Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -640,6 +640,7 @@ privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bas
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,4,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,5,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
+privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,6,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
 privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
@@ -933,6 +934,7 @@ persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,4,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,5,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
+persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,6,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
 persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -139,6 +139,7 @@ persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,4,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,5,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
+persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,6,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
 persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
 persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 persistence,T1543.002,Create or Modify System Process: Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
@@ -170,6 +171,7 @@ privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bas
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,4,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,5,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
+privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,6,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
 privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
 privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
 privilege-escalation,T1543.002,Create or Modify System Process: Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash

atomics/Indexes/Indexes-Markdown/index.md

@@ -947,6 +947,7 @@
   - Atomic Test #3: Append to the system shell profile [linux]
   - Atomic Test #4: Append commands user shell profile [linux]
   - Atomic Test #5: System shell profile scripts [linux]
+  - Atomic Test #6: Create/Append to .bash_logout [linux]
 - [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
   - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1456,6 +1457,7 @@
   - Atomic Test #3: Append to the system shell profile [linux]
   - Atomic Test #4: Append commands user shell profile [linux]
   - Atomic Test #5: System shell profile scripts [linux]
+  - Atomic Test #6: Create/Append to .bash_logout [linux]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
   - Atomic Test #1: Authentication Package [windows]
 - T1128 Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -301,6 +301,7 @@
   - Atomic Test #3: Append to the system shell profile [linux]
   - Atomic Test #4: Append commands user shell profile [linux]
   - Atomic Test #5: System shell profile scripts [linux]
+  - Atomic Test #6: Create/Append to .bash_logout [linux]
 - T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -373,6 +374,7 @@
   - Atomic Test #3: Append to the system shell profile [linux]
   - Atomic Test #4: Append commands user shell profile [linux]
   - Atomic Test #5: System shell profile scripts [linux]
+  - Atomic Test #6: Create/Append to .bash_logout [linux]
 - T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -39532,6 +39532,27 @@ privilege-escalation:
           '
         cleanup_command: 'sed -i "s/# Atomic Red Team was here... T1546.004//" /etc/profile.d/bash_completion.sh
 
+          '
+    - name: Create/Append to .bash_logout
+      auto_generated_guid: 37ad2f24-7c53-4a50-92da-427a4ad13f58
+      description: "The Bash shell runs ~/.bash_logout \"if it exists\" to run commands
+        on user logout. An adversary may create or append to a .bash_logout to clear
+        history, start processes etc. Note the ~/.bash_logout is only run if you explicitly
+        exit or log out of an \"interactive login shell session\" i.e. via the console,
+        SSH, /bin/bash -l or su -l <username>. \n\nThis test creates the art user,
+        logs in, creates a .bash_logout which will echo some text into the art.txt
+        file on logout and logs out and the /home/art/art.txt is created.\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          useradd --create-home --shell /bin/bash art
+          su --login art
+          echo 'echo "Atomic Red Team was here... T1546.004" >> $HOME/art.txt' >> $HOME/.bash_logout
+        cleanup_command: 'userdel -fr art
+
           '
   T1134.005:
     technique:
@@ -63808,6 +63829,27 @@ persistence:
           '
         cleanup_command: 'sed -i "s/# Atomic Red Team was here... T1546.004//" /etc/profile.d/bash_completion.sh
 
+          '
+    - name: Create/Append to .bash_logout
+      auto_generated_guid: 37ad2f24-7c53-4a50-92da-427a4ad13f58
+      description: "The Bash shell runs ~/.bash_logout \"if it exists\" to run commands
+        on user logout. An adversary may create or append to a .bash_logout to clear
+        history, start processes etc. Note the ~/.bash_logout is only run if you explicitly
+        exit or log out of an \"interactive login shell session\" i.e. via the console,
+        SSH, /bin/bash -l or su -l <username>. \n\nThis test creates the art user,
+        logs in, creates a .bash_logout which will echo some text into the art.txt
+        file on logout and logs out and the /home/art/art.txt is created.\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          useradd --create-home --shell /bin/bash art
+          su --login art
+          echo 'echo "Atomic Red Team was here... T1546.004" >> $HOME/art.txt' >> $HOME/.bash_logout
+        cleanup_command: 'userdel -fr art
+
           '
   T1547.002:
     technique:

atomics/Indexes/linux-index.yaml

@@ -25294,6 +25294,27 @@ privilege-escalation:
           '
         cleanup_command: 'sed -i "s/# Atomic Red Team was here... T1546.004//" /etc/profile.d/bash_completion.sh
 
