Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Indexes-CSV/index.csv

@@ -211,6 +211,8 @@ privilege-escalation,T1574.011,Services Registry Permissions Weakness,2,Service
 privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
 privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
 privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
+privilege-escalation,T1548.001,Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
+privilege-escalation,T1548.001,Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
 privilege-escalation,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
 privilege-escalation,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
 privilege-escalation,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
@@ -483,6 +485,8 @@ defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service Image
 defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
 defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
 defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
+defense-evasion,T1548.001,Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
+defense-evasion,T1548.001,Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
 defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,2,SyncAppvPublishingServer - Execute arbitrary PowerShell code,d590097e-d402-44e2-ad72-2c6aa1ce78b1,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,3,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -52,6 +52,8 @@ privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a
 privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
 privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
 privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
+privilege-escalation,T1548.001,Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
+privilege-escalation,T1548.001,Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
 privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
@@ -123,6 +125,8 @@ defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f1
 defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
 defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
 defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
+defense-evasion,T1548.001,Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
+defense-evasion,T1548.001,Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh

atomics/Indexes/Indexes-Markdown/index.md

@@ -385,6 +385,8 @@
   - Atomic Test #1: Make and modify binary from C source [macos, linux]
   - Atomic Test #2: Set a SetUID flag on file [macos, linux]
   - Atomic Test #3: Set a SetGID flag on file [macos, linux]
+  - Atomic Test #4: Make and modify capabilities of a binary [linux]
+  - Atomic Test #5: Provide the SetUID capability to a file [linux]
 - [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md)
   - Atomic Test #1: Shortcut Modification [windows]
   - Atomic Test #2: Create shortcut to cmd in startup folders [windows]
@@ -804,6 +806,8 @@
   - Atomic Test #1: Make and modify binary from C source [macos, linux]
   - Atomic Test #2: Set a SetUID flag on file [macos, linux]
   - Atomic Test #3: Set a SetGID flag on file [macos, linux]
+  - Atomic Test #4: Make and modify capabilities of a binary [linux]
+  - Atomic Test #5: Provide the SetUID capability to a file [linux]
 - [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
   - Atomic Test #1: mavinject - Inject DLL into running process [windows]
   - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -145,6 +145,8 @@
   - Atomic Test #1: Make and modify binary from C source [macos, linux]
   - Atomic Test #2: Set a SetUID flag on file [macos, linux]
   - Atomic Test #3: Set a SetGID flag on file [macos, linux]
+  - Atomic Test #4: Make and modify capabilities of a binary [linux]
+  - Atomic Test #5: Provide the SetUID capability to a file [linux]
 - [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
   - Atomic Test #1: Sudo usage [macos, linux]
   - Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
@@ -295,6 +297,8 @@
   - Atomic Test #1: Make and modify binary from C source [macos, linux]
   - Atomic Test #2: Set a SetUID flag on file [macos, linux]
   - Atomic Test #3: Set a SetGID flag on file [macos, linux]
+  - Atomic Test #4: Make and modify capabilities of a binary [linux]
+  - Atomic Test #5: Provide the SetUID capability to a file [linux]
 - T1036.006 Space after Filename [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1027.003 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/index.yaml

@@ -17636,6 +17636,52 @@ privilege-escalation:
           sudo chmod g+s #{file_to_setuid}
         cleanup_command: 'sudo rm #{file_to_setuid}
 
+'
+        name: sh
+        elevation_required: true
+    - name: Make and modify capabilities of a binary
+      auto_generated_guid: db53959c-207d-4000-9e7a-cd8eb417e072
+      description: |
+        Make and modify [capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) of a C source code file.
+        The binary doesn't have to modify the UID, but the binary is given the capability to arbitrarily modify it at any time with `setuid(0)`.
+        Without being owned by root, the binary can set the UID to 0.
+      supported_platforms:
+      - linux
+      input_arguments:
+        payload:
+          description: cap.c payload
+          type: path
+          default: PathToAtomicsFolder/T1548.001/src/cap.c
+      executor:
+        command: |
+          cp #{payload} /tmp/cap.c
+          make /tmp/cap
+          sudo setcap cap_setuid=ep /tmp/cap
+          /tmp/cap
+        cleanup_command: |
+          rm /tmp/cap
+          rm /tmp/cap.c
+        name: sh
+        elevation_required: true
+    - name: Provide the SetUID capability to a file
+      auto_generated_guid: 1ac3272f-9bcf-443a-9888-4b1d3de785c1
+      description: 'This test gives a file the capability to set UID without using
+        flags.
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        file_to_setcap:
+          description: Path of file to provide the SetUID capability
+          type: path
+          default: "/tmp/evilBinary"
+      executor:
+        command: |
+          touch #{file_to_setcap}
+          sudo setcap cap_setuid=ep #{file_to_setcap}
+        cleanup_command: 'rm #{file_to_setcap}
+
 '
         name: sh
         elevation_required: true
@@ -34684,6 +34730,52 @@ defense-evasion:
           sudo chmod g+s #{file_to_setuid}
         cleanup_command: 'sudo rm #{file_to_setuid}
 
