From 9d574c083b03ea83918f10a7ef92bfc2845a4fab Mon Sep 17 00:00:00 2001
From: haresudhan
Date: Wed, 7 Oct 2020 02:45:39 -0600
Subject: [PATCH] Added T1098.004 tests
---
atomics/T1098.004/T1098.004.yaml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 atomics/T1098.004/T1098.004.yaml
diff --git a/atomics/T1098.004/T1098.004.yaml b/atomics/T1098.004/T1098.004.yaml
new file mode 100644
index 00000000..f8256cd3
--- /dev/null
+++ b/atomics/T1098.004/T1098.004.yaml
@@ -0,0 +1,19 @@
+---
+attack_technique: T1098.004
+display_name: SSH Authorized Keys
+
+atomic_tests:
+- name: Modify SSH Authorized Keys
+ description: |
+ Modify contents of /.ssh/authorized_keys to maintain persistence on victim host.
+ If the user is able to save the same contents in the authorized_keys file, it shows user can modify the file.
+ supported_platforms:
+ - macos
+ - linux
+ executor:
+ name: sh
+ elevation_required: true
+ command: |
+ if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat ~/.ssh/authorized_keys); echo $ssh_authorized_keys > ~/.ssh/authorized_keys; fi;
+ cleanup_command: |
+ unset ssh_authorized_keys
\ No newline at end of file
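Review bot: The `command` entry writes the file back through an unquoted expansion, `echo $ssh_authorized_keys > ~/.ssh/authorized_keys`, so the shell word-splits the saved text and a file holding several keys is rewritten as one line. Keys after the first would then stop being accepted on the test host, which contradicts the description's "save the same contents". Quoting the expansion keeps the write lossless: `printf '%s\n' "$ssh_authorized_keys" > ~/.ssh/authorized_keys`. The `cleanup_command` only unsets a variable, which presumably lives in a different shell invocation and restores nothing, so if the write stays lossy it should put back a backup copy instead. `elevation_required: true` looks unnecessary because the path is the invoking user's own `~/.ssh` (under root the test would touch root's keys), and the description's `/.ssh/authorized_keys` should read `~/.ssh/authorized_keys`.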