From d190d830db1bff208b1aac0c0f64182512937765 Mon Sep 17 00:00:00 2001
From: George Allen
Date: Sun, 21 Nov 2021 17:11:37 +0000
Subject: [PATCH 1/5] T1003.008 - additional tests
---
 atomics/T1003.008/T1003.008.yaml | 37 ++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml
index 68ddee87..5a32a791 100644
--- a/atomics/T1003.008/T1003.008.yaml
+++ b/atomics/T1003.008/T1003.008.yaml
@@ -38,3 +38,40 @@ atomic_tests:
 cleanup_command: |
 rm -f #{output_file}
 name: sh
+- name: Access /etc/{shadow,passwd} with a standard bin that's not cat
+ auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
+ description: |
+ Dump /etc/passwd and /etc/shadow using ed
+ supported_platforms:
+ - linux
+ input_arguments:
+ output_file:
+ description: Path where captured results will be placed
+ type: Path
+ default: /tmp/T1003.008.txt
+ executor:
+ command: |
+ echo ,p | ed /etc/{pass,}wd > #{output_file}
+ echo ,p | ed /etc/{sha,}dow > #{output_file}
+ cleanup_command: |
+ rm -f #{output_file}
+ name: bash
+- name: Access /etc/{shadow,passwd} with shell builtins
+ auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
+ description: |
+ Dump /etc/passwd and /etc/shadow using bash builtins
+ supported_platforms:
+ - linux
+ input_arguments:
+ output_file:
+ description: Path where captured results will be placed
+ type: Path
+ default: /tmp/T1003.008.txt
+ executor:
+ command: |
+ function testcat(){ echo "$(< $1)"; }
+ testcat /etc/passwd > #{output_file}
+ testcat /etc/shadow > #{output_file}
+ cleanup_command: |
+ rm -f #{output_file}
+ name: bash
From 1c28bb03842c1c71d6761ba8b56e0e1f1d3352e0 Mon Sep 17 00:00:00 2001
From: George Allen
Date: Mon, 22 Nov 2021 03:19:29 +0000
Subject: [PATCH 2/5] T1003.008 - fix copy/pasted guids
---
 atomics/T1003.008/T1003.008.yaml | 4 ++--
 atomics/used_guids.txt | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
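Review bot: In both new tests the second capture overwrites the first, because `echo ,p | ed /etc/{sha,}dow > #{output_file}` and `testcat /etc/shadow > #{output_file}` each truncate the file that the preceding /etc/passwd line just wrote, so the artifact never holds both files the description promises. PATCH 5/5 collapses the ed test to a single redirect, but the builtins test keeps the clobber; `>>` on its second `testcat` line, or one redirect around both calls, would fix it. In the same test `$1` inside `$(< $1)` is unquoted, so `function testcat(){ echo "$(< "$1")"; }` is the safer form. The ed test's name says 'a standard bin that's not cat' but its description does not say why; a sentence such as `Reads the files with ed instead of cat so that detections written only around cat can be checked for coverage.` would tell analysts which gap the test is exercising.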
diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml
index 5a32a791..d9c3c049 100644
--- a/atomics/T1003.008/T1003.008.yaml
+++ b/atomics/T1003.008/T1003.008.yaml
@@ -21,7 +21,7 @@ atomic_tests:
 name: bash
 elevation_required: true
 - name: Access /etc/passwd (Local)
- auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
+ auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713
 description: |
 /etc/passwd file is accessed in Linux environments
 supported_platforms:
@@ -39,7 +39,7 @@ atomic_tests:
 rm -f #{output_file}
 name: sh
 - name: Access /etc/{shadow,passwd} with a standard bin that's not cat
- auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
+ auto_generated_guid: df1a55ae-019d-4120-bc35-94f4bc5c4b0a
 description: |
 Dump /etc/passwd and /etc/shadow using ed
 supported_platforms:
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 67b6c4df..556998a4 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -821,3 +821,5 @@ f449c933-0891-407f-821e-7916a21a1a6f
 d3eda496-1fc0-49e9-aff5-3bec5da9fa22
 e42d33cd-205c-4acf-ab59-a9f38f6bad9c
 dddd4aca-bbed-46f0-984d-e4c5971c51ea
+f5aa6543-6cb2-4fae-b9c2-b96e14721713
+df1a55ae-019d-4120-bc35-94f4bc5c4b0a
From 3468842c02424c86828ce4c4b22eef072db359c7 Mon Sep 17 00:00:00 2001
From: George Allen
Date: Mon, 22 Nov 2021 03:23:39 +0000
Subject: [PATCH 3/5] T1003.008 - fix guids (again)
the previous guid fix attempt was done by deleting the auto_generated_guid field, then running bin/generate-guids.rb. But I deleted the field under the wrong, existing test. Swapped the new guid back under the new test, since this didn't hit the jsons yet.
---
 atomics/T1003.008/T1003.008.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml
index d9c3c049..38f1e8ea 100644
--- a/atomics/T1003.008/T1003.008.yaml
+++ b/atomics/T1003.008/T1003.008.yaml
@@ -21,7 +21,7 @@ atomic_tests:
 name: bash
 elevation_required: true
 - name: Access /etc/passwd (Local)
- auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713
+ auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
 description: |
 /etc/passwd file is accessed in Linux environments
 supported_platforms:
@@ -57,7 +57,7 @@ atomic_tests:
 rm -f #{output_file}
 name: bash
 - name: Access /etc/{shadow,passwd} with shell builtins
- auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
+ auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713
 description: |
 Dump /etc/passwd and /etc/shadow using bash builtins
 supported_platforms:
From e96ce08275929e02c5351f86444d35ccc2918e82 Mon Sep 17 00:00:00 2001
From: George Allen
Date: Mon, 22 Nov 2021 03:29:56 +0000
Subject: [PATCH 4/5] T1003.008: set elevation_required
---
 atomics/T1003.008/T1003.008.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml
index 38f1e8ea..b53669cf 100644
--- a/atomics/T1003.008/T1003.008.yaml
+++ b/atomics/T1003.008/T1003.008.yaml
@@ -56,6 +56,7 @@ atomic_tests:
 cleanup_command: |
 rm -f #{output_file}
 name: bash
+ elevation_required: true
 - name: Access /etc/{shadow,passwd} with shell builtins
 auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713
 description: |
@@ -75,3 +76,4 @@ atomic_tests:
 cleanup_command: |
 rm -f #{output_file}
 name: bash
+ elevation_required: true
From 9a304d3485d7638d39ffef36486156f8557ac68d Mon Sep 17 00:00:00 2001
From: George Allen
Date: Tue, 23 Nov 2021 14:19:38 +0000
Subject: [PATCH 5/5] T1003.008 - tweak test to move arg off cmdline
---
 atomics/T1003.008/T1003.008.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml
index b53669cf..491690de 100644
--- a/atomics/T1003.008/T1003.008.yaml
+++ b/atomics/T1003.008/T1003.008.yaml
@@ -51,8 +51,7 @@ atomic_tests:
 default: /tmp/T1003.008.txt
 executor:
 command: |
- echo ,p | ed /etc/{pass,}wd > #{output_file}
- echo ,p | ed /etc/{sha,}dow > #{output_file}
+ echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}
 cleanup_command: |
 rm -f #{output_file}
 name: bash
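Review bot: The description still reads `Dump /etc/passwd and /etc/shadow using ed` and does not record what this hunk changes: the paths now reach ed as `e /etc/passwd` and `e /etc/shadow` on stdin rather than as arguments, so telemetry based only on process command lines will not show them. The description field sits outside the hunk; suggest appending `The file names are given to ed on stdin rather than as arguments, so this variant validates file-access (open/read) telemetry rather than process-argument logging.` so analysts know what the test is meant to confirm. Separately, if `e /etc/shadow` fails (which I believe leaves ed printing `?` and keeping the previous buffer), the second `,p` re-emits /etc/passwd and the output file still looks populated, so a permission failure is easy to miss; running with the elevation the test already declares, or checking ed's stderr, avoids a false pass.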