Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -986,7 +986,7 @@ credential-access,T1606.002,Forge Web Credentials: SAML token,1,Golden SAML,b16a
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
-credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
+credential-access,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 credential-access,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
 credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
 credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
@@ -994,6 +994,10 @@ credential-access,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba
 credential-access,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
 credential-access,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
 credential-access,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
+credential-access,T1040,Network Sniffing,9,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
+credential-access,T1040,Network Sniffing,10,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
+credential-access,T1040,Network Sniffing,11,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
+credential-access,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
 credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
 credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
 credential-access,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
@@ -1162,7 +1166,7 @@ discovery,T1069.002,Permission Groups Discovery: Domain Groups,13,Get-DomainGrou
 discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
 discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
 discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
-discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
+discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 discovery,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
 discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
 discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
@@ -1170,6 +1174,10 @@ discovery,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b
 discovery,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
 discovery,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
 discovery,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
+discovery,T1040,Network Sniffing,9,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
+discovery,T1040,Network Sniffing,10,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
+discovery,T1040,Network Sniffing,11,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
+discovery,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
 discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
 discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
 discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -160,7 +160,11 @@ credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO brute force Re
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
-credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
+credential-access,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
+credential-access,T1040,Network Sniffing,9,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
+credential-access,T1040,Network Sniffing,10,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
+credential-access,T1040,Network Sniffing,11,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
+credential-access,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
 credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,9,LaZagne.py - Dump Credentials from Firefox Browser,87e88698-621b-4c45-8a89-4eaebdeaabb1,sh
 credential-access,T1552.004,Unsecured Credentials: Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
@@ -184,7 +188,11 @@ discovery,T1087.001,Account Discovery: Local Account,5,Show if a user account ha
 discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
-discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
+discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
+discovery,T1040,Network Sniffing,9,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
+discovery,T1040,Network Sniffing,10,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
+discovery,T1040,Network Sniffing,11,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
+discovery,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
 discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
 discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
 discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware,31dad7ad-2286-4c02-ae92-274418c85fec,bash

