security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1543.002/T1543.002.yaml
T
AlbertoPellitteri 1c96b6af45 Fixing test 3 (#2926) 
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2024-09-14 17:21:28 -05:00

156 lines
7.7 KiB
YAML
Raw Permalink Blame History

attack_technique: T1543.002
display_name: 'Create or Modify System Process: SysV/Systemd Service'
atomic_tests:
- name: Create Systemd Service
auto_generated_guid: d9e4f24f-aa67-4c6e-bcbf-85622b697a7c
description: |
This test creates a Systemd service unit file and enables it as a service.
supported_platforms:
- linux
input_arguments:
systemd_service_path:
description: Path to systemd service unit file
type: path
default: /etc/systemd/system
systemd_service_file:
description: File name of systemd service unit file
type: string
default: art-systemd-service.service
execstoppost_action:
description: ExecStopPost action for Systemd service
type: string
default: /bin/touch /tmp/art-systemd-execstoppost-marker
execreload_action:
description: ExecReload action for Systemd service
type: string
default: /bin/touch /tmp/art-systemd-execreload-marker
execstart_action:
description: ExecStart action for Systemd service
type: string
default: /bin/touch /tmp/art-systemd-execstart-marker
execstop_action:
description: ExecStop action for Systemd service
type: string
default: /bin/touch /tmp/art-systemd-execstop-marker
execstartpre_action:
description: ExecStartPre action for Systemd service
type: string
default: /bin/touch /tmp/art-systemd-execstartpre-marker
execstartpost_action:
description: ExecStartPost action for Systemd service
type: string
default: /bin/touch /tmp/art-systemd-execstartpost-marker
executor:
command: |
echo "[Unit]" > #{systemd_service_path}/#{systemd_service_file}
echo "Description=Atomic Red Team Systemd Service" >> #{systemd_service_path}/#{systemd_service_file}
echo "" >> #{systemd_service_path}/#{systemd_service_file}
echo "[Service]" >> #{systemd_service_path}/#{systemd_service_file}
echo "Type=simple"
echo "ExecStart=#{execstart_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStartPre=#{execstartpre_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStartPost=#{execstartpost_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecReload=#{execreload_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStop=#{execstop_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStopPost=#{execstoppost_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "" >> #{systemd_service_path}/#{systemd_service_file}
echo "[Install]" >> #{systemd_service_path}/#{systemd_service_file}
echo "WantedBy=default.target" >> #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
systemctl enable #{systemd_service_file}
systemctl start #{systemd_service_file}
cleanup_command: |
systemctl stop #{systemd_service_file}
systemctl disable #{systemd_service_file}
rm -rf #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
name: bash
elevation_required: true
- name: Create SysV Service
auto_generated_guid: 760fe8d2-79d9-494f-905e-a239a3df86f6
description: |
This test creates a SysV service unit file and enables it as a service.
supported_platforms:
- linux
input_arguments:
rc_service_path:
description: Path to rc service file
type: path
default: /usr/local/etc/rc.d
rc_service_file:
description: File name of rc service file
type: string
default: art-test
executor:
command: |
echo '#\!/bin/sh' > #{rc_service_path}/#{rc_service_file}
echo ' ' >> #{rc_service_path}/#{rc_service_file}
echo '#' >> #{rc_service_path}/#{rc_service_file}
echo '# PROVIDE: art-test' >> #{rc_service_path}/#{rc_service_file}
echo '# REQUIRE: LOGIN' >> #{rc_service_path}/#{rc_service_file}
echo '# KEYWORD: shutdown' >> #{rc_service_path}/#{rc_service_file}
echo ' ' >> #{rc_service_path}/#{rc_service_file}
echo '. /etc/rc.subr' >> #{rc_service_path}/#{rc_service_file}
echo ' ' >> #{rc_service_path}/#{rc_service_file}
echo 'name="art_test"' >> #{rc_service_path}/#{rc_service_file}
echo 'rcvar=art_test_enable' >> #{rc_service_path}/#{rc_service_file}
echo 'load_rc_config ${name}' >> #{rc_service_path}/#{rc_service_file}
echo 'command="/usr/bin/touch"' >> #{rc_service_path}/#{rc_service_file}
echo 'start_cmd="art_test_start"' >> #{rc_service_path}/#{rc_service_file}
echo '' >> #{rc_service_path}/#{rc_service_file}
echo 'art_test_start()' >> #{rc_service_path}/#{rc_service_file}
echo '{' >> #{rc_service_path}/#{rc_service_file}
echo ' ${command} /tmp/art-test.marker' >> #{rc_service_path}/#{rc_service_file}
echo '}' >> #{rc_service_path}/#{rc_service_file}
echo ' ' >> #{rc_service_path}/#{rc_service_file}
echo 'run_rc_command "$1"' >> #{rc_service_path}/#{rc_service_file}
chmod +x #{rc_service_path}/#{rc_service_file}
service art-test enable
service art-test start
cleanup_command: |
sysrc -x art_test_enable
rm -f #{rc_service_path}/#{rc_service_file}
name: sh
elevation_required: true
- name: Create Systemd Service file, Enable the service , Modify and Reload the service.
auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
description: |
This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process.
supported_platforms:
- linux
dependencies:
- description: |
System must be Ubuntu ,Kali OR CentOS.
prereq_command: |
if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi;
get_prereq_command: |
echo Please run from Ubuntu ,Kali OR CentOS.
executor:
name: bash
elevation_required: true
command: |
echo "#!/bin/bash" > /etc/init.d/T1543.002
echo "### BEGIN INIT INFO" >> /etc/init.d/T1543.002
echo "# Provides : Atomic Test T1543.002" >> /etc/init.d/T1543.002
echo "# Required-Start: \$all" >> /etc/init.d/T1543.002
echo "# Required-Stop : " >> /etc/init.d/T1543.002
echo "# Default-Start: 2 3 4 5" >> /etc/init.d/T1543.002
echo "# Default-Stop: " >> /etc/init.d/T1543.002
echo "# Short Description: Atomic Test for Systemd Service Creation" >> /etc/init.d/T1543.002
echo "### END INIT INFO" >> /etc/init.d/T1543.002
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK')) \" " >> /etc/init.d/T1543.002
chmod +x /etc/init.d/T1543.002
if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi
systemctl enable T1543.002
systemctl start T1543.002
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002
systemctl daemon-reload
systemctl restart T1543.002
cleanup_command: |
systemctl stop T1543.002
systemctl disable T1543.002
rm -rf /etc/init.d/T1543.002
systemctl daemon-reload
Reference in New Issue View Git Blame Copy Permalink