From 71a7a77e62d1067726aeceb116d0d9f2fc090483 Mon Sep 17 00:00:00 2001
From: patel-bhavin
Date: Fri, 4 Jun 2021 14:30:15 -0700
Subject: [PATCH 1/3] adding kubectl to spec
---
 atomic_red_team/atomic_red_team.rb | 4 ++--
 atomic_red_team/spec.yaml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/atomic_red_team/atomic_red_team.rb b/atomic_red_team/atomic_red_team.rb
index 24a4c811..f7b63964 100755
--- a/atomic_red_team/atomic_red_team.rb
+++ b/atomic_red_team/atomic_red_team.rb
@@ -142,7 +142,7 @@ class AtomicRedTeam
 raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
 raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
- valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud']
+ valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud', 'kubectl']
 case executor['name']
 when 'manual'
 raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
@@ -152,7 +152,7 @@ class AtomicRedTeam
 string: executor['steps'],
 string_description: "atomic_tests[#{i}].executor.steps"
- when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud'
+ when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud', 'kubectl'
 raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
 raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
diff --git a/atomic_red_team/spec.yaml b/atomic_red_team/spec.yaml
index 9ccd2b42..7f34d392 100644
--- a/atomic_red_team/spec.yaml
+++ b/atomic_red_team/spec.yaml
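Review bot: The `when` clause in the second hunk now repeats `valid_executor_types` minus `'manual'`, and this commit had to edit both places to add `'kubectl'`; the next executor added to one list and forgotten in the other will silently fall through, so derive the clause from the array, e.g. `when *(valid_executor_types - ['manual'])`, or hoist the array into a frozen constant and splat that. The adjacent context line `unless executor['name'] =~ /[a-z_]+/` is unanchored, so a name containing a single lowercase letter or underscore passes even though the message promises "lowercased and underscored"; `unless executor['name'].match?(/\A[a-z_]+\z/)` enforces what the message states (pre-existing, not introduced here, but worth fixing while the executor list is being extended). The enclosing validation method starts before the first hunk and continues after the second.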
@@ -115,7 +115,7 @@ atomic_tests:
 # a list of executors that can execute the attack commands of this atomic test. There are almost always going to be one of these
 # per test, but there are cases where you may have multiple - for example, separate executors for `sh`
 # and `bash` when working on linux OSes.
- # Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, and `gcloud`.
+ # Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, `gcloud` and `kubectl`.
 executors:
 # the name of the executor describes the framework or application in which the test should be executed.
 #
From 22d753d55ba0e0a675ccab01422859c104fda390 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team GUID generator
Date: Mon, 7 Jun 2021 15:44:12 +0000
Subject: [PATCH 2/3] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/T1543.002/T1543.002.yaml | 1 +
 atomics/used_guids.txt | 1 +
 2 files changed, 2 insertions(+)
diff --git a/atomics/T1543.002/T1543.002.yaml b/atomics/T1543.002/T1543.002.yaml
index a7adda26..393c59b4 100644
--- a/atomics/T1543.002/T1543.002.yaml
+++ b/atomics/T1543.002/T1543.002.yaml
@@ -68,6 +68,7 @@ atomic_tests:
 - name: Create Systemd Service file, Enable the service , Modify and Reload the service.
+ auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
 description: |
 This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process.
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index e9c19f64..71c27abf 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -709,3 +709,4 @@ e2d85e66-cb66-4ed7-93b1-833fc56c9319
 c33f3d80-5f04-419b-a13a-854d1cbdbf3a
 126f71af-e1c9-405c-94ef-26a47b16c102
 da4f751a-020b-40d7-b9ff-d433b7799803
+c35ac4a8-19de-43af-b9f8-755da7e89c89
From 72c90344983e8e21789ef177ae15825a4c852f79 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 7 Jun 2021 15:44:18 +0000 Subject: [PATCH 3/3] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/linux-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 2 + .../Indexes/Indexes-Markdown/linux-index.md | 2 + atomics/Indexes/index.yaml | 84 +++++++++++++++++++ atomics/T1543.002/T1543.002.md | 65 ++++++++++++++ 6 files changed, 157 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index da09d5a0..ebe5a1aa 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -192,6 +192,7 @@ privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e- privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash +privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell 
@@ -565,6 +566,7 @@ persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364 persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash +persistence,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index d7c342f8..f06859b0 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv 
@@ -42,6 +42,7 @@ privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e- privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash +privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh privilege-escalation,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh @@ -164,6 +165,7 @@ persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3 persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash +persistence,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh persistence,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh 
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 6c7e9586..bb1de4c0 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -370,6 +370,7 @@ - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux] - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) - Atomic Test #1: Create Systemd Service [linux] + - Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux] - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md) - Atomic Test #1: Create Systemd Service and Timer [linux] - T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -1013,6 +1014,7 @@ - T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) - Atomic Test #1: Create Systemd Service [linux] + - Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux] - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md) - Atomic Test #1: Create Systemd Service and Timer [linux] - T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index de2b75a9..2adc7269 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md 
@@ -137,6 +137,7 @@ - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux] - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) - Atomic Test #1: Create Systemd Service [linux] + - Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux] - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md) - Atomic Test #1: Create Systemd Service and Timer [linux] - [T1546.005 Trap](../../T1546.005/T1546.005.md) @@ -466,6 +467,7 @@ - T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) - Atomic Test #1: Create Systemd Service [linux] + - Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux] - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md) - Atomic Test #1: Create Systemd Service and Timer [linux] - T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 35161db6..ffb927c7 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -17073,6 +17073,48 @@ privilege-escalation: rm -rf #{systemd_service_path}/#{systemd_service_file} systemctl daemon-reload name: bash + - name: Create Systemd Service file, Enable the service , Modify and Reload the + service. + auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89 + description: "This test creates a systemd service unit file and enables it to + autostart on boot. Once service is created and enabled, it also modifies this + same service file showcasing both Creation and Modification of system process. + \n" + supported_platforms: + - linux + dependencies: + - description: 'System must be Ubuntu ,Kali OR CentOS. + +' + prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat + /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i + ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi; + +' + get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS. + +' + executor: + name: bash + elevation_required: true + command: "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT + INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop + : \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic + Test for Systemd Service Creation\n### END INIT INFO\npython3 -c \"import + os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod + +x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu) + ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 + defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then + chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali + OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho + \"python3 -c \\\"import os, 
base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\" + | sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl + restart T1543.002\n" + cleanup_command: | + systemctl stop T1543.002 + systemctl disable T1543.002 + rm -rf /etc/init.d/T1543.002 + systemctl daemon-reload T1053.006: technique: id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21 
@@ -44860,6 +44902,48 @@ persistence: rm -rf #{systemd_service_path}/#{systemd_service_file} systemctl daemon-reload name: bash + - name: Create Systemd Service file, Enable the service , Modify and Reload the + service. + auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89 + description: "This test creates a systemd service unit file and enables it to + autostart on boot. Once service is created and enabled, it also modifies this + same service file showcasing both Creation and Modification of system process. + \n" + supported_platforms: + - linux + dependencies: + - description: 'System must be Ubuntu ,Kali OR CentOS. + +' + prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat + /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i + ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi; + +' + get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS. + +' + executor: + name: bash + elevation_required: true + command: "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT + INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop + : \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic + Test for Systemd Service Creation\n### END INIT INFO\npython3 -c \"import + os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod + +x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu) + ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 + defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then + chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali + OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho + \"python3 -c \\\"import os, 
base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\" + | sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl + restart T1543.002\n" + cleanup_command: | + systemctl stop T1543.002 + systemctl disable T1543.002 + rm -rf /etc/init.d/T1543.002 + systemctl daemon-reload T1053.006: technique: id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21 diff --git a/atomics/T1543.002/T1543.002.md b/atomics/T1543.002/T1543.002.md index c9bfec54..44951c1c 100644 --- a/atomics/T1543.002/T1543.002.md +++ b/atomics/T1543.002/T1543.002.md @@ -16,6 +16,8 @@ While adversaries typically require root privileges to create/modify service uni - [Atomic Test #1 - Create Systemd Service](#atomic-test-1---create-systemd-service) +- [Atomic Test #2 - Create Systemd Service file, Enable the service , Modify and Reload the service.](#atomic-test-2---create-systemd-service-file--enable-the-service--modify-and-reload-the-service) +
@@ -75,4 +77,67 @@ systemctl daemon-reload +
+
+ +## Atomic Test #2 - Create Systemd Service file, Enable the service , Modify and Reload the service. +This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process. + +**Supported Platforms:** Linux + + + + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +cat > /etc/init.d/T1543.002 << EOF +#!/bin/bash +### BEGIN INIT INFO +# Provides : Atomic Test T1543.002 +# Required-Start: $all +# Required-Stop : +# Default-Start: 2 3 4 5 +# Default-Stop: +# Short Description: Atomic Test for Systemd Service Creation +### END INIT INFO +python3 -c "import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))" +EOF + +chmod +x /etc/init.d/T1543.002 +if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi ; +systemctl enable T1543.002 +systemctl start T1543.002 + +echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002 +systemctl daemon-reload +systemctl restart T1543.002 +``` + +#### Cleanup Commands: +```bash +systemctl stop T1543.002 +systemctl disable T1543.002 +rm -rf /etc/init.d/T1543.002 +systemctl daemon-reload +``` + + + +#### Dependencies: Run with `bash`! +##### Description: System must be Ubuntu ,Kali OR CentOS. 
+##### Check Prereq Commands: +```bash +if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi; +``` +##### Get Prereq Commands: +```bash +echo Please run from Ubuntu ,Kali OR CentOS. +``` + + + +