atomics/Indexes/Indexes-Markdown/index.md

@@ -1648,7 +1648,7 @@
   - Atomic Test #3: Capture Passwords with MimiPenguin [linux]
 - T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1040 Network Sniffing](../../T1040/T1040.md)
-  - Atomic Test #1: Packet Capture Linux [linux]
+  - Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
   - Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
   - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
   - Atomic Test #4: Windows Internal Packet Capture [windows]
@@ -1656,6 +1656,10 @@
   - Atomic Test #6: Windows Internal pktmon set filter [windows]
   - Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
   - Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
+  - Atomic Test #9: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
+  - Atomic Test #10: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
+  - Atomic Test #11: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
+  - Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
 - [T1552.002 Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md)
   - Atomic Test #1: Enumeration for Credentials in Registry [windows]
   - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
@@ -1890,7 +1894,7 @@
   - Atomic Test #2: System Service Discovery - net.exe [windows]
   - Atomic Test #3: System Service Discovery - systemctl [linux]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
-  - Atomic Test #1: Packet Capture Linux [linux]
+  - Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
   - Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
   - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
   - Atomic Test #4: Windows Internal Packet Capture [windows]
@@ -1898,6 +1902,10 @@
   - Atomic Test #6: Windows Internal pktmon set filter [windows]
   - Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
   - Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
+  - Atomic Test #9: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
+  - Atomic Test #10: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
+  - Atomic Test #11: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
+  - Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
 - [T1135 Network Share Discovery](../../T1135/T1135.md)
   - Atomic Test #1: Network Share Discovery [macos]
   - Atomic Test #2: Network Share Discovery - linux [linux]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -386,7 +386,11 @@
   - Atomic Test #3: Capture Passwords with MimiPenguin [linux]
 - T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1040 Network Sniffing](../../T1040/T1040.md)
-  - Atomic Test #1: Packet Capture Linux [linux]
+  - Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
+  - Atomic Test #9: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
+  - Atomic Test #10: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
+  - Atomic Test #11: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
+  - Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
 - T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1552 Unsecured Credentials](../../T1552/T1552.md)
@@ -447,7 +451,11 @@
 - [T1007 System Service Discovery](../../T1007/T1007.md)
   - Atomic Test #3: System Service Discovery - systemctl [linux]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
-  - Atomic Test #1: Packet Capture Linux [linux]
+  - Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
+  - Atomic Test #9: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
+  - Atomic Test #10: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
+  - Atomic Test #11: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
+  - Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
 - [T1135 Network Share Discovery](../../T1135/T1135.md)
   - Atomic Test #2: Network Share Discovery - linux [linux]
 - T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -75071,7 +75071,7 @@ credential-access:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1040
     atomic_tests:
-    - name: Packet Capture Linux
+    - name: Packet Capture Linux using tshark or tcpdump
       auto_generated_guid: 7fe741f7-b265-4951-a7c7-320889083b3e
       description: |
         Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.
@@ -75308,6 +75308,153 @@ credential-access:
           '
         name: bash
         elevation_required: true
+    - name: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo
+      auto_generated_guid: 10c710c9-9104-4d5f-8829-5b65391e2a29
+      description: 'Captures packets with domain=AF_PACKET, type=SOCK_RAW for a few
+        seconds.
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        csource_path:
+          description: Path to C program source
+          type: String
+          default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
+        program_path:
+          description: Path to compiled C program
+          type: String
+          default: "/tmp/t1040_linux_pcapdemo"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'cc #{csource_path} -o #{program_path}
+
+          '
+      executor:
+        command: 'sudo #{program_path} -a -t 3
+
+          '
+        cleanup_command: 'rm -f #{program_path}
+
+          '
+        name: bash
+        elevation_required: true
+    - name: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo
+      auto_generated_guid: 7a0895f0-84c1-4adf-8491-a21510b1d4c1
+      description: 'Captures packets with domain=AF_INET,type=SOCK_RAW,protocol=TCP
+        for a few seconds.
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        csource_path:
+          description: Path to C program source
+          type: String
+          default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
+        program_path:
+          description: Path to compiled C program
+          type: String
+          default: "/tmp/t1040_linux_pcapdemo"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'cc #{csource_path} -o #{program_path}
+
+          '
+      executor:
+        command: 'sudo #{program_path} -4 -p 6 -t 3
+
+          '
+        cleanup_command: 'rm -f #{program_path}
+
+          '
+        name: bash
+        elevation_required: true
+    - name: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo
+      auto_generated_guid: 515575ab-d213-42b1-aa64-ef6a2dd4641b
+      description: |
