Merge branch 'master' into T1110-004-Credential-Stuffing

atomic_red_team/atomic_red_team.rb

@@ -142,7 +142,7 @@ class AtomicRedTeam
       raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
       raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
   
-      valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud']
+      valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud', 'kubectl']
       case executor['name']
         when 'manual'
           raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
@@ -152,7 +152,7 @@ class AtomicRedTeam
                                          string: executor['steps'],
                                          string_description: "atomic_tests[#{i}].executor.steps"
 
-        when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud'
+        when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud', 'kubectl'
           raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
           raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
 

atomic_red_team/spec.yaml

@@ -115,7 +115,7 @@ atomic_tests:
   # a list of executors that can execute the attack commands of this atomic test. There are almost always going to be one of these
   # per test, but there are cases where you may have multiple - for example, separate executors for `sh`
   # and `bash` when working on linux OSes.
-  # Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, and `gcloud`.
+  # Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, `gcloud` and `kubectl`.
   executors:
   # the name of the executor describes the framework or application in which the test should be executed.
   #

atomics/Indexes/Indexes-CSV/index.csv

@@ -192,6 +192,7 @@ privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-
 privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
 privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file,  Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
 privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
 privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
@@ -565,6 +566,7 @@ persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364
 persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
 persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
 persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+persistence,T1543.002,Systemd Service,2,"Create Systemd Service file,  Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
 persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
 persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -42,6 +42,7 @@ privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-
 privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
 privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file,  Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
 privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
 privilege-escalation,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
@@ -164,6 +165,7 @@ persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3
 persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
 persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+persistence,T1543.002,Systemd Service,2,"Create Systemd Service file,  Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
 persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
 persistence,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh

atomics/Indexes/Indexes-Markdown/index.md

@@ -370,6 +370,7 @@
   - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
 - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
   - Atomic Test #1: Create Systemd Service [linux]
+  - Atomic Test #2: Create Systemd Service file,  Enable the service , Modify and Reload the service. [linux]
 - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
   - Atomic Test #1: Create Systemd Service and Timer [linux]
 - T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1013,6 +1014,7 @@
 - T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
   - Atomic Test #1: Create Systemd Service [linux]
+  - Atomic Test #2: Create Systemd Service file,  Enable the service , Modify and Reload the service. [linux]
 - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
   - Atomic Test #1: Create Systemd Service and Timer [linux]
 - T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -137,6 +137,7 @@
   - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
 - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
   - Atomic Test #1: Create Systemd Service [linux]
+  - Atomic Test #2: Create Systemd Service file,  Enable the service , Modify and Reload the service. [linux]
 - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
   - Atomic Test #1: Create Systemd Service and Timer [linux]
 - [T1546.005 Trap](../../T1546.005/T1546.005.md)
@@ -466,6 +467,7 @@
 - T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
   - Atomic Test #1: Create Systemd Service [linux]
+  - Atomic Test #2: Create Systemd Service file,  Enable the service , Modify and Reload the service. [linux]
 - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
   - Atomic Test #1: Create Systemd Service and Timer [linux]
 - T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/index.yaml

