From abd235ade42a2f6c04b565868922a8b6f09fa45a Mon Sep 17 00:00:00 2001
From: AlbertoPellitteri <66901396+AlbertoPellitteri@users.noreply.github.com>
Date: Sun, 15 Sep 2024 00:16:13 +0200
Subject: [PATCH] Removing comments from code section and adding it to descriptions (#2922)
Co-authored-by: Carrie Roberts
---
atomics/T1078.003/T1078.003.yaml | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/atomics/T1078.003/T1078.003.yaml b/atomics/T1078.003/T1078.003.yaml
index a3329edf..4bd783fe 100644
--- a/atomics/T1078.003/T1078.003.yaml
+++ b/atomics/T1078.003/T1078.003.yaml
@@ -165,36 +165,32 @@ atomic_tests: - name: Login as nobody (Linux) auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85 description: | - An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin. + An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin. Here is how the nobody entry should look like in `/etc/passwd` before the test is executed and right after the cleanup: `# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin` supported_platforms: - linux executor: name: bash elevation_required: true command: | - cat /etc/passwd |grep nobody - # -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin + cat /etc/passwd |grep nobody chsh --shell /bin/bash nobody usermod --password $(openssl passwd -1 nobody) nobody - su nobody - whoami - exit + su -c "whoami" nobody cleanup_command: | chsh --shell /usr/sbin/nologin nobody - cat /etc/passwd |grep nobody + cat /etc/passwd |grep nobody # -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin - name: Login as nobody (freebsd) auto_generated_guid: 16f6374f-7600-459a-9b16-6a88fd96d310 description: | - An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin. + An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin. 
Here is how the nobody entry should look like in `/etc/passwd` before the test is executed and right after the cleanup: `# -> nobody:x:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin` supported_platforms: - linux executor: name: sh elevation_required: true command: | - cat /etc/passwd |grep nobody - # -> nobody:x:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin + cat /etc/passwd |grep nobody pw usermod nobody -s /bin/sh echo $(openssl passwd -1 art) | pw mod user nobody -h 0 su nobody
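Review bot: The Linux cleanup_command touched in this hunk still leaves `nobody` with the password set by `usermod --password` — it only restores the login shell, so the system account keeps a known credential after the test ends; add a line such as `usermod --password '*' nobody` before the final `cat` so the entry returns to a locked state (the FreeBSD cleanup lies outside the hunk and presumably needs the equivalent). The new FreeBSD description says the password is changed to nobody, but the command a few lines below sets it to `art` via `openssl passwd -1 art`; either the description or the command should be corrected so they agree. The FreeBSD command still ends with a bare `su nobody` while the Linux test was changed to `su -c "whoami" nobody`; the same non-interactive form likely applies there too. The `# -> ` prefix carried into both descriptions and the inline comment kept on the Linux cleanup `cat` line are leftovers of the shell comments this commit set out to remove; consider keeping the expected entry only in the description.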