+        Captures packets with domain=AF_INET,type=SOCK_PACKET,protocol=UDP for a few seconds.
+        SOCK_PACKET is "obsolete" according to the man page, but still works on Ubuntu 20.04
+      supported_platforms:
+      - linux
+      input_arguments:
+        csource_path:
+          description: Path to C program source
+          type: String
+          default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
+        program_path:
+          description: Path to compiled C program
+          type: String
+          default: "/tmp/t1040_linux_pcapdemo"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'cc #{csource_path} -o #{program_path}
+
+          '
+      executor:
+        command: 'sudo #{program_path} -4 -P -p 17 -t 3
+
+          '
+        cleanup_command: 'rm -f #{program_path}
+
+          '
+        name: bash
+        elevation_required: true
+    - name: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP
+        with sudo
+      auto_generated_guid: b1cbdf8b-6078-48f5-a890-11ea19d7f8e9
+      description: |
+        Captures packets with domain=AF_PACKET,type=SOCK_RAW for a few seconds.
+        Sets a BPF filter on the socket to filter for UDP traffic.
+      supported_platforms:
+      - linux
+      input_arguments:
+        csource_path:
+          description: Path to C program source
+          type: String
+          default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
+        program_path:
+          description: Path to compiled C program
+          type: String
+          default: "/tmp/t1040_linux_pcapdemo"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'cc #{csource_path} -o #{program_path}
+
+          '
+      executor:
+        command: 'sudo #{program_path} -a -f -t 3
+
+          '
+        cleanup_command: 'rm -f #{program_path}
+
+          '
+        name: bash
+        elevation_required: true
   T1552.002:
     technique:
       x_mitre_platforms:
@@ -84289,7 +84436,7 @@ discovery:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1040
     atomic_tests:
-    - name: Packet Capture Linux
+    - name: Packet Capture Linux using tshark or tcpdump
       auto_generated_guid: 7fe741f7-b265-4951-a7c7-320889083b3e
       description: |
         Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.
@@ -84526,6 +84673,153 @@ discovery:
           '
         name: bash
         elevation_required: true
+    - name: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo
+      auto_generated_guid: 10c710c9-9104-4d5f-8829-5b65391e2a29
+      description: 'Captures packets with domain=AF_PACKET, type=SOCK_RAW for a few
+        seconds.
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        csource_path:
+          description: Path to C program source
+          type: String
+          default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
+        program_path:
+          description: Path to compiled C program
+          type: String
+          default: "/tmp/t1040_linux_pcapdemo"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'cc #{csource_path} -o #{program_path}
+
+          '
+      executor:
+        command: 'sudo #{program_path} -a -t 3
+
+          '
+        cleanup_command: 'rm -f #{program_path}
+
+          '
+        name: bash
+        elevation_required: true
+    - name: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo
+      auto_generated_guid: 7a0895f0-84c1-4adf-8491-a21510b1d4c1
+      description: 'Captures packets with domain=AF_INET,type=SOCK_RAW,protocol=TCP
+        for a few seconds.
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        csource_path:
+          description: Path to C program source
+          type: String
+          default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
+        program_path:
+          description: Path to compiled C program
+          type: String
+          default: "/tmp/t1040_linux_pcapdemo"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'cc #{csource_path} -o #{program_path}
+
+          '
+      executor:
+        command: 'sudo #{program_path} -4 -p 6 -t 3
+
+          '
+        cleanup_command: 'rm -f #{program_path}
+
+          '
+        name: bash
+        elevation_required: true
+    - name: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo
+      auto_generated_guid: 515575ab-d213-42b1-aa64-ef6a2dd4641b
+      description: |
+        Captures packets with domain=AF_INET,type=SOCK_PACKET,protocol=UDP for a few seconds.
+        SOCK_PACKET is "obsolete" according to the man page, but still works on Ubuntu 20.04
+      supported_platforms:
+      - linux
+      input_arguments:
+        csource_path:
+          description: Path to C program source
+          type: String
+          default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
+        program_path:
+          description: Path to compiled C program
+          type: String
+          default: "/tmp/t1040_linux_pcapdemo"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'cc #{csource_path} -o #{program_path}
+
+          '
+      executor:
+        command: 'sudo #{program_path} -4 -P -p 17 -t 3
+
+          '
+        cleanup_command: 'rm -f #{program_path}
+
+          '
+        name: bash
+        elevation_required: true
+    - name: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP
+        with sudo
+      auto_generated_guid: b1cbdf8b-6078-48f5-a890-11ea19d7f8e9
+      description: |
+        Captures packets with domain=AF_PACKET,type=SOCK_RAW for a few seconds.
+        Sets a BPF filter on the socket to filter for UDP traffic.
+      supported_platforms:
+      - linux
+      input_arguments:
+        csource_path:
+          description: Path to C program source
+          type: String
+          default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
+        program_path:
+          description: Path to compiled C program
+          type: String
+          default: "/tmp/t1040_linux_pcapdemo"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
+
+          '
+        get_prereq_command: 'cc #{csource_path} -o #{program_path}
+
+          '
+      executor:
+        command: 'sudo #{program_path} -a -f -t 3
+
+          '
+        cleanup_command: 'rm -f #{program_path}
+
+          '
+        name: bash
+        elevation_required: true
   T1135:
     technique:
       x_mitre_platforms:

