From 8d5a575af8561869ef374a7e90371c584d762fb9 Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Tue, 8 Oct 2019 12:27:00 -0500
Subject: [PATCH] Add test for LKM via insmod (#580)
---
atomics/T1215/T1215.yaml | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
create mode 100644 atomics/T1215/T1215.yaml
diff --git a/atomics/T1215/T1215.yaml b/atomics/T1215/T1215.yaml
new file mode 100644
index 00000000..80f7f4bc
--- /dev/null
+++ b/atomics/T1215/T1215.yaml
@@ -0,0 +1,31 @@
+---
+attack_technique: T1215
+display_name: Kernel Modules and Extensions
+
+atomic_tests:
+- name: Linux - Load Kernel Module via insmod
+ description: |
+ This test uses the insmod command to load a kernel module for Linux.
+
+ supported_platforms:
+ - centos
+ - ubuntu
+ - linux
+
+ input_arguments:
+ kernel_module_file:
+ description: KO object containing kernel module code.
+ type: path
+ default: diamorphine.ko
+ module_name:
+ description: Kernel module name once loaded.
+ type: string
+ default: diamorphine
+
+ executor:
+ name: bash
+ elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
+ command: | # these are the actaul attack commands, at least one command must be provided
+ insmod #{kernel_module_file}
+ cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands
+ rmmod #{module_name}
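Review bot: The default `kernel_module_file: diamorphine.ko` names a file the test neither ships nor builds, and the executor runs `insmod #{kernel_module_file}` with no check that the path exists, so out of the box the test fails inside insmod rather than reporting a missing prerequisite; the `description` should say where the `.ko` is expected to come from and that it must be built against the kernel it is loaded into. A guard line such as `test -f #{kernel_module_file} || exit 1` before the `insmod` line (or a dependency stanza, if this test schema provides one — not visible from the hunk) would make that failure explicit. The `cleanup_command` depends on `module_name` matching the name the module registers under, so the two defaults must be kept in sync; a sentence in the description noting this would help whoever swaps in a different module. The inline comment on the `command:` line also carries a typo, `actaul` → `actual`. The indentation inside this hunk looks collapsed in this view, so the nesting of `description`/`supported_platforms` under the test entry could not be verified here.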