diff --git a/atomics/T1070/T1070.md b/atomics/T1070/T1070.md
index 7d79875b..b3b14332 100644
--- a/atomics/T1070/T1070.md
+++ b/atomics/T1070/T1070.md
@@ -26,6 +26,10 @@ Logs may also be cleared through other mechanisms, such as [PowerShell](https://
- [Atomic Test #3 - rm -rf](#atomic-test-3---rm--rf)
+- [Atomic Test #4 - Overwrite Linux Mail Spool](#atomic-test-4---overwrite-linux-mail-spool)
+
+- [Atomic Test #5 - Overwrite Linux Log](#atomic-test-5---overwrite-linux-log)
+
@@ -72,3 +76,39 @@ rm -rf /private/var/log/system.log*
rm -rf /private/var/audit/*
```
+
+
+## Atomic Test #4 - Overwrite Linux Mail Spool
+This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
+
+**Supported Platforms:** Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Username of mail spool | String | root|
+
+#### Run it with `bash`!
+```
+echo 0> /var/spool/mail/#{username}
+```
+
+
+
+## Atomic Test #5 - Overwrite Linux Log
+This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
+
+**Supported Platforms:** Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| log_path | Path of specified log | Path | /var/log/secure|
+
+#### Run it with `bash`!
+```
+echo 0> #{log_path}
+```
+
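Review bot: `echo 0> /var/spool/mail/#{username}` (and `echo 0> #{log_path}` in Test #5) does not write the character 0; without a space, bash parses `0>` as a redirection of file descriptor 0 to the target, so `echo` runs with no arguments and the file is only opened with truncation. The net effect is an empty file, which may be exactly what Rocke's script did, but then the description should say the file is truncated rather than overwritten, or the command should become `echo 0 > ...` if writing a value is intended. A runner will also hit prerequisites the text does not state: both tests need root, `/var/log/secure` is the RHEL/CentOS auth log (Debian/Ubuntu use `/var/log/auth.log`), and `/var/spool/mail/<user>` only exists once local mail has been delivered, so either document that or create the file first. Nothing restores the log afterwards, so a cleanup step would help. Minor: the input types are written `String`/`Path` here but lowercase `string`/`path` in the T1168 tables.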
diff --git a/atomics/T1107/T1107.md b/atomics/T1107/T1107.md
index bdcb58c2..b72842d2 100644
--- a/atomics/T1107/T1107.md
+++ b/atomics/T1107/T1107.md
@@ -28,6 +28,8 @@ There are tools available from the host operating system to perform cleanup, but
- [Atomic Test #11 - wbadmin](#atomic-test-11---wbadmin)
+- [Atomic Test #12 - Delete Filesystem - Linux](#atomic-test-12---delete-filesystem---linux)
+
@@ -184,7 +186,7 @@ wmic shadowcopy delete
## Atomic Test #10 - bcdedit
-xxx
+This test leverages `bcdedit` to remove boot-time recovery measures.
**Supported Platforms:** Windows
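Review bot: the new description is still too generic for an analyst to know what to look for. The executor (visible further down as `bcdedit /set {default} bootstatuspolicy ignoreallfailures` and `bcdedit /set {default} recoveryenabled no`) disables automatic startup repair and the Windows Recovery Environment for the default boot entry; say that explicitly, and add how to revert (`recoveryenabled yes`, `bootstatuspolicy displayallfailures`) since the test leaves the host in the modified state.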
@@ -198,7 +200,7 @@ bcdedit /set {default} recoveryenabled no
## Atomic Test #11 - wbadmin
-xxx
+This test deletes Windows Backup catalogs.
**Supported Platforms:** Windows
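Review bot: `wbadmin delete catalog -quiet` irreversibly removes the backup catalog on any host with Windows Server Backup configured, so this one-line description deserves the same "do NOT use on production equipment" warning that Test #12 carries, plus a note that it must run from an elevated prompt.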
@@ -208,3 +210,16 @@ xxx
wbadmin delete catalog -quiet
```
+
+
+## Atomic Test #12 - Delete Filesystem - Linux
+This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
+
+**Supported Platforms:** Linux, CentOS, Ubuntu
+
+
+#### Run it with `bash`!
+```
+rm -rf / --no-preserve-root > /dev/null 2> /dev/null
+```
+
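Review bot: `rm -rf / --no-preserve-root > /dev/null 2> /dev/null` has no guard at all, and an automation harness that iterates over tests will execute it like any other. Recommend gating it behind an input argument whose default is a scratch directory, so the root-filesystem variant is an explicit opt-in, or at minimum stating that it requires root and GNU coreutils (`--no-preserve-root` is not accepted by BSD/macOS rm, which is consistent with the Linux-only platform list). Style: `>/dev/null 2>&1` is the idiomatic form of the two redirections.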
diff --git a/atomics/T1136/T1136.md b/atomics/T1136/T1136.md
index 55c3b8ec..a696863c 100644
--- a/atomics/T1136/T1136.md
+++ b/atomics/T1136/T1136.md
@@ -14,6 +14,8 @@ The net user commands can be used to create a local or domain accou
- [Atomic Test #4 - Create a new user in PowerShell](#atomic-test-4---create-a-new-user-in-powershell)
+- [Atomic Test #5 - Create a new user in Linux with `root` UID and GID.](#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid)
+
@@ -95,3 +97,23 @@ New-LocalUser -Name #{username} -NoPassword
net user /add #{username}
```
+
+
+## Atomic Test #5 - Create a new user in Linux with `root` UID and GID.
+Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign.
+
+**Supported Platforms:** Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Username of the user to create | String | butter|
+| password | Password of the user to create | String | BetterWithButter|
+
+#### Run it with `bash`!
+```
+useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
+echo "#{password}" | passwd --stdin #{username}
+```
+
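Review bot: `passwd --stdin` is a Red Hat/CentOS extension; on Debian and Ubuntu `passwd` has no `--stdin`, so the second line fails and the account is left without a usable password although the platform is listed as generic Linux. `echo "#{username}:#{password}" | chpasswd` works on both families. The description also says the user is "added to the `root` group", but `useradd -o -u 0 -g 0` creates a second account with UID 0 and primary GID 0, i.e. a full duplicate of root, which is what the title says; align the description with that. A cleanup (`userdel #{username}`; `-M -d /root` means there is no separate home directory to remove) is missing.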
diff --git a/atomics/T1168/T1168.md b/atomics/T1168/T1168.md
index b81a35e6..0010420e 100644
--- a/atomics/T1168/T1168.md
+++ b/atomics/T1168/T1168.md
@@ -18,15 +18,17 @@ Each launchd job is described by a different configuration property list (plist)
## Atomic Tests
-- [Atomic Test #1 - Cron Job](#atomic-test-1---cron-job)
+- [Atomic Test #1 - Cron - Replace crontab with referenced file](#atomic-test-1---cron---replace-crontab-with-referenced-file)
-- [Atomic Test #2 - Cron Job](#atomic-test-2---cron-job)
+- [Atomic Test #2 - Cron - Add script to cron folder](#atomic-test-2---cron---add-script-to-cron-folder)
+
+- [Atomic Test #3 - Event Monitor Daemon Persistence](#atomic-test-3---event-monitor-daemon-persistence)
-## Atomic Test #1 - Cron Job
-Set a cron job
+## Atomic Test #1 - Cron - Replace crontab with referenced file
+This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
@@ -34,17 +36,37 @@ Set a cron job
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| script | Script to execute | path | /tmp/evil.sh|
+| command | Command to execute | string | /tmp/evil.sh|
+| tmp_cron | Temporary reference file to hold evil cron schedule | path | /tmp/persistevil|
-#### Run it with `sh`!
+#### Run it with `bash`!
```
-echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil
+echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
```
-## Atomic Test #2 - Cron Job
-Manually set a cron job
+## Atomic Test #2 - Cron - Add script to cron folder
+This test adds a script to a cron folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
+
+**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log|
+| cron_script_name | Name of file to store in cron folder | string | persistevil|
+
+#### Run it with `bash`!
+```
+echo "#{command}" > /etc/cron.daily/#{cron_script_name}
+```
+
+
+
+## Atomic Test #3 - Event Monitor Daemon Persistence
+This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
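Review bot: three issues in this hunk. Test #1's executor `echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}` replaces the user's entire crontab, so any existing schedule is lost; a cleanup (`crontab -r`, ideally after saving the original with `crontab -l`) is missing, and the default `/tmp/evil.sh` is never created, so the job fails every minute. Test #2 writes `echo "#{command}" > /etc/cron.daily/#{cron_script_name}` without `chmod +x` or a shebang line; run-parts only executes executable files, so as written the script never runs, and `/etc/cron.daily` does not exist on a default macOS install even though macOS is listed as supported. Test #3 describes the macOS Event Monitor Daemon (emond), yet the "Supported Platforms" line beneath it still lists CentOS, Ubuntu and Linux, none of which have emond.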
diff --git a/atomics/index.md b/atomics/index.md
index 6b18f9d6..5452054d 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -38,6 +38,7 @@
- Atomic Test #2: Create a user account on a MacOS system [macos]
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]
+ - Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
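Review bot: `Atomic Test #5: Create a new user in Linux with \`root\` UID and GID.` is the only test name in the index with backticks and a trailing period. The index entries and markdown anchors are generated from the test `name`, so dropping both in the yaml (for example `Create a new user in Linux with root UID and GID`) keeps the lists uniform and the anchor predictable.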
@@ -72,8 +73,9 @@
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- - Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- - Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
+ - Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
+ - Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
+ - Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- T1162 Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #1: Logon Scripts [windows]
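Review bot: `Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]` inherits its platform list from index.yaml; emond is a macOS-only daemon, so this generated entry will stay wrong until the yaml lists `macos` alone.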
@@ -198,6 +200,7 @@
- Atomic Test #9: Delete VSS - wmic [windows]
- Atomic Test #10: bcdedit [windows]
- Atomic Test #11: wbadmin [windows]
+ - Atomic Test #12: Delete Filesystem - Linux [linux, centos, ubuntu]
- [T1222 File Permissions Modification](./T1222/T1222.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
- Atomic Test #2: Take ownership recursively using takeown utility [windows]
@@ -246,6 +249,8 @@
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: FSUtil [windows]
- Atomic Test #3: rm -rf [macos, linux]
+ - Atomic Test #4: Overwrite Linux Mail Spool [linux]
+ - Atomic Test #5: Overwrite Linux Log [linux]
- [T1202 Indirect Command Execution](./T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
@@ -541,8 +546,9 @@
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- - Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- - Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
+ - Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
+ - Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
+ - Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- [T1170 Mshta](./T1170/T1170.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- [T1086 PowerShell](./T1086/T1086.md)
diff --git a/atomics/index.yaml b/atomics/index.yaml
index bcd4d04a..a871736a 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -1156,6 +1156,27 @@ persistence:
command: |
New-LocalUser -Name #{username} -NoPassword
net user /add #{username}
+ - name: Create a new user in Linux with `root` UID and GID.
+ description: 'Creates a new user in Linux and adds the user to the `root` group.
+ This technique was used by adversaries during the Butter attack campaign.
+
+'
+ supported_platforms:
+ - linux
+ input_arguments:
+ username:
+ description: Username of the user to create
+ type: String
+ default: butter
+ password:
+ description: Password of the user to create
+ type: String
+ default: BetterWithButter
+ executor:
+ name: bash
+ command: |-
+ useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
+ echo "#{password}" | passwd --stdin #{username}
T1158:
technique:
id: attack-pattern--dc27c2ec-c5f9-4228-ba57-d67b590bda93
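Review bot: the executor is the same as in the markdown, so the `passwd --stdin` portability problem applies here too (Debian/Ubuntu `passwd` has no `--stdin`; `chpasswd` is portable across both families), and the description's "adds the user to the `root` group" understates what `useradd -o -u 0 -g 0` does (a duplicate UID 0 account). Style against the rest of the file: `type: String` where neighbouring tests use lowercase `string`, and the single-quoted description keeps two trailing newlines, which the generator renders as extra blank lines in the markdown.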
@@ -2125,8 +2146,10 @@ persistence:
created: '2017-12-14T16:46:06.044Z'
identifier: T1168
atomic_tests:
- - name: Cron Job
- description: 'Set a cron job
+ - name: Cron - Replace crontab with referenced file
+ description: 'This test replaces the current user''s crontab file with the contents
+ of the referenced file. This technique was used by numerous IoT automated
+ exploitation attacks.
'
supported_platforms:
@@ -2135,17 +2158,23 @@ persistence:
- ubuntu
- linux
input_arguments:
- script:
- description: Script to execute
- type: path
+ command:
+ description: Command to execute
+ type: string
default: "/tmp/evil.sh"
+ tmp_cron:
+ description: Temporary reference file to hold evil cron schedule
+ type: path
+ default: "/tmp/persistevil"
executor:
- name: sh
- command: 'echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil
+ name: bash
+ command: 'echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
'
- - name: Cron Job
- description: 'Manually set a cron job
+ - name: Cron - Add script to cron folder
+ description: 'This test adds a script to a cron folder configured to execute
+ on a schedule. This technique was used by the threat actor Rocke during the
+ exploitation of Linux web servers.
'
supported_platforms:
@@ -2153,6 +2182,28 @@ persistence:
- centos
- ubuntu
- linux
+ input_arguments:
+ command:
+ description: Command to execute
+ type: string
+ default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
+ cron_script_name:
+ description: Name of file to store in cron folder
+ type: string
+ default: persistevil
+ executor:
+ name: bash
+ command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name}
+
+'
+ - name: Event Monitor Daemon Persistence
+ description: "This test adds persistence via a plist to execute via the macOS
+ Event Monitor Daemon. \n"
+ supported_platforms:
+ - macos
+ - centos
+ - ubuntu
+ - linux
executor:
name: manual
steps: |
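Review bot: `Event Monitor Daemon Persistence` lists `supported_platforms` of macos, centos, ubuntu and linux, but emond exists only on macOS, so the list should be `- macos` alone; the Linux entries are what puts this test into the Linux index. The `manual` executor with `steps:` is appropriate for a plist-based technique, but the description should name the plist location and trigger it relies on so the steps are reproducible. Minor: this description is double-quoted with an embedded `\n` while the two cron descriptions above are single-quoted; pick one form.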
@@ -5354,7 +5405,7 @@ defense-evasion:
'
- name: bcdedit
- description: 'xxx
+ description: 'This test leverages `bcdedit` to remove boot-time recovery measures.
'
supported_platforms:
@@ -5365,15 +5416,28 @@ defense-evasion:
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
- name: wbadmin
- description: 'xxx
-
-'
+ description: "This test deletes Windows Backup catalogs. \n"
supported_platforms:
- windows
executor:
name: command_prompt
command: 'wbadmin delete catalog -quiet
+'
+ - name: Delete Filesystem - Linux
+ description: 'This test deletes the entire root filesystem of a Linux system.
+ This technique was used by Amnesia IoT malware to avoid analysis. This test
+ is dangerous and destructive, do NOT use on production equipment.
+
+'
+ supported_platforms:
+ - linux
+ - centos
+ - ubuntu
+ executor:
+ name: bash
+ command: 'rm -rf / --no-preserve-root > /dev/null 2> /dev/null
+
'
T1222:
technique:
@@ -6535,6 +6599,39 @@ defense-evasion:
command: |
rm -rf /private/var/log/system.log*
rm -rf /private/var/audit/*
+ - name: Overwrite Linux Mail Spool
+ description: 'This test overwrites the Linux mail spool of a specified user.
+ This technique was used by threat actor Rocke during the exploitation of Linux
+ web servers.
+
+'
+ supported_platforms:
+ - linux
+ input_arguments:
+ username:
+ description: Username of mail spool
+ type: String
+ default: root
+ executor:
+ name: bash
+ command: 'echo 0> /var/spool/mail/#{username}
+
+'
+ - name: Overwrite Linux Log
+ description: 'This test overwrites the specified log. This technique was used
+ by threat actor Rocke during the exploitation of Linux web servers.
+
+'
+ supported_platforms:
+ - linux
+ input_arguments:
+ log_path:
+ description: Path of specified log
+ type: Path
+ default: "/var/log/secure"
+ executor:
+ name: bash
+ command: 'echo 0> #{log_path}'
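Review bot: `command: 'echo 0> #{log_path}'` and `'echo 0> /var/spool/mail/#{username}'` rely on `0>` being a redirection of file descriptor 0, which truncates the file without writing anything. If the intent is to mirror Rocke's exact command, say so in the description and describe the effect as truncation; otherwise write `echo 0 > ...`. Also the log entry is the only executor in this hunk whose scalar has no trailing newline, while the mail-spool entry carries two; be consistent.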
T1202:
technique:
id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
@@ -14998,8 +15095,10 @@ execution:
created: '2017-12-14T16:46:06.044Z'
identifier: T1168
atomic_tests:
- - name: Cron Job
- description: 'Set a cron job
+ - name: Cron - Replace crontab with referenced file
+ description: 'This test replaces the current user''s crontab file with the contents
+ of the referenced file. This technique was used by numerous IoT automated
+ exploitation attacks.
'
supported_platforms:
@@ -15008,17 +15107,23 @@ execution:
- ubuntu
- linux
input_arguments:
- script:
- description: Script to execute
- type: path
+ command:
+ description: Command to execute
+ type: string
default: "/tmp/evil.sh"
+ tmp_cron:
+ description: Temporary reference file to hold evil cron schedule
+ type: path
+ default: "/tmp/persistevil"
executor:
- name: sh
- command: 'echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil
+ name: bash
+ command: 'echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
'
- - name: Cron Job
- description: 'Manually set a cron job
+ - name: Cron - Add script to cron folder
+ description: 'This test adds a script to a cron folder configured to execute
+ on a schedule. This technique was used by the threat actor Rocke during the
+ exploitation of Linux web servers.
'
supported_platforms:
@@ -15026,6 +15131,28 @@ execution:
- centos
- ubuntu
- linux
+ input_arguments:
+ command:
+ description: Command to execute
+ type: string
+ default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
+ cron_script_name:
+ description: Name of file to store in cron folder
+ type: string
+ default: persistevil
+ executor:
+ name: bash
+ command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name}
+
+'
+ - name: Event Monitor Daemon Persistence
+ description: "This test adds persistence via a plist to execute via the macOS
+ Event Monitor Daemon. \n"
+ supported_platforms:
+ - macos
+ - centos
+ - ubuntu
+ - linux
executor:
name: manual
steps: |
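Review bot: the `execution:` block repeats the full T1168 definitions already added under `persistence:`, including the `- centos`/`- ubuntu`/`- linux` platforms for the emond test and the unset executable bit in the cron.daily executor. If this file is generated from the per-technique yaml both copies will be regenerated together; if it is hand-edited, every fix to the cron or emond tests must be applied in both places, so please confirm which before merging.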
diff --git a/atomics/linux-index.md b/atomics/linux-index.md
index a144b8f1..fb3823f5 100644
--- a/atomics/linux-index.md
+++ b/atomics/linux-index.md
@@ -10,6 +10,7 @@
- Atomic Test #3: Firefox [linux, windows, macos]
- [T1136 Create Account](./T1136/T1136.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
+ - Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #3: Hidden file [macos, linux]
@@ -17,8 +18,9 @@
- Atomic Test #10: Create hidden directories and files [macos, linux]
- T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- - Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- - Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
+ - Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
+ - Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
+ - Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1166 Setuid and Setgid](./T1166/T1166.md)
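Review bot: `Atomic Test #3: Event Monitor Daemon Persistence` should not appear in the Linux index; emond is a macOS daemon and the entry only lands here because index.yaml lists centos, ubuntu and linux as supported platforms for it.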
@@ -153,6 +155,7 @@
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
+ - Atomic Test #12: Delete Filesystem - Linux [linux, centos, ubuntu]
- [T1222 File Permissions Modification](./T1222/T1222.md)
- Atomic Test #8: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #9: chmod - Change file or folder mode (symbolic mode) [macos, linux]
@@ -174,6 +177,8 @@
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070 Indicator Removal on Host](./T1070/T1070.md)
- Atomic Test #3: rm -rf [macos, linux]
+ - Atomic Test #4: Overwrite Linux Mail Spool [linux]
+ - Atomic Test #5: Overwrite Linux Log [linux]
- [T1130 Install Root Certificate](./T1130/T1130.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- [T1036 Masquerading](./T1036/T1036.md)
@@ -203,8 +208,9 @@
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- - Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- - Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
+ - Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
+ - Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
+ - Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- [T1153 Source](./T1153/T1153.md)
diff --git a/atomics/macos-index.md b/atomics/macos-index.md
index e99dd6a4..de022769 100644
--- a/atomics/macos-index.md
+++ b/atomics/macos-index.md
@@ -28,8 +28,9 @@
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- - Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- - Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
+ - Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
+ - Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
+ - Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- T1162 Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #2: Logon Scripts - Mac [macos]
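Review bot: `Atomic Test #2: Cron - Add script to cron folder` is listed for macOS, but its executor writes into `/etc/cron.daily/`, which a default macOS install does not have (periodic tasks live under `/etc/periodic/` and launchd); either create the directory in the test or drop macos from its platforms. The same applies to `Atomic Test #3`, which is macOS-only and should not carry centos, ubuntu and linux.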
@@ -105,8 +106,9 @@
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- - Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- - Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
+ - Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
+ - Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
+ - Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- [T1153 Source](./T1153/T1153.md)