atomics/T1040/T1040.md

@@ -10,7 +10,7 @@ In cloud-based environments, adversaries may still be able to use traffic mirror
 
 ## Atomic Tests
 
-- [Atomic Test #1 - Packet Capture Linux](#atomic-test-1---packet-capture-linux)
+- [Atomic Test #1 - Packet Capture Linux using tshark or tcpdump](#atomic-test-1---packet-capture-linux-using-tshark-or-tcpdump)
 
 - [Atomic Test #2 - Packet Capture macOS using tcpdump or tshark](#atomic-test-2---packet-capture-macos-using-tcpdump-or-tshark)
 
@@ -26,10 +26,18 @@ In cloud-based environments, adversaries may still be able to use traffic mirror
 
 - [Atomic Test #8 - Filtered Packet Capture macOS using /dev/bpfN with sudo](#atomic-test-8---filtered-packet-capture-macos-using-devbpfn-with-sudo)
 
+- [Atomic Test #9 - Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo](#atomic-test-9---packet-capture-linux-socket-af_packetsock_raw-with-sudo)
+
+- [Atomic Test #10 - Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo](#atomic-test-10---packet-capture-linux-socket-af_inetsock_rawtcp-with-sudo)
+
+- [Atomic Test #11 - Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo](#atomic-test-11---packet-capture-linux-socket-af_inetsock_packetudp-with-sudo)
+
+- [Atomic Test #12 - Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo](#atomic-test-12---packet-capture-linux-socket-af_packetsock_raw-with-bpf-filter-for-udp-with-sudo)
+
 
 <br/>
 
-## Atomic Test #1 - Packet Capture Linux
+## Atomic Test #1 - Packet Capture Linux using tshark or tcpdump
 Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.
 
 Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
@@ -391,4 +399,206 @@ cc #{csource_path} -o #{program_path}
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #9 - Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo
+Captures packets with domain=AF_PACKET, type=SOCK_RAW for a few seconds.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 10c710c9-9104-4d5f-8829-5b65391e2a29
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| csource_path | Path to C program source | String | PathToAtomicsFolder/T1040/src/linux_pcapdemo.c|
+| program_path | Path to compiled C program | String | /tmp/t1040_linux_pcapdemo|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sudo #{program_path} -a -t 3
+```
+
+#### Cleanup Commands:
+```bash
+rm -f #{program_path}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: compile C program
+##### Check Prereq Commands:
+```bash
+if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
+```
+##### Get Prereq Commands:
+```bash
+cc #{csource_path} -o #{program_path}
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo
+Captures packets with domain=AF_INET,type=SOCK_RAW,protocol=TCP for a few seconds.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 7a0895f0-84c1-4adf-8491-a21510b1d4c1
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| csource_path | Path to C program source | String | PathToAtomicsFolder/T1040/src/linux_pcapdemo.c|
+| program_path | Path to compiled C program | String | /tmp/t1040_linux_pcapdemo|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sudo #{program_path} -4 -p 6 -t 3
+```
+
+#### Cleanup Commands:
+```bash
+rm -f #{program_path}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: compile C program
+##### Check Prereq Commands:
+```bash
+if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
+```
+##### Get Prereq Commands:
+```bash
+cc #{csource_path} -o #{program_path}
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo
+Captures packets with domain=AF_INET,type=SOCK_PACKET,protocol=UDP for a few seconds.
+SOCK_PACKET is "obsolete" according to the man page, but still works on Ubuntu 20.04
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 515575ab-d213-42b1-aa64-ef6a2dd4641b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| csource_path | Path to C program source | String | PathToAtomicsFolder/T1040/src/linux_pcapdemo.c|
+| program_path | Path to compiled C program | String | /tmp/t1040_linux_pcapdemo|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sudo #{program_path} -4 -P -p 17 -t 3
+```
+
+#### Cleanup Commands:
+```bash
+rm -f #{program_path}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: compile C program
+##### Check Prereq Commands:
+```bash
+if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
+```
+##### Get Prereq Commands:
+```bash
+cc #{csource_path} -o #{program_path}
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo
+Captures packets with domain=AF_PACKET,type=SOCK_RAW for a few seconds.
+Sets a BPF filter on the socket to filter for UDP traffic.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** b1cbdf8b-6078-48f5-a890-11ea19d7f8e9
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| csource_path | Path to C program source | String | PathToAtomicsFolder/T1040/src/linux_pcapdemo.c|
+| program_path | Path to compiled C program | String | /tmp/t1040_linux_pcapdemo|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sudo #{program_path} -a -f -t 3
+```
+
+#### Cleanup Commands:
+```bash
+rm -f #{program_path}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: compile C program
+##### Check Prereq Commands:
+```bash
+if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
+```
+##### Get Prereq Commands:
+```bash
+cc #{csource_path} -o #{program_path}
+```
+
+
+
+
 <br/>