From a7ff562b6ec1d3f4ebdfe2e34f78ceb2274b63e6 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 27 Aug 2021 15:54:05 +0000 Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 4 + atomics/Indexes/Indexes-CSV/linux-index.csv | 4 + atomics/Indexes/Indexes-Markdown/index.md | 4 + .../Indexes/Indexes-Markdown/linux-index.md | 4 + atomics/Indexes/index.yaml | 92 +++++++++++++++++++ atomics/T1548.001/T1548.001.md | 85 +++++++++++++++++ 6 files changed, 193 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index d4fe89f6..6dd3d9a2 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -211,6 +211,8 @@ privilege-escalation,T1574.011,Services Registry Permissions Weakness,2,Service privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh +privilege-escalation,T1548.001,Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh +privilege-escalation,T1548.001,Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh privilege-escalation,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt privilege-escalation,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell privilege-escalation,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh 
@@ -483,6 +485,8 @@ defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service Image defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh +defense-evasion,T1548.001,Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh +defense-evasion,T1548.001,Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt defense-evasion,T1218,Signed Binary Proxy Execution,2,SyncAppvPublishingServer - Execute arbitrary PowerShell code,d590097e-d402-44e2-ad72-2c6aa1ce78b1,command_prompt defense-evasion,T1218,Signed Binary Proxy Execution,3,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index 539fcfdf..b7bdd3bd 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv 
@@ -52,6 +52,8 @@ privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh +privilege-escalation,T1548.001,Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh +privilege-escalation,T1548.001,Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh 
@@ -123,6 +125,8 @@ defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f1 defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh +defense-evasion,T1548.001,Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh +defense-evasion,T1548.001,Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 441c083d..023c7c2a 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -385,6 +385,8 @@ - Atomic Test #1: Make and modify binary from C source [macos, linux] - Atomic Test #2: Set a SetUID flag on file [macos, linux] - Atomic Test #3: Set a SetGID flag on file [macos, linux] + - Atomic Test #4: Make and modify capabilities of a binary [linux] + - Atomic Test #5: Provide the SetUID capability to a file [linux] - [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md) - Atomic Test #1: Shortcut Modification [windows] - Atomic Test #2: Create shortcut to cmd in startup folders [windows] 
@@ -804,6 +806,8 @@ - Atomic Test #1: Make and modify binary from C source [macos, linux] - Atomic Test #2: Set a SetUID flag on file [macos, linux] - Atomic Test #3: Set a SetGID flag on file [macos, linux] + - Atomic Test #4: Make and modify capabilities of a binary [linux] + - Atomic Test #5: Provide the SetUID capability to a file [linux] - [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md) - Atomic Test #1: mavinject - Inject DLL into running process [windows] - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 6d926267..49ef4853 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -145,6 +145,8 @@ - Atomic Test #1: Make and modify binary from C source [macos, linux] - Atomic Test #2: Set a SetUID flag on file [macos, linux] - Atomic Test #3: Set a SetGID flag on file [macos, linux] + - Atomic Test #4: Make and modify capabilities of a binary [linux] + - Atomic Test #5: Provide the SetUID capability to a file [linux] - [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md) - Atomic Test #1: Sudo usage [macos, linux] - Atomic Test #2: Unlimited sudo cache timeout [macos, linux] @@ -295,6 +297,8 @@ - Atomic Test #1: Make and modify binary from C source [macos, linux] - Atomic Test #2: Set a SetUID flag on file [macos, linux] - Atomic Test #3: Set a SetGID flag on file [macos, linux] + - Atomic Test #4: Make and modify capabilities of a binary [linux] + - Atomic Test #5: Provide the SetUID capability to a file [linux] - T1036.006 Space after Filename [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1027.003 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 0f807a6d..71a8b9fc 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -17636,6 +17636,52 @@ privilege-escalation: sudo chmod g+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} +' + name: sh + elevation_required: true + - name: Make and modify capabilities of a binary + auto_generated_guid: db53959c-207d-4000-9e7a-cd8eb417e072 + description: | + Make and modify [capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) of a C source code file. + The binary doesn't have to modify the UID, but the binary is given the capability to arbitrarily modify it at any time with `setuid(0)`. + Without being owned by root, the binary can set the UID to 0. + supported_platforms: + - linux + input_arguments: + payload: + description: cap.c payload + type: path + default: PathToAtomicsFolder/T1548.001/src/cap.c + executor: + command: | + cp #{payload} /tmp/cap.c + make /tmp/cap + sudo setcap cap_setuid=ep /tmp/cap + /tmp/cap + cleanup_command: | + rm /tmp/cap + rm /tmp/cap.c + name: sh + elevation_required: true + - name: Provide the SetUID capability to a file + auto_generated_guid: 1ac3272f-9bcf-443a-9888-4b1d3de785c1 + description: 'This test gives a file the capability to set UID without using + flags. + +' + supported_platforms: + - linux + input_arguments: + file_to_setcap: + description: Path of file to provide the SetUID capability + type: path + default: "/tmp/evilBinary" + executor: + command: | + touch #{file_to_setcap} + sudo setcap cap_setuid=ep #{file_to_setcap} + cleanup_command: 'rm #{file_to_setcap} + ' name: sh elevation_required: true 
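Review bot: the new test #4 entry runs `make /tmp/cap` but declares no prerequisite, so on a host without `make` and a C compiler the executor fails at the build step instead of at a clear dependency check; add a `dependencies` entry with a `prereq_command` such as `which make cc` (the same entry is duplicated under defense-evasion in the next hunk, so it needs the same fix). The description also says capabilities are modified "of a C source code file", but `sudo setcap cap_setuid=ep /tmp/cap` is applied to the compiled binary, not the source; "of a binary built from a C source file" would be accurate. Since index.yaml is generated output, both corrections have to land in the technique's source YAML and be regenerated rather than edited here.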
@@ -34684,6 +34730,52 @@ defense-evasion: sudo chmod g+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} +' + name: sh + elevation_required: true + - name: Make and modify capabilities of a binary + auto_generated_guid: db53959c-207d-4000-9e7a-cd8eb417e072 + description: | + Make and modify [capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) of a C source code file. + The binary doesn't have to modify the UID, but the binary is given the capability to arbitrarily modify it at any time with `setuid(0)`. + Without being owned by root, the binary can set the UID to 0. + supported_platforms: + - linux + input_arguments: + payload: + description: cap.c payload + type: path + default: PathToAtomicsFolder/T1548.001/src/cap.c + executor: + command: | + cp #{payload} /tmp/cap.c + make /tmp/cap + sudo setcap cap_setuid=ep /tmp/cap + /tmp/cap + cleanup_command: | + rm /tmp/cap + rm /tmp/cap.c + name: sh + elevation_required: true + - name: Provide the SetUID capability to a file + auto_generated_guid: 1ac3272f-9bcf-443a-9888-4b1d3de785c1 + description: 'This test gives a file the capability to set UID without using + flags. + +' + supported_platforms: + - linux + input_arguments: + file_to_setcap: + description: Path of file to provide the SetUID capability + type: path + default: "/tmp/evilBinary" + executor: + command: | + touch #{file_to_setcap} + sudo setcap cap_setuid=ep #{file_to_setcap} + cleanup_command: 'rm #{file_to_setcap} + ' name: sh elevation_required: true diff --git a/atomics/T1548.001/T1548.001.md b/atomics/T1548.001/T1548.001.md index 7286cc60..8c134cc8 100644 --- a/atomics/T1548.001/T1548.001.md +++ b/atomics/T1548.001/T1548.001.md 
@@ -14,6 +14,10 @@ Adversaries can use this mechanism on their own malware to make sure they're abl - [Atomic Test #3 - Set a SetGID flag on file](#atomic-test-3---set-a-setgid-flag-on-file) +- [Atomic Test #4 - Make and modify capabilities of a binary](#atomic-test-4---make-and-modify-capabilities-of-a-binary) + +- [Atomic Test #5 - Provide the SetUID capability to a file](#atomic-test-5---provide-the-setuid-capability-to-a-file) +
@@ -135,4 +139,85 @@ sudo rm #{file_to_setuid} +
+
+ +## Atomic Test #4 - Make and modify capabilities of a binary +Make and modify [capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) of a C source code file. +The binary doesn't have to modify the UID, but the binary is given the capability to arbitrarily modify it at any time with `setuid(0)`. +Without being owned by root, the binary can set the UID to 0. + +**Supported Platforms:** Linux + + +**auto_generated_guid:** db53959c-207d-4000-9e7a-cd8eb417e072 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| payload | cap.c payload | path | PathToAtomicsFolder/T1548.001/src/cap.c| + + +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) + + +```sh +cp #{payload} /tmp/cap.c +make /tmp/cap +sudo setcap cap_setuid=ep /tmp/cap +/tmp/cap +``` + +#### Cleanup Commands: +```sh +rm /tmp/cap +rm /tmp/cap.c +``` + + + + + +
+
+ +## Atomic Test #5 - Provide the SetUID capability to a file +This test gives a file the capability to set UID without using flags. + +**Supported Platforms:** Linux + + +**auto_generated_guid:** 1ac3272f-9bcf-443a-9888-4b1d3de785c1 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| file_to_setcap | Path of file to provide the SetUID capability | path | /tmp/evilBinary| + + +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) + + +```sh +touch #{file_to_setcap} +sudo setcap cap_setuid=ep #{file_to_setcap} +``` + +#### Cleanup Commands: +```sh +rm #{file_to_setcap} +``` + + + + +
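Review bot: test #5's description "without using flags" is imprecise about what the test demonstrates: `sudo setcap cap_setuid=ep #{file_to_setcap}` grants the same ability as the SetUID bit without touching the file mode, so `ls -l` shows no `s` bit and only `getcap #{file_to_setcap}` (the `security.capability` extended attribute) reveals it; say "without setting the SetUID permission bit" and mention `getcap` as the way to confirm the result, since that is also what a defender has to audit. Note too that `touch` creates an empty, non-executable file, so this test exercises the setcap call and the resulting on-disk attribute, not an actual privilege change; stating that would stop readers from expecting the file to run. Minor: cleanup uses plain `rm` where the preceding test's cleanup uses `sudo rm`; it works here because the file is created by the invoking user, but consistency across the technique's tests would help. As with the YAML, the wording fix belongs in the source technique file, not in this generated markdown.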