+'
+        name: sh
+        elevation_required: true
+    - name: Make and modify capabilities of a binary
+      auto_generated_guid: db53959c-207d-4000-9e7a-cd8eb417e072
+      description: |
+        Make and modify [capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) of a C source code file.
+        The binary doesn't have to modify the UID, but the binary is given the capability to arbitrarily modify it at any time with `setuid(0)`.
+        Without being owned by root, the binary can set the UID to 0.
+      supported_platforms:
+      - linux
+      input_arguments:
+        payload:
+          description: cap.c payload
+          type: path
+          default: PathToAtomicsFolder/T1548.001/src/cap.c
+      executor:
+        command: |
+          cp #{payload} /tmp/cap.c
+          make /tmp/cap
+          sudo setcap cap_setuid=ep /tmp/cap
+          /tmp/cap
+        cleanup_command: |
+          rm /tmp/cap
+          rm /tmp/cap.c
+        name: sh
+        elevation_required: true
+    - name: Provide the SetUID capability to a file
+      auto_generated_guid: 1ac3272f-9bcf-443a-9888-4b1d3de785c1
+      description: 'This test gives a file the capability to set UID without using
+        flags.
+
+'
+      supported_platforms:
+      - linux
+      input_arguments:
+        file_to_setcap:
+          description: Path of file to provide the SetUID capability
+          type: path
+          default: "/tmp/evilBinary"
+      executor:
+        command: |
+          touch #{file_to_setcap}
+          sudo setcap cap_setuid=ep #{file_to_setcap}
+        cleanup_command: 'rm #{file_to_setcap}
+
 '
         name: sh
         elevation_required: true

atomics/T1548.001/T1548.001.md

@@ -14,6 +14,10 @@ Adversaries can use this mechanism on their own malware to make sure they're abl
 
 - [Atomic Test #3 - Set a SetGID flag on file](#atomic-test-3---set-a-setgid-flag-on-file)
 
+- [Atomic Test #4 - Make and modify capabilities of a binary](#atomic-test-4---make-and-modify-capabilities-of-a-binary)
+
+- [Atomic Test #5 - Provide the SetUID capability to a file](#atomic-test-5---provide-the-setuid-capability-to-a-file)
+
 
 <br/>
 
@@ -135,4 +139,85 @@ sudo rm #{file_to_setuid}
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - Make and modify capabilities of a binary
+Make and modify [capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) of a C source code file.
+The binary doesn't have to modify the UID, but the binary is given the capability to arbitrarily modify it at any time with `setuid(0)`.
+Without being owned by root, the binary can set the UID to 0.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** db53959c-207d-4000-9e7a-cd8eb417e072
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| payload | cap.c payload | path | PathToAtomicsFolder/T1548.001/src/cap.c|
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+cp #{payload} /tmp/cap.c
+make /tmp/cap
+sudo setcap cap_setuid=ep /tmp/cap
+/tmp/cap
+```
+
+#### Cleanup Commands:
+```sh
+rm /tmp/cap
+rm /tmp/cap.c
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Provide the SetUID capability to a file
+This test gives a file the capability to set UID without using flags.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 1ac3272f-9bcf-443a-9888-4b1d3de785c1
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_to_setcap | Path of file to provide the SetUID capability | path | /tmp/evilBinary|
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+touch #{file_to_setcap}
+sudo setcap cap_setuid=ep #{file_to_setcap}
+```
+
+#### Cleanup Commands:
+```sh
+rm #{file_to_setcap}
+```
+
+
+
+
+
 <br/>