From d13230ced8cc4423f0fd06137fa83eedaf7e00df Mon Sep 17 00:00:00 2001
From: aman143kri <42419157+aman143kri@users.noreply.github.com>
Date: Thu, 15 Dec 2022 19:57:12 -0800
Subject: [PATCH] Added docker testcase for T1609.yaml Fairly straight forward way to execute into a container. Details: The test was created for kubernetes and mitre framework also mentioned about docker. So created a second test for the same. Testing: Tested using ubuntuas the base image. If using just Docker, run the container(already present in the script) and execute the testcase. It may take up to a minute to run due to image creation. If it hangs for longer than a minute, something went wrong. Associated Issues: None
---
 atomics/T1609/T1609.yaml | 30 ++++++++++++++++++++++++++++++
 atomics/T1609/src/dockerfile | 5 +++++
 2 files changed, 35 insertions(+)
 create mode 100644 atomics/T1609/src/dockerfile
diff --git a/atomics/T1609/T1609.yaml b/atomics/T1609/T1609.yaml
index bf7cf744..195367a1 100644
--- a/atomics/T1609/T1609.yaml
+++ b/atomics/T1609/T1609.yaml
@@ -31,3 +31,33 @@ atomic_tests:
 kubectl delete pod busybox -n #{namespace}
 name: bash
 elevation_required: false
+- name: DockerExecIntoContainer
+ auto_generated_guid:
+ description: |
+ Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“docker exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “docker exec”.
+
+ supported_platforms:
+ - containers
+ input_arguments:
+ command:
+ description: Command to run
+ type: String
+ default: cat
+ dependencies:
+ - description: |
+ docker must be installed
+ get_prereq_command: |
+ if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
+ prereq_command: |
+ which docker
+ executor:
+ command: |
+ docker build -t t1609 /home/kali/test/atomic-red-team/atomics/T1609/src/
+ docker run --name t1609_container --rm -itd t1609 bash /tmp/script.sh
+ docker exec -i t1609_container bash -c "cat /tmp/output.txt"
+ cleanup_command: |
+ docker stop t1609_container
+ docker rmi -f t1609:latest
+ name: bash
+ elevation_required: false
+
diff --git a/atomics/T1609/src/dockerfile b/atomics/T1609/src/dockerfile
new file mode 100644
index 00000000..e210c05f
--- /dev/null
+++ b/atomics/T1609/src/dockerfile
@@ -0,0 +1,5 @@
+FROM ubuntu
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN echo "1" > /tmp/output.txt && \
+ echo ' bin/sh -c "while true; do sleep 30;done;"' > /tmp/script.sh && chmod +x /tmp/script.sh
\ No newline at end of file
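Review bot: The `docker build` line in the executor hard-codes `/home/kali/test/atomic-red-team/atomics/T1609/src/`, a path from the author's machine, so the test cannot run anywhere else; the repository's `PathToAtomicsFolder` placeholder is the portable form: `docker build -t t1609 PathToAtomicsFolder/T1609/src/`. The `command` input argument (`default: cat`) is declared but never interpolated — the exec line runs a literal `cat /tmp/output.txt` — so either reference it as `#{command}` or drop the argument. `auto_generated_guid:` is left empty and should be populated before the test is merged. The prerequisite installer runs `sudo apt-get -y install docker` although `elevation_required` is `false`, and on Debian/Ubuntu the engine is packaged as `docker.io`, so `docker` may resolve to an unrelated package and the prereq can report success while `which docker` still fails.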
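Review bot: The keep-alive script written on the last `RUN` line invokes ` bin/sh` with a leading space and no leading slash, so the interpreter path is resolved relative to the working directory and only works because the image has no `WORKDIR` and starts in `/`; write `echo '/bin/sh -c "while true; do sleep 30; done"' > /tmp/script.sh` instead. `FROM ubuntu` is untagged, so the image the test builds drifts with every upstream push and the test's behaviour is not reproducible; pin a tag, e.g. `FROM ubuntu:22.04`. `ARG DEBIAN_FRONTEND=noninteractive` is unused because nothing in the file calls apt-get, and the file lacks a trailing newline.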