diff --git a/atomic_red_team/atomic_red_team.rb b/atomic_red_team/atomic_red_team.rb
index 24a4c811..f7b63964 100755
--- a/atomic_red_team/atomic_red_team.rb
+++ b/atomic_red_team/atomic_red_team.rb
@@ -142,7 +142,7 @@ class AtomicRedTeam
raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
- valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud']
+ valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud', 'kubectl']
case executor['name']
when 'manual'
raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
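Review bot: `kubectl` now has to be added in two places — the `valid_executor_types` array on the `+` line here and the `when` list in the next hunk (the `@@ -152` hunk) — and nothing in either hunk ties the two together, so the next executor added risks the array and the `case` drifting apart. Derive one from the other, e.g. `when *(valid_executor_types - ['manual'])` in the second hunk, or hold the list once as a frozen class constant (`VALID_EXECUTOR_TYPES = %w[command_prompt sh bash powershell manual aws az gcloud kubectl].freeze`) and splat it in the `when`. Note too that the existing name check on the line above, `=~ /[a-z_]+/`, is unanchored and accepts any string containing a single lowercase letter or underscore, so the new `kubectl` entry is in practice validated only by the `case`; `match?(/\A[a-z_]+\z/)` would enforce what the error message claims. The enclosing validation method starts and ends outside this hunk.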
@@ -152,7 +152,7 @@ class AtomicRedTeam
string: executor['steps'],
string_description: "atomic_tests[#{i}].executor.steps"
- when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud'
+ when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud', 'kubectl'
raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
diff --git a/atomic_red_team/spec.yaml b/atomic_red_team/spec.yaml
index 9ccd2b42..7f34d392 100644
--- a/atomic_red_team/spec.yaml
+++ b/atomic_red_team/spec.yaml
@@ -115,7 +115,7 @@ atomic_tests:
# a list of executors that can execute the attack commands of this atomic test. There are almost always going to be one of these
# per test, but there are cases where you may have multiple - for example, separate executors for `sh`
# and `bash` when working on linux OSes.
- # Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, and `gcloud`.
+ # Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, `gcloud` and `kubectl`.
executors:
# the name of the executor describes the framework or application in which the test should be executed.
#
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index da09d5a0..ebe5a1aa 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -192,6 +192,7 @@ privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-
privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
@@ -565,6 +566,7 @@ persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364
persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+persistence,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index d7c342f8..f06859b0 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -42,6 +42,7 @@ privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-
privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
@@ -164,6 +165,7 @@ persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3
persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+persistence,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 6c7e9586..bb1de4c0 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -370,6 +370,7 @@
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
+ - Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1013,6 +1014,7 @@
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
+ - Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index de2b75a9..2adc7269 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -137,6 +137,7 @@
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
+ - Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
@@ -466,6 +467,7 @@
- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
+ - Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 35161db6..ffb927c7 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -17073,6 +17073,48 @@ privilege-escalation:
rm -rf #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
name: bash
+ - name: Create Systemd Service file, Enable the service , Modify and Reload the
+ service.
+ auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
+ description: "This test creates a systemd service unit file and enables it to
+ autostart on boot. Once service is created and enabled, it also modifies this
+ same service file showcasing both Creation and Modification of system process.
+ \n"
+ supported_platforms:
+ - linux
+ dependencies:
+ - description: 'System must be Ubuntu ,Kali OR CentOS.
+
+'
+ prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat
+ /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i
+ ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi;
+
+'
+ get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS.
+
+'
+ executor:
+ name: bash
+ elevation_required: true
+ command: "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT
+ INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop
+ : \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic
+ Test for Systemd Service Creation\n### END INIT INFO\npython3 -c \"import
+ os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod
+ +x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu)
+ ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002
+ defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then
+ chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali
+ OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho
+ \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\"
+ | sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl
+ restart T1543.002\n"
+ cleanup_command: |
+ systemctl stop T1543.002
+ systemctl disable T1543.002
+ rm -rf /etc/init.d/T1543.002
+ systemctl daemon-reload
T1053.006:
technique:
id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21
@@ -44860,6 +44902,48 @@ persistence:
rm -rf #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
name: bash
+ - name: Create Systemd Service file, Enable the service , Modify and Reload the
+ service.
+ auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
+ description: "This test creates a systemd service unit file and enables it to
+ autostart on boot. Once service is created and enabled, it also modifies this
+ same service file showcasing both Creation and Modification of system process.
+ \n"
+ supported_platforms:
+ - linux
+ dependencies:
+ - description: 'System must be Ubuntu ,Kali OR CentOS.
+
+'
+ prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat
+ /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i
+ ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi;
+
+'
+ get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS.
+
+'
+ executor:
+ name: bash
+ elevation_required: true
+ command: "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT
+ INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop
+ : \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic
+ Test for Systemd Service Creation\n### END INIT INFO\npython3 -c \"import
+ os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod
+ +x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu)
+ ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002
+ defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then
+ chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali
+ OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho
+ \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\"
+ | sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl
+ restart T1543.002\n"
+ cleanup_command: |
+ systemctl stop T1543.002
+ systemctl disable T1543.002
+ rm -rf /etc/init.d/T1543.002
+ systemctl daemon-reload
T1053.006:
technique:
id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21
diff --git a/atomics/T1543.002/T1543.002.md b/atomics/T1543.002/T1543.002.md
index c9bfec54..44951c1c 100644
--- a/atomics/T1543.002/T1543.002.md
+++ b/atomics/T1543.002/T1543.002.md
@@ -16,6 +16,8 @@ While adversaries typically require root privileges to create/modify service uni
- [Atomic Test #1 - Create Systemd Service](#atomic-test-1---create-systemd-service)
+- [Atomic Test #2 - Create Systemd Service file, Enable the service , Modify and Reload the service.](#atomic-test-2---create-systemd-service-file--enable-the-service--modify-and-reload-the-service)
+
@@ -75,4 +77,67 @@ systemctl daemon-reload
+
+
+
+## Atomic Test #2 - Create Systemd Service file, Enable the service , Modify and Reload the service.
+This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process.
+
+**Supported Platforms:** Linux
+
+
+
+
+
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
+
+
+```bash
+cat > /etc/init.d/T1543.002 << EOF
+#!/bin/bash
+### BEGIN INIT INFO
+# Provides : Atomic Test T1543.002
+# Required-Start: $all
+# Required-Stop :
+# Default-Start: 2 3 4 5
+# Default-Stop:
+# Short Description: Atomic Test for Systemd Service Creation
+### END INIT INFO
+python3 -c "import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))"
+EOF
+
+chmod +x /etc/init.d/T1543.002
+if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi ;
+systemctl enable T1543.002
+systemctl start T1543.002
+
+echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002
+systemctl daemon-reload
+systemctl restart T1543.002
+```
+
+#### Cleanup Commands:
+```bash
+systemctl stop T1543.002
+systemctl disable T1543.002
+rm -rf /etc/init.d/T1543.002
+systemctl daemon-reload
+```
+
+
+
+#### Dependencies: Run with `bash`!
+##### Description: System must be Ubuntu ,Kali OR CentOS.
+##### Check Prereq Commands:
+```bash
+if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi;
+```
+##### Get Prereq Commands:
+```bash
+echo Please run from Ubuntu ,Kali OR CentOS.
+```
+
+
+
+
diff --git a/atomics/T1543.002/T1543.002.yaml b/atomics/T1543.002/T1543.002.yaml
index a7adda26..393c59b4 100644
--- a/atomics/T1543.002/T1543.002.yaml
+++ b/atomics/T1543.002/T1543.002.yaml
@@ -68,6 +68,7 @@ atomic_tests:
- name: Create Systemd Service file, Enable the service , Modify and Reload the service.
+ auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
description: |
This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process.
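Review bot: The `prereq_command` of this new test (outside this hunk, but visible on this page in the generated `index.yaml` and `T1543.002.md` entries) ends with `exit /b 0` / `exit /b 1`, which is cmd.exe syntax — under bash `exit` rejects the non-numeric `/b` argument and the check returns a non-zero status on every distribution, so the prerequisite never passes; it should read `then exit 0; else exit 1; fi`. Separately, the attack command's heredoc uses an unquoted `<< EOF`, so `$all` in `# Required-Start: $all` is expanded to an empty string before the init script is written; quoting the delimiter (`<< 'EOF'`) writes the LSB header literally. The `description` also says a systemd unit file is created, while the command actually writes a SysV init script under `/etc/init.d` (presumably picked up by systemd's generator); stating the real path in the description helps anyone tuning detection to the artefact the test produces. The atomic test definition this guid belongs to starts and ends outside this hunk.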
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index e9c19f64..71c27abf 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -709,3 +709,4 @@ e2d85e66-cb66-4ed7-93b1-833fc56c9319
c33f3d80-5f04-419b-a13a-854d1cbdbf3a
126f71af-e1c9-405c-94ef-26a47b16c102
da4f751a-020b-40d7-b9ff-d433b7799803
+c35ac4a8-19de-43af-b9f8-755da7e89c89