Merge branch 'master' into insecure-curl

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1739-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1740-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 
 Atomic Red Team™ is a library of tests mapped to the

atomics/Indexes/Indexes-CSV/index.csv

@@ -2025,6 +2025,7 @@ discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery
 discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
 discovery,T1083,File and Directory Discovery,6,Launch DirLister Executable,c5bec457-43c9-4a18-9a24-fe151d8971b7,powershell
 discovery,T1083,File and Directory Discovery,7,ESXi - Enumerate VMDKs available on an ESXi Host,4a233a40-caf7-4cf1-890a-c6331bbc72cf,command_prompt
+discovery,T1083,File and Directory Discovery,8,Identifying Network Shares - Linux,361fe49d-0c19-46ec-a483-ccb92d38e88e,sh
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -367,6 +367,7 @@ discovery,T1217,Browser Bookmark Discovery,4,List Google Chromium Bookmark JSON
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
 discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
 discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
+discovery,T1083,File and Directory Discovery,8,Identifying Network Shares - Linux,361fe49d-0c19-46ec-a483-ccb92d38e88e,sh
 discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
 discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh

atomics/Indexes/Indexes-Markdown/index.md

@@ -2731,6 +2731,7 @@
   - Atomic Test #5: Simulating MAZE Directory Enumeration [windows]
   - Atomic Test #6: Launch DirLister Executable [windows]
   - Atomic Test #7: ESXi - Enumerate VMDKs available on an ESXi Host [windows]
+  - Atomic Test #8: Identifying Network Shares - Linux [linux]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
   - Atomic Test #1: System Network Connections Discovery [windows]
   - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -777,6 +777,7 @@
 - [T1083 File and Directory Discovery](../../T1083/T1083.md)
   - Atomic Test #3: Nix File and Directory Discovery [linux, macos]
   - Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
+  - Atomic Test #8: Identifying Network Shares - Linux [linux]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
   - Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/iaas_aws-index.yaml

@@ -12171,9 +12171,9 @@ defense-evasion:
         command: |
           aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
           echo "*** Log Group Created ***"
-          aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+          aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
           echo "*** Log Stream Created ***"
-          aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+          aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
           echo "*** Log Stream Deleted ***"
           aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
           echo "*** Log Group Deleted ***"

atomics/Indexes/index.yaml

@@ -27916,9 +27916,9 @@ defense-evasion:
         command: |
           aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
           echo "*** Log Group Created ***"
-          aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+          aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
           echo "*** Log Stream Created ***"
-          aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+          aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
           echo "*** Log Stream Deleted ***"
           aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
           echo "*** Log Group Deleted ***"
@@ -109694,6 +109694,18 @@ discovery:
           '
         name: command_prompt
         elevation_required: false
+    - name: Identifying Network Shares - Linux
+      auto_generated_guid: 361fe49d-0c19-46ec-a483-ccb92d38e88e
+      description: |
+        If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares.
+        Attackers may then attempt to access these shares for lateral movement or data exfiltration.
+      supported_platforms:
+      - linux
+      executor:
+        command: 'findmnt -t nfs
+
+          '
+        name: sh
   T1049:
     technique:
       type: attack-pattern

atomics/Indexes/linux-index.yaml

@@ -62945,6 +62945,18 @@ discovery:
           find . -type f -name ".*"
         cleanup_command: 'rm #{output_file}'
         name: sh
+    - name: Identifying Network Shares - Linux
+      auto_generated_guid: 361fe49d-0c19-46ec-a483-ccb92d38e88e
+      description: |
+        If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares.
+        Attackers may then attempt to access these shares for lateral movement or data exfiltration.
+      supported_platforms:
+      - linux
+      executor:
+        command: 'findmnt -t nfs
+
+          '
+        name: sh
   T1049:
     technique:
       type: attack-pattern

atomics/T1083/T1083.md

@@ -26,6 +26,8 @@ Some files and directories may require elevated or specific user permissions to
 
 - [Atomic Test #7 - ESXi - Enumerate VMDKs available on an ESXi Host](#atomic-test-7---esxi---enumerate-vmdks-available-on-an-esxi-host)
 
+- [Atomic Test #8 - Identifying Network Shares - Linux](#atomic-test-8---identifying-network-shares---linux)
+
 
 <br/>
 
@@ -344,4 +346,33 @@ Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -O
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - Identifying Network Shares - Linux
+If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares.
+Attackers may then attempt to access these shares for lateral movement or data exfiltration.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 361fe49d-0c19-46ec-a483-ccb92d38e88e
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+findmnt -t nfs
+```
+
+
+
+
+
+
 <br/>

atomics/T1083/T1083.yaml

@@ -191,3 +191,14 @@ atomic_tests:
        echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
     name: command_prompt
     elevation_required: false
+- name: Identifying Network Shares - Linux
+  auto_generated_guid: 361fe49d-0c19-46ec-a483-ccb92d38e88e
+  description: |
+    If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares.
+    Attackers may then attempt to access these shares for lateral movement or data exfiltration.
+  supported_platforms:
+  - linux
+  executor:
+    command: |
+      findmnt -t nfs
+    name: sh

atomics/T1562.008/T1562.008.md

@@ -559,9 +559,9 @@ deleting the log stream. Once it is deleted, the logs created by the attackers w
 ```sh
 aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
 echo "*** Log Group Created ***"
-aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
 echo "*** Log Stream Created ***"
-aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
 echo "*** Log Stream Deleted ***"
 aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
 echo "*** Log Group Deleted ***"

atomics/T1562.008/T1562.008.yaml

@@ -388,9 +388,9 @@ atomic_tests:
     command: |
       aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
       echo "*** Log Group Created ***"
-      aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+      aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
       echo "*** Log Stream Created ***"
-      aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name}
+      aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
       echo "*** Log Stream Deleted ***"
       aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
       echo "*** Log Group Deleted ***"

atomics/used_guids.txt

@@ -1762,3 +1762,4 @@ b404caaa-12ce-43c7-9214-62a531c044f7
 03ae82a6-9fa0-465b-91df-124d8ca5c4e8
 d2a1f4bc-a064-4223-8281-a086dce5423c
 0eeb68ce-e64c-4420-8d53-ad5bdc6f86d5
+361fe49d-0c19-46ec-a483-ccb92d38e88e