made cleanup more in line with project spec (repeatable) + minor chg

Updated both, on both tests:
- made cleanup more in line with project spec - copy instead of mv so it never fails
- edited description so it mentions adversary

comment: I think it is good to have the prereq command, in case a host does not have that specific library installed, if not then the atomic would fail
JB
2020-08-15 22:39:27 -05:00
committed by GitHub
parent 82b3dd27df
commit a14952c4b0
+6 -6
@@ -26,7 +26,7 @@ atomic_tests:
elevation_required: true
- name: Living off the land Terminal Input Capture on Linux with pam.d
description: |
Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log.
Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log. All terminal activity would then be archived and readable to an adversary with elevated credentials.
Passwords hidden by the console can also be logged, with 'log_passwd' as in this example. If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command).
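Review bot: both the removed and the added description line expand PAM as "Pluggable Access Module"; the framework is Pluggable Authentication Modules, and since this line is being reworded anyway it is the place to fix it. The unchanged context line also quotes the option as 'log_passwd' while the test command in the next hunk appends `log_password` to /etc/pam.d/system-auth; pam_tty_audit's documented option is `log_passwd`, so as written the command would not enable password logging and the two should be brought into agreement.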
@@ -45,13 +45,13 @@ atomic_tests:
sudo echo "session required pam_tty_audit.so enable=* log_password" >> /etc/pam.d/system-auth
sudo pam-auth-update --package --force
cleanup_command: |
sudo mv /tmp/password-auth.bk /etc/pam.d/password-auth
sudo mv /tmp/system-auth.bk /etc/pam.d/system-auth
sudo cp -f /tmp/password-auth.bk /etc/pam.d/password-auth
sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth
name: bash
elevation_required: true
- name: Living off the land Terminal Input Capture on Linux with pam.d for shell
description: |
This is the same as test 2, only without the bashisms: Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log.
This is the same as test 2, only without the bashisms: Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log. All terminal activity would then be archived and readable by an adversary with elevated privledges.
Passwords hidden by the console can also be logged, with 'log_passwd' as in this example. If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command).
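Review bot: 'privledges' on the added description line should read 'privileges'. More important is the unchanged context line `sudo echo "session required pam_tty_audit.so enable=* log_password" >> /etc/pam.d/system-auth`: sudo elevates only the echo, while the `>>` redirection is opened by the caller's unprivileged shell, so the append is refused with permission denied unless the runner already executes the whole block as root. `echo "session required pam_tty_audit.so enable=* log_passwd" | sudo tee -a /etc/pam.d/system-auth` performs the write under sudo and works unchanged in the sh variant below.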
@@ -70,7 +70,7 @@ atomic_tests:
sudo echo "session required pam_tty_audit.so enable=* log_password" >> /etc/pam.d/system-auth
sudo pam-auth-update --package --force
cleanup_command: |
sudo mv /tmp/password-auth.bk /etc/pam.d/password-auth
sudo mv /tmp/system-auth.bk /etc/pam.d/system-auth
sudo cp -f /tmp/password-auth.bk /etc/pam.d/password-auth
sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth
name: sh
elevation_required: true
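Review bot: replacing mv with `cp -f` keeps the backups in /tmp so cleanup can be re-run, but `cp -f` still exits non-zero when /tmp/password-auth.bk or /tmp/system-auth.bk does not exist (for example when cleanup runs without the backup step having run first), so the "never fails" goal in the commit message holds only once a backup exists; guarding each line, e.g. `[ -f /tmp/system-auth.bk ] && sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth`, makes cleanup idempotent for the sh variant as well as the bash one. Note also that the backups now persist in world-writable /tmp and are copied verbatim into /etc/pam.d on every cleanup, so a stale or replaced backup would be restored as the live PAM configuration; deleting the backups after a successful restore, or keeping them beside the originals under /etc/pam.d, avoids that.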