Generate docs from job=validate_atomics_generate_docs branch=master

CircleCI Atomic Red Team doc generator
2019-12-23 15:20:41 +00:00
parent 096ba193b4
commit f4eac66bb7
4 changed files with 52 additions and 38 deletions
+16 -12
@@ -6,33 +6,37 @@ An adversary can create the appropriate folders/files in the StartupItems direct
## Atomic Tests
- [Atomic Test #1 - Startup Items](#atomic-test-1---startup-items)
- [Atomic Test #1 - add file to Local Library StartupItems](#atomic-test-1---add-file-to-local-library-startupitems)
- [Atomic Test #2 - Startup Items (emond rule)](#atomic-test-2---startup-items-emond-rule)
- [Atomic Test #2 - Persistance with Event Monitor - emond](#atomic-test-2---persistance-with-event-monitor---emond)
<br/>
## Atomic Test #1 - Startup Items
Modify or create an file in StartupItems
## Atomic Test #1 - add file to Local Library StartupItems
Modify or create an file in /Library/StartupItems
[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
**Supported Platforms:** macOS
#### Run it with these steps!
1. /Library/StartupItems/StartupParameters.plist
#### Run it with `sh`! Elevation Required (e.g. root or admin)
```
sudo touch /Library/StartupItems/EvilStartup.plist
```
#### Cleanup Commands:
```
sudo rm /Library/StartupItems/EvilStartup.plist
```
<br/>
<br/>
## Atomic Test #2 - Startup Items (emond rule)
Establish persistence via a rule run by emond daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
## Atomic Test #2 - Persistance with Event Monitor - emond
Establish persistence via a rule run by OSX's emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
**Supported Platforms:** macOS
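Review bot: the renamed heading `## Atomic Test #2 - Persistance with Event Monitor - emond` misspells "Persistence", and because this file is generated the fix belongs in the source atomic YAML so the heading, the TOC anchor `#atomic-test-2---persistance-with-event-monitor---emond` and the index entries are all regenerated together. In the same hunk, "Modify or create an file in /Library/StartupItems" should read "a file", and "OSX's emond" should be "macOS's emond". More substantively, the manual step that was removed pointed at `StartupParameters.plist`, while the new command `sudo touch /Library/StartupItems/EvilStartup.plist` only drops an empty file: a legacy StartupItem is a directory containing an executable plus a `StartupParameters.plist`, so this test exercises a write into the directory rather than a working startup item, and the description should say so. Consider prefixing `sudo mkdir -p /Library/StartupItems`, since on a clean current macOS install the directory usually does not exist, in which case both the `touch` and the `sudo rm` cleanup fail.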
@@ -40,9 +44,9 @@ Establish persistence via a rule run by emond daemon at startup, based on https:
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| plist | Path to emond plist file | path | /path/to/T1165_emond.plist|
| plist | Path to attacker emond plist file | path | $PathToAtomics/T1165/src/T1165_emond.plist|
#### Run it with `sh`!
#### Run it with `sh`! Elevation Required (e.g. root or admin)
```
sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
sudo touch /private/var/db/emondClients/T1165
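Review bot: the new default `$PathToAtomics/T1165/src/T1165_emond.plist` is a shell variable embedded in a YAML default, so `sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist` only works if the executor expands `$PathToAtomics` before the command runs (and `sudo` does not scrub it); confirm this is the variable name the execution framework actually populates and state it in the input description. "Path to attacker emond plist file" reads awkwardly; "Path to the emond rule plist to install" is clearer. Since the test writes to both `/etc/emond.d/rules/` and `/private/var/db/emondClients/` with elevation, make sure the cleanup for this test (not visible in this hunk) removes both `/etc/emond.d/rules/T1165_emond.plist` and `/private/var/db/emondClients/T1165`, otherwise the rule stays armed after the test.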
+4 -4
@@ -134,8 +134,8 @@
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- [T1165 Startup Items](./T1165/T1165.md)
- Atomic Test #1: Startup Items [macos]
- Atomic Test #2: Startup Items (emond rule) [macos]
- Atomic Test #1: add file to Local Library StartupItems [macos]
- Atomic Test #2: Persistance with Event Monitor - emond [macos]
- T1019 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1501 Systemd Service](./T1501/T1501.md)
- Atomic Test #1: Create Systemd Service [linux]
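Review bot: `Atomic Test #2: Persistance with Event Monitor - emond [macos]` carries the misspelling over from the renamed test; this index is generated, so correct "Persistence" in the atomic's YAML and regenerate rather than patching the index by hand. The lower-case `add file to Local Library StartupItems` is also inconsistent with the capitalized test names around it (compare `Create shortcut to cmd in startup folders` just above).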
@@ -478,8 +478,8 @@
- Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, centos, ubuntu, linux]
- [T1165 Startup Items](./T1165/T1165.md)
- Atomic Test #1: Startup Items [macos]
- Atomic Test #2: Startup Items (emond rule) [macos]
- Atomic Test #1: add file to Local Library StartupItems [macos]
- Atomic Test #2: Persistance with Event Monitor - emond [macos]
- [T1169 Sudo](./T1169/T1169.md)
- Atomic Test #1: Sudo usage [macos, linux]
- [T1206 Sudo Caching](./T1206/T1206.md)
+28 -18
@@ -4663,32 +4663,37 @@ persistence:
modified: '2019-07-18T17:58:17.016Z'
identifier: T1165
atomic_tests:
- name: Startup Items
- name: add file to Local Library StartupItems
description: |
Modify or create an file in StartupItems
Modify or create an file in /Library/StartupItems
[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
executor:
name: manual
steps: '1. /Library/StartupItems/StartupParameters.plist
name: sh
elevation_required: true
command: 'sudo touch /Library/StartupItems/EvilStartup.plist
'
- name: Startup Items (emond rule)
description: 'Establish persistence via a rule run by emond daemon at startup,
based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist
'
- name: Persistance with Event Monitor - emond
description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor)
daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
'
supported_platforms:
- macos
input_arguments:
plist:
description: Path to emond plist file
description: Path to attacker emond plist file
type: path
default: "/path/to/T1165_emond.plist"
default: "$PathToAtomics/T1165/src/T1165_emond.plist"
executor:
name: sh
elevation_required: true
command: |
sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
sudo touch /private/var/db/emondClients/T1165
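Review bot: `modified: '2019-07-18T17:58:17.016Z'` is left untouched although both tests under `identifier: T1165` were renamed, the first executor changed from `manual` to `sh` with `elevation_required: true` and a new `cleanup_command`, and the emond test gained `elevation_required: true` and a new default; bump the timestamp (or have the generator derive it from the source file) so consumers that key on `modified` see the change. Within this hunk the emond test has no `cleanup_command`, unlike the first test; confirm one follows that removes `/etc/emond.d/rules/T1165_emond.plist` and `/private/var/db/emondClients/T1165`. The same wording fixes apply as in the markdown: "an file" to "a file", "Persistance" to "Persistence", "OSX" to "macOS".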
@@ -15040,32 +15045,37 @@ privilege-escalation:
modified: '2019-07-18T17:58:17.016Z'
identifier: T1165
atomic_tests:
- name: Startup Items
- name: add file to Local Library StartupItems
description: |
Modify or create an file in StartupItems
Modify or create an file in /Library/StartupItems
[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
executor:
name: manual
steps: '1. /Library/StartupItems/StartupParameters.plist
name: sh
elevation_required: true
command: 'sudo touch /Library/StartupItems/EvilStartup.plist
'
- name: Startup Items (emond rule)
description: 'Establish persistence via a rule run by emond daemon at startup,
based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist
'
- name: Persistance with Event Monitor - emond
description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor)
daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
'
supported_platforms:
- macos
input_arguments:
plist:
description: Path to emond plist file
description: Path to attacker emond plist file
type: path
default: "/path/to/T1165_emond.plist"
default: "$PathToAtomics/T1165/src/T1165_emond.plist"
executor:
name: sh
elevation_required: true
command: |
sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist
sudo touch /private/var/db/emondClients/T1165
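Review bot: this hunk is the identical T1165 block repeated under `privilege-escalation:`, with the same stale `modified: '2019-07-18T17:58:17.016Z'`, the same missing `cleanup_command` for the emond test and the same typos as the `persistence:` copy above; whatever fix is made must go into the generator's input so both copies stay in sync rather than being edited in this file.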
+4 -4
@@ -46,8 +46,8 @@
- Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, centos, ubuntu, linux]
- [T1165 Startup Items](./T1165/T1165.md)
- Atomic Test #1: Startup Items [macos]
- Atomic Test #2: Startup Items (emond rule) [macos]
- Atomic Test #1: add file to Local Library StartupItems [macos]
- Atomic Test #2: Persistance with Event Monitor - emond [macos]
- [T1154 Trap](./T1154/T1154.md)
- Atomic Test #1: Trap [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -363,8 +363,8 @@
- Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, centos, ubuntu, linux]
- [T1165 Startup Items](./T1165/T1165.md)
- Atomic Test #1: Startup Items [macos]
- Atomic Test #2: Startup Items (emond rule) [macos]
- Atomic Test #1: add file to Local Library StartupItems [macos]
- Atomic Test #2: Persistance with Event Monitor - emond [macos]
- [T1169 Sudo](./T1169/T1169.md)
- Atomic Test #1: Sudo usage [macos, linux]
- [T1206 Sudo Caching](./T1206/T1206.md)