Added docker testcase for T1609.yaml

Fairly straightforward way to execute into a container.

Details:
The test was created for Kubernetes, and the MITRE framework also mentions Docker, so a second test was created for the same.

Testing:
Tested using ubuntu as the base image. If using just Docker, run the container (already present in the script) and execute the testcase.

It may take up to a minute to run due to image creation. If it hangs for longer than a minute, something went wrong.

Associated Issues:
None
This commit is contained in:
aman143kri
2022-12-15 19:57:12 -08:00
parent b86d24fd99
commit d13230ced8
2 changed files with 35 additions and 0 deletions
+30
@@ -31,3 +31,33 @@ atomic_tests:
kubectl delete pod busybox -n #{namespace}
name: bash
elevation_required: false
- name: DockerExecIntoContainer
auto_generated_guid:
description: |
Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“docker exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “docker exec”.
supported_platforms:
- containers
input_arguments:
command:
description: Command to run
type: String
default: cat
dependencies:
- description: |
docker must be installed
get_prereq_command: |
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
prereq_command: |
which docker
executor:
command: |
docker build -t t1609 /home/kali/test/atomic-red-team/atomics/T1609/src/
docker run --name t1609_container --rm -itd t1609 bash /tmp/script.sh
docker exec -i t1609_container bash -c "cat /tmp/output.txt"
cleanup_command: |
docker stop t1609_container
docker rmi -f t1609:latest
name: bash
elevation_required: false
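Review bot: In `executor.command`, the `docker build` line points at `/home/kali/test/atomic-red-team/atomics/T1609/src/`, an absolute path from one workstation, so the test fails for anyone whose checkout lives elsewhere; take the build directory from an input argument instead (Atomic Red Team provides `PathToAtomicsFolder` for building such defaults). The new `command` input argument (default `cat`) is also never referenced: the `docker exec` line hardcodes `cat /tmp/output.txt`, so either substitute `#{command}` there or drop the argument. The description still says "in the cluster", which reads as carried over from the kubectl test above and does not fit a plain Docker host.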
+5
@@ -0,0 +1,5 @@
FROM ubuntu
ARG DEBIAN_FRONTEND=noninteractive
RUN echo "1" > /tmp/output.txt && \
echo ' bin/sh -c "while true; do sleep 30;done;"' > /tmp/script.sh && chmod +x /tmp/script.sh
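Review bot: The second `echo` in the `RUN` step writes ` bin/sh -c "while true; do sleep 30;done;"` into `/tmp/script.sh`, so the script invokes `bin/sh` as a relative path and keeps the container alive only while the working directory is `/`; write `/bin/sh`, or just the loop itself, since the executor already runs the file with `bash`. `ARG DEBIAN_FRONTEND=noninteractive` has no effect here because no package is installed, and `FROM ubuntu` without a tag makes the test depend on whatever `latest` resolves to at build time, so pin a release tag.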