+          '
+    - name: Create/Append to .bash_logout
+      auto_generated_guid: 37ad2f24-7c53-4a50-92da-427a4ad13f58
+      description: "The Bash shell runs ~/.bash_logout \"if it exists\" to run commands
+        on user logout. An adversary may create or append to a .bash_logout to clear
+        history, start processes etc. Note the ~/.bash_logout is only run if you explicitly
+        exit or log out of an \"interactive login shell session\" i.e. via the console,
+        SSH, /bin/bash -l or su -l <username>. \n\nThis test creates the art user,
+        logs in, creates a .bash_logout which will echo some text into the art.txt
+        file on logout and logs out and the /home/art/art.txt is created.\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          useradd --create-home --shell /bin/bash art
+          su --login art
+          echo 'echo "Atomic Red Team was here... T1546.004" >> $HOME/art.txt' >> $HOME/.bash_logout
+        cleanup_command: 'userdel -fr art
+
           '
   T1134.005:
     technique:
@@ -42150,6 +42171,27 @@ persistence:
           '
         cleanup_command: 'sed -i "s/# Atomic Red Team was here... T1546.004//" /etc/profile.d/bash_completion.sh
 
+          '
+    - name: Create/Append to .bash_logout
+      auto_generated_guid: 37ad2f24-7c53-4a50-92da-427a4ad13f58
+      description: "The Bash shell runs ~/.bash_logout \"if it exists\" to run commands
+        on user logout. An adversary may create or append to a .bash_logout to clear
+        history, start processes etc. Note the ~/.bash_logout is only run if you explicitly
+        exit or log out of an \"interactive login shell session\" i.e. via the console,
+        SSH, /bin/bash -l or su -l <username>. \n\nThis test creates the art user,
+        logs in, creates a .bash_logout which will echo some text into the art.txt
+        file on logout and logs out and the /home/art/art.txt is created.\n"
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          useradd --create-home --shell /bin/bash art
+          su --login art
+          echo 'echo "Atomic Red Team was here... T1546.004" >> $HOME/art.txt' >> $HOME/.bash_logout
+        cleanup_command: 'userdel -fr art
+
           '
   T1547.002:
     technique:

atomics/T1546.004/T1546.004.md

@@ -18,6 +18,8 @@ For macOS, the functionality of this technique is similar but may leverage zsh,
 
 - [Atomic Test #5 - System shell profile scripts](#atomic-test-5---system-shell-profile-scripts)
 
+- [Atomic Test #6 - Create/Append to .bash_logout](#atomic-test-6---createappend-to-bash_logout)
+
 
 <br/>
 
@@ -205,4 +207,40 @@ sed -i "s/# Atomic Red Team was here... T1546.004//" /etc/profile.d/bash_complet
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - Create/Append to .bash_logout
+The Bash shell runs ~/.bash_logout "if it exists" to run commands on user logout. An adversary may create or append to a .bash_logout to clear history, start processes etc. Note the ~/.bash_logout is only run if you explicitly exit or log out of an "interactive login shell session" i.e. via the console, SSH, /bin/bash -l or su -l <username>. 
+
+This test creates the art user, logs in, creates a .bash_logout which will echo some text into the art.txt file on logout and logs out and the /home/art/art.txt is created.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 37ad2f24-7c53-4a50-92da-427a4ad13f58
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+useradd --create-home --shell /bin/bash art
+su --login art
+echo 'echo "Atomic Red Team was here... T1546.004" >> $HOME/art.txt' >> $HOME/.bash_logout
+```
+
+#### Cleanup Commands:
+```bash
+userdel -fr art
+```
+
+
+
+
+
 <br/>