Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2021-06-04 17:14:26 +00:00
parent 1f1a002d89
commit 94d442bcd6
9 changed files with 194 additions and 86 deletions
@@ -160,6 +160,8 @@ privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4
 privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
 privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 privilege-escalation,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
+privilege-escalation,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
+privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
 privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
@@ -536,6 +538,8 @@ persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a
 persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
 persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
 persistence,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
+persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
+persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
 persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
 persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
@@ -32,6 +32,8 @@ privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injecti
 privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
 privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
+privilege-escalation,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
+privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
 privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
 privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
@@ -157,6 +159,8 @@ persistence,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD
 persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
 persistence,T1136.001,Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
 persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
+persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
+persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
 persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
 persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
@@ -324,6 +324,8 @@
 - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
  - Atomic Test #1: rc.common [macos]
+  - Atomic Test #2: rc.common [linux]
+  - Atomic Test #3: rc.local [linux]
 - [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
  - Atomic Test #1: Re-Opened Applications [macos]
  - Atomic Test #2: Re-Opened Applications [macos]
@@ -967,6 +969,8 @@
 - T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
  - Atomic Test #1: rc.common [macos]
+  - Atomic Test #2: rc.common [linux]
+  - Atomic Test #3: rc.local [linux]
 - T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
  - Atomic Test #1: Re-Opened Applications [macos]
@@ -122,7 +122,9 @@
 - T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037.004 RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
+  - Atomic Test #2: rc.common [linux]
+  - Atomic Test #3: rc.local [linux]
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
  - Atomic Test #1: Make and modify binary from C source [macos, linux]
@@ -451,7 +453,9 @@
 - T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037.004 RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
+  - Atomic Test #2: rc.common [linux]
+  - Atomic Test #3: rc.local [linux]
 - T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -23,7 +23,7 @@
 |  | [Systemd Timers](../../T1053.006/T1053.006.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Keylogging](../../T1056.001/T1056.001.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
 |  | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  |  | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -40,7 +40,7 @@
 |  |  | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Indicator Blocking](../../T1562.006/T1562.006.md) |  |  |  |  |  | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
-|  |  | RC Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | [RC Scripts](../../T1037.004/T1037.004.md) |  | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) |  |  |  |  |  |  |  |
 |  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
@@ -15389,6 +15389,48 @@ privilege-escalation:
 '
        elevation_required: true
        name: bash
+    - name: rc.common
+      auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a
+      description: 'Modify rc.common
+
+'
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
+          printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
+          echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
+          printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
+          sudo chmod +x /etc/rc.common
+        cleanup_command: 'origfilename=''/etc/rc.common.original'';if [ ! -f $origfilename
+          ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common
+          && sudo rm $origfilename;fi
+
+'
+    - name: rc.local
+      auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102
+      description: 'Modify rc.local
+
+'
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
+          printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
+          echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
+          printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
+          sudo chmod +x /etc/rc.local
+        cleanup_command: 'origfilename=''/etc/rc.local.original'';if [ ! -f $origfilename
+          ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local &&
+          sudo rm $origfilename;fi
+
+'
  T1547.007:
    technique:
      created: '2020-01-24T18:15:06.641Z'
@@ -43035,6 +43077,48 @@ persistence:
 '
        elevation_required: true
        name: bash
+    - name: rc.common
+      auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a
+      description: 'Modify rc.common
+
+'
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
+          printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
+          echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
+          printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
+          sudo chmod +x /etc/rc.common
+        cleanup_command: 'origfilename=''/etc/rc.common.original'';if [ ! -f $origfilename
+          ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common
+          && sudo rm $origfilename;fi
+
+'
+    - name: rc.local
+      auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102
+      description: 'Modify rc.local
+
+'
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
+          printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
+          echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
+          printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
+          sudo chmod +x /etc/rc.local
+        cleanup_command: 'origfilename=''/etc/rc.local.original'';if [ ! -f $origfilename
+          ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local &&
+          sudo rm $origfilename;fi
+
+'
  T1542.004:
    technique:
      created: '2020-10-20T00:05:48.790Z'
@@ -12,6 +12,10 @@ Several Unix-like systems have moved to Systemd and deprecated the use of RC scr

 - [Atomic Test #1 - rc.common](#atomic-test-1---rccommon)

+- [Atomic Test #2 - rc.common](#atomic-test-2---rccommon)
+
+- [Atomic Test #3 - rc.local](#atomic-test-3---rclocal)
+

 <br/>

@@ -38,4 +42,68 @@ sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /e



+<br/>
+<br/>
+
+## Atomic Test #2 - rc.common
+Modify rc.common
+
+**Supported Platforms:** Linux
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
+printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
+echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
+printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
+sudo chmod +x /etc/rc.common
+```
+
+#### Cleanup Commands:
+```bash
+origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - rc.local
+Modify rc.local
+
+**Supported Platforms:** Linux
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
+printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
+echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
+printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
+sudo chmod +x /etc/rc.local
+```
+
+#### Cleanup Commands:
+```bash
+origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi
+```
+
+
+
+
+
 <br/>
@@ -1,105 +1,45 @@
-# T1037.004 - RC Scripts
-## [Description from ATT&CK](https://attack.mitre.org/techniques/T1037/004)
-<blockquote>Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.
+# T1137.004 - Outlook Home Page
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1137/004)
+<blockquote>Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)

-Adversaries can establish persistence by adding a malicious binary path or shell commands to <code>rc.local</code>, <code>rc.common</code>, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence.
-
-Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware)
-
-Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)</blockquote>
+Once malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page)
+</blockquote>

 ## Atomic Tests

- [Atomic Test #1 - rc.common](#atomic-test-1---rccommon)
-
- [Atomic Test #2 - rc.common](#atomic-test-2---rccommon)
-
- [Atomic Test #3 - rc.local](#atomic-test-3---rclocal)
+- [Atomic Test #1 - Install Outlook Home Page Persistence](#atomic-test-1---install-outlook-home-page-persistence)


 <br/>

-## Atomic Test #1 - rc.common
-Modify rc.common
+## Atomic Test #1 - Install Outlook Home Page Persistence
+This test simulates persistence being added to a host via the Outlook Home Page functionality. This causes Outlook to retrieve URL containing a malicious payload every time the targeted folder is viewed.

-[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html)
+Triggering the payload requires manually opening Outlook and viewing the targetted folder (e.g. Inbox).

-**Supported Platforms:** macOS
+**Supported Platforms:** Windows




-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| url | URL to Outlook Home Page containing the payload to execute (can be local file:// or remote https://) | string | file://PathToAtomicsFolder&#92;T1137.004&#92;src&#92;T1137.004.html|
+| outlook_version | Version of Outlook that is installed | string | 16.0|
+| outlook_folder | Name of the Outlook folder to modify the homepage setting for | string | Inbox|


-```bash
-sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common
-```
+#### Attack Commands: Run with `command_prompt`! 


-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #2 - rc.common
-Modify rc.common
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
-
-```bash
-filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
-printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
-echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
-printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
-sudo chmod +x /etc/rc.common
+```cmd
+reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f
 ```

 #### Cleanup Commands:
-```bash
-origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi
-```
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - rc.local
-Modify rc.local
-
-**Supported Platforms:** Linux
-
-
-
-
-
-#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
-
-
-```bash
-filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
-printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.local
-echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
-printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.local
-sudo chmod +x /etc/rc.local
-```
-
-#### Cleanup Commands:
-```bash
-origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi
+```cmd
+reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f
 ```