T1153 Source (#356)

atomics/T1153/T1153.md

@@ -0,0 +1,53 @@
+# T1153 - Source
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1153)
+<blockquote>The <code>source</code> command loads functions into the current shell or executes files in the current context. This built-in command can be run in two different ways <code>source /path/to/filename [arguments]</code> or <code>. /path/to/filename [arguments]</code>. Take note of the space after the ".". Without a space, a new shell is created that runs the program instead of running the program within the current context. This is often used to make certain features or functions available to a shell or to update a specific shell's environment. 
+
+Adversaries can abuse this functionality to execute programs. The file executed with this technique does not need to be marked executable beforehand.
+
+Detection: Monitor for command shell execution of source and subsequent processes that are started as a result of being executed by a source command. Adversaries must also drop a file to disk in order to execute it with source, and these files can also detected by file monitoring.
+
+Platforms: Linux, macOS
+
+Data Sources: Process Monitoring, File monitoring, Process command-line parameters
+
+Permissions Required: User
+
+Remote Support: No</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Execute Script using Source](#atomic-test-1---execute-script-using-source)
+
+- [Atomic Test #2 - Execute Script using Source Alias](#atomic-test-2---execute-script-using-source-alias)
+
+
+<br/>
+
+## Atomic Test #1 - Execute Script using Source
+Creates a script and executes it using the source command
+
+**Supported Platforms:** macOS, Linux
+
+
+#### Run it with `sh`!
+```
+sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
+chmod +x /tmp/art.sh
+source /tmp/art.sh
+```
+<br/>
+<br/>
+
+## Atomic Test #2 - Execute Script using Source Alias
+Creates a script and executes it using the source command's dot alias
+
+**Supported Platforms:** macOS, Linux
+
+
+#### Run it with `sh`!
+```
+sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
+chmod +x /tmp/art.sh
+. /tmp/art.sh
+```
+<br/>

atomics/T1153/T1153.yaml

@@ -0,0 +1,35 @@
+---
+attack_technique: T1153
+display_name: Source
+
+atomic_tests:
+- name: Execute Script using Source
+  description: |
+    Creates a script and executes it using the source command
+
+  supported_platforms:
+    - macos
+    - linux
+
+  executor:
+    name: sh
+    command: |
+      sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
+      chmod +x /tmp/art.sh
+      source /tmp/art.sh
+
+- name: Execute Script using Source Alias
+  description: |
+    Creates a script and executes it using the source command's dot alias
+
+  supported_platforms:
+    - macos
+    - linux
+
+  executor:
+    name: sh
+    command: |
+      sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
+      chmod +x /tmp/art.sh
+      . /tmp/art.sh
+

atomics/index.md

@@ -498,7 +498,9 @@
 - T1035 Service Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1218 Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1216 Signed Script Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1153 Source](./T1153/T1153.md)
+  - Atomic Test #1: Execute Script using Source [macos, linux]
+  - Atomic Test #2: Execute Script using Source Alias [macos, linux]
 - [T1151 Space after Filename](./T1151/T1151.md)
   - Atomic Test #1: Space After Filename [macos]
 - T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/linux-index.md

@@ -178,9 +178,11 @@
 - [T1168 Local Job Scheduling](./T1168/T1168.md)
   - Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
   - Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
+- [T1153 Source](./T1153/T1153.md)
+  - Atomic Test #1: Execute Script using Source [macos, linux]
+  - Atomic Test #2: Execute Script using Source Alias [macos, linux]
 - [T1064 Scripting](./T1064/T1064.md)
   - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
-- T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1151 Space after Filename](./T1151/T1151.md)
 - T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1154 Trap](./T1154/T1154.md)

atomics/macos-index.md

@@ -102,7 +102,9 @@
   - Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
 - [T1064 Scripting](./T1064/T1064.md)
   - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
-- T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1153 Source](./T1153/T1153.md)
+  - Atomic Test #1: Execute Script using Source [macos, linux]
+  - Atomic Test #2: Execute Script using Source Alias [macos, linux]
 - [T1151 Space after Filename](./T1151/T1151.md)
   - Atomic Test #1: Space After Filename [macos]
 - T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/matrix.md

@@ -24,7 +24,7 @@
 |  | Service Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](./T1183/T1183.md) | [Scheduled Task](./T1053/T1053.md) | [HISTCONTROL](./T1148/T1148.md) |  |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](./T1158/T1158.md) |  |  |  |  |  |  |
 |  | Signed Script Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | [Hidden Users](./T1147/T1147.md) |  |  |  |  |  |  |
-|  | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](./T1165/T1165.md) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
+|  | [Source](./T1153/T1153.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](./T1165/T1165.md) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
 |  | [Space after Filename](./T1151/T1151.md) | [Launch Agent](./T1159/T1159.md) | [Sudo](./T1169/T1169.md) | [Image File Execution Options Injection](./T1183/T1183.md) |  |  |  |  |  |  |
 |  | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](./T1160/T1160.md) | [Sudo Caching](./T1206/T1206.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
 |  | [Trap](./T1154/T1154.md) | [Launchctl](./T1152/T1152.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |