if at least one of the tools are installed on the machine. + - description: 'Check if at least one of tcpdump or tshark is installed. ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; ' - get_prereq_command: 'echo "Install tcpdump and/or tshark for the test to run."; - exit 1; - -' + get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which + apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: command: "sudo tcpdump -c 5 -nnni #{interface} \nif [ -x \"$(command -v tshark)\" ]; then sudo tshark -c 5 -i #{interface}; fi;\n" @@ -55569,9 +55562,8 @@ discovery: fi; ' - get_prereq_command: 'echo "Install arp on the machine."; exit 1; - -' + get_prereq_command: "(which yum && yum -y install net-tools)||(which apt-get + && apt-get install -y net-tools)\n" executor: command: 'arp -a | grep -v ''^?'' @@ -56488,6 +56480,17 @@ discovery: supported_platforms: - macos - linux + dependency_executor_name: sh + dependencies: + - description: 'Check if arp command exists on the machine + +' + prereq_command: 'if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; + fi; + +' + get_prereq_command: "(which yum && yum -y install net-tools)||(which apt-get + && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)\n" executor: command: | if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi; diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md index 35bd3edd..3a933f3d 100644 --- a/atomics/T1016/T1016.md +++ b/atomics/T1016/T1016.md 
@@ -117,6 +117,18 @@ if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep +#### Dependencies: Run with `sh`! +##### Description: Check if arp command exists on the machine +##### Check Prereq Commands: +```sh +if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; +``` +##### Get Prereq Commands: +```sh +(which yum && yum -y install net-tools)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools) +``` + +
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index d6da10ad..daa23249 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -220,7 +220,7 @@ if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```sh -echo "Install arp on the machine."; exit 1; +(which yum && yum -y install net-tools)||(which apt-get && apt-get install -y net-tools) ``` diff --git a/atomics/T1040/T1040.md b/atomics/T1040/T1040.md index af431cf0..19954721 100644 --- a/atomics/T1040/T1040.md +++ b/atomics/T1040/T1040.md @@ -51,14 +51,14 @@ tshark -c 5 -i #{interface} #### Dependencies: Run with `bash`! -##### Description: Check if at least one of the tools are installed on the machine. +##### Description: Check if at least one of tcpdump or tshark is installed. ##### Check Prereq Commands: ```bash if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; ``` ##### Get Prereq Commands: ```bash -echo "Install tcpdump and/or tshark for the test to run."; exit 1; +(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark) ``` @@ -99,14 +99,14 @@ if [ -x "$(command -v tshark)" ]; then sudo tshark -c 5 -i #{interface}; fi; #### Dependencies: Run with `bash`! -##### Description: Check if at least one of the tools are installed on the machine. +##### Description: Check if at least one of tcpdump or tshark is installed. ##### Check Prereq Commands: ```bash if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; ``` ##### Get Prereq Commands: ```bash -echo "Install tcpdump and/or tshark for the test to run."; exit 1; +(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark) ``` diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md index d858a9d8..29040d0a 100644 --- a/atomics/T1046/T1046.md 
+++ b/atomics/T1046/T1046.md @@ -92,7 +92,7 @@ if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```sh -echo "Install nmap on the machine to run the test."; exit 1; +(which yum && yum -y epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap) ``` diff --git a/atomics/T1070.003/T1070.003.md b/atomics/T1070.003/T1070.003.md index 8d5e8582..51fdaf74 100644 --- a/atomics/T1070.003/T1070.003.md +++ b/atomics/T1070.003/T1070.003.md @@ -306,13 +306,13 @@ userdel -f testuser1 ##### Description: Install sshpass and create user account used for excuting ##### Check Prereq Commands: ```sh -/usr/sbin/useradd testuser1 -echo pwd101! | passwd testuser1 --stdin +$(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null) ``` ##### Get Prereq Commands: ```sh -yum -y install epel-release -yum -y install sshpass +/usr/sbin/useradd testuser1 +echo -e 'pwd101!\npwd101!' | passwd testuser1 +(which yum && yum -y install epel-release sshpass)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y sshpass) ``` diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md index d0ba4331..d8d36300 100644 --- a/atomics/T1135/T1135.md +++ b/atomics/T1135/T1135.md 
@@ -71,8 +71,8 @@ Network Share Discovery using smbstatus #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| package_checker | Package checking command. Debian - dpkg -s samba | String | rpm -q samba| -| package_installer | Package installer command. Debian - apt install samba | String | yum install -y samba| +| package_checker | Package checking command. Debian - dpkg -s samba | String | (rpm -q samba &>/dev/null) || (dpkg -s samba | grep -q installed)| +| package_installer | Package installer command. Debian - apt install samba | String | (which yum && yum -y epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y samba)| #### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) diff --git a/atomics/T1486/T1486.md b/atomics/T1486/T1486.md index afe77350..f70a901d 100644 --- a/atomics/T1486/T1486.md +++ b/atomics/T1486/T1486.md @@ -64,7 +64,7 @@ which_gpg=`which gpg` ``` ##### Get Prereq Commands: ```bash - +(which yum && yum -y epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg) ``` @@ -170,7 +170,7 @@ if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; els ``` ##### Get Prereq Commands: ```bash - +(which yum && yum -y epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt) ``` diff --git a/atomics/T1560.001/T1560.001.md b/atomics/T1560.001/T1560.001.md index bfb6fb6c..cf27be43 100644 --- a/atomics/T1560.001/T1560.001.md +++ b/atomics/T1560.001/T1560.001.md 
@@ -257,7 +257,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| input_files | Path that should be compressed into our output file, may include wildcards | Path | $HOME/*.txt| +| input_files | Path that should be compressed into our output file, may include wildcards | Path | /var/log/{w,b}tmp| | output_file | Path that should be output as a zip archive | Path | $HOME/data.zip| @@ -279,10 +279,11 @@ rm -f #{output_file} ##### Description: Files to zip must exist (#{input_files}) ##### Check Prereq Commands: ```sh -if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else exit 1; fi; +if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip) ] ; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```sh +(which yum && yum -y epel-release zip)||(which apt-get && apt-get install -y zip) echo Please set input_files argument to include files that exist ``` @@ -426,7 +427,7 @@ if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi ``` ##### Get Prereq Commands: ```sh -echo "Install gpg and zip to run the test"; exit 1; +(which yum && yum -y epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg) ``` diff --git a/atomics/T1562.001/T1562.001.md b/atomics/T1562.001/T1562.001.md index da23d66d..e3deec65 100644 --- a/atomics/T1562.001/T1562.001.md +++ b/atomics/T1562.001/T1562.001.md 
@@ -72,8 +72,8 @@ Disables syslog collection #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| package_checker | Package checking command for linux. Default rpm | String | rpm -q rsyslog| -| package_installer | Package installer command for linux. Default yum | String | yum install -y rsyslog| +| package_checker | Package checking command for linux. | String | (rpm -q rsyslog 2>&1 >/dev/null) || (dpkg -s rsyslog | grep -q installed)| +| package_installer | Package installer command for linux. Default yum | String | (which yum && yum -y epel-release rsyslog)||(which apt-get && apt-get install -y rsyslog)| | flavor_command | Command to disable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog | String | systemctl stop rsyslog ; systemctl disable rsyslog| | cleanup_command | Command to enable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog start ; chkconfig rsyslog on | String | systemctl start rsyslog ; systemctl enable rsyslog|