@@ -17073,6 +17073,48 @@ privilege-escalation:
           rm -rf #{systemd_service_path}/#{systemd_service_file}
           systemctl daemon-reload
         name: bash
+    - name: Create Systemd Service file,  Enable the service , Modify and Reload the
+        service.
+      auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
+      description: "This test creates a systemd service unit file and enables it to
+        autostart on boot. Once service is created and enabled, it also modifies this
+        same service file showcasing both Creation and Modification of system process.
+        \n"
+      supported_platforms:
+      - linux
+      dependencies:
+      - description: 'System must be Ubuntu ,Kali OR CentOS.
+
+'
+        prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat
+          /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i
+          ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi;
+
+'
+        get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS.
+
+'
+      executor:
+        name: bash
+        elevation_required: true
+        command: "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT
+          INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop
+          : \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic
+          Test for Systemd Service Creation\n### END INIT INFO\npython3 -c \"import
+          os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod
+          +x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu)
+          ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002
+          defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then
+          chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali
+          OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho
+          \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\"
+          | sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl
+          restart T1543.002\n"
+        cleanup_command: |
+          systemctl stop T1543.002
+          systemctl disable T1543.002
+          rm -rf /etc/init.d/T1543.002
+          systemctl daemon-reload
   T1053.006:
     technique:
       id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21
@@ -44860,6 +44902,48 @@ persistence:
           rm -rf #{systemd_service_path}/#{systemd_service_file}
           systemctl daemon-reload
         name: bash
+    - name: Create Systemd Service file,  Enable the service , Modify and Reload the
+        service.
+      auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
+      description: "This test creates a systemd service unit file and enables it to
+        autostart on boot. Once service is created and enabled, it also modifies this
+        same service file showcasing both Creation and Modification of system process.
+        \n"
+      supported_platforms:
+      - linux
+      dependencies:
+      - description: 'System must be Ubuntu ,Kali OR CentOS.
+
+'
+        prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat
+          /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i
+          ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi;
+
+'
+        get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS.
+
+'
+      executor:
+        name: bash
+        elevation_required: true
+        command: "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT
+          INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop
+          : \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic
+          Test for Systemd Service Creation\n### END INIT INFO\npython3 -c \"import
+          os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod
+          +x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu)
+          ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002
+          defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then
+          chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali
+          OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho
+          \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\"
+          | sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl
+          restart T1543.002\n"
+        cleanup_command: |
+          systemctl stop T1543.002
+          systemctl disable T1543.002
+          rm -rf /etc/init.d/T1543.002
+          systemctl daemon-reload
   T1053.006:
     technique:
       id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21

atomics/T1543.002/T1543.002.md

@@ -16,6 +16,8 @@ While adversaries typically require root privileges to create/modify service uni
 
 - [Atomic Test #1 - Create Systemd Service](#atomic-test-1---create-systemd-service)
 
+- [Atomic Test #2 - Create Systemd Service file,  Enable the service , Modify and Reload the service.](#atomic-test-2---create-systemd-service-file--enable-the-service--modify-and-reload-the-service)
+
 
 <br/>
 
@@ -75,4 +77,67 @@ systemctl daemon-reload
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Create Systemd Service file,  Enable the service , Modify and Reload the service.
+This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process.
+
+**Supported Platforms:** Linux
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+cat > /etc/init.d/T1543.002 << EOF
+#!/bin/bash
+### BEGIN INIT INFO
+# Provides : Atomic Test T1543.002
+# Required-Start: $all
+# Required-Stop : 
+# Default-Start: 2 3 4 5
+# Default-Stop: 
+# Short Description: Atomic Test for Systemd Service Creation
+### END INIT INFO
+python3 -c "import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))"
+EOF
+
+chmod +x /etc/init.d/T1543.002
+if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi ;
+systemctl enable T1543.002
+systemctl start T1543.002
+
+echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002
+systemctl daemon-reload
+systemctl restart T1543.002
+```
+
+#### Cleanup Commands:
+```bash
+systemctl stop T1543.002
+systemctl disable T1543.002
+rm -rf /etc/init.d/T1543.002
+systemctl daemon-reload
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: System must be Ubuntu ,Kali OR CentOS.
+##### Check Prereq Commands:
+```bash
+if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi; 
+```
+##### Get Prereq Commands:
+```bash
+echo Please run from Ubuntu ,Kali OR CentOS.
+```
+
+
+
+
 <br/>

atomics/T1543.002/T1543.002.yaml

@@ -68,6 +68,7 @@ atomic_tests:
 
 
 - name: Create Systemd Service file,  Enable the service , Modify and Reload the service.
+  auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
   description: |
     This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process. 
 

atomics/used_guids.txt

@@ -709,3 +709,4 @@ e2d85e66-cb66-4ed7-93b1-833fc56c9319
 c33f3d80-5f04-419b-a13a-854d1cbdbf3a
 126f71af-e1c9-405c-94ef-26a47b16c102
 da4f751a-020b-40d7-b9ff-d433b7799803
+c35ac4a8-19de-43af-b9f8-755da7e89c89