atomic-red-team/atomics/T1547.006/T1547.006.yaml
2024-04-06 20:28:33 -06:00

attack_technique: T1547.006
display_name: 'Boot or Logon Autostart Execution: Kernel Modules and Extensions'
atomic_tests:
- name: Linux - Load Kernel Module via insmod
  auto_generated_guid: 687dcb93-9656-4853-9c36-9977315e9d23
  description: |
    This test uses the insmod command to load a kernel module for Linux.
  supported_platforms:
  - linux
  input_arguments:
    module_name:
      description: Name of the kernel module.
      type: string
      default: T1547006
    module_path:
      description: Path where the compiled kernel module (.ko) is stored.
      type: path
      default: /tmp/T1547.006/T1547006.ko
    temp_folder:
      description: Temp folder used to compile the code.
      type: path
      default: /tmp/T1547.006
    module_source_path:
      description: Path to the kernel module source files.
      type: path
      default: PathToAtomicsFolder/T1547.006/src
  dependency_executor_name: bash
  dependencies:
  - description: |
      The kernel module must exist on disk at the specified location
    prereq_command: |
      if [ -f #{module_path} ]; then exit 0; else exit 1; fi;
    get_prereq_command: |
      if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
      cp #{module_source_path}/* #{temp_folder}/
      cd #{temp_folder}; make
      if [ ! -f #{module_path} ]; then mv #{temp_folder}/#{module_name}.ko #{module_path}; fi;
  executor:
    command: |
      sudo insmod #{module_path}
    cleanup_command: |
      sudo rmmod #{module_name}
      [ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}
    name: bash
    elevation_required: true
- name: MacOS - Load Kernel Module via kextload and kmutil
  auto_generated_guid: f4391089-d3a5-4dd1-ab22-0419527f2672
  description: |
    This test uses the kextload and kmutil commands to load and unload a MacOS kernel module.
  supported_platforms:
  - macos
  input_arguments:
    module_path:
      description: Path to the kext bundle to load.
      type: path
      default: /Library/Extensions/SoftRAID.kext
  dependency_executor_name: bash
  dependencies:
  - description: |
      The kernel module must exist on disk at the specified location
    prereq_command: |
      if [ -d #{module_path} ] ; then exit 0; else exit 1 ; fi
    get_prereq_command: |
      exit 1
  executor:
    command: |
      set -x
      sudo kextload #{module_path}
      kextstat 2>/dev/null | grep SoftRAID
      sudo kextunload #{module_path}
      sudo kmutil load -p #{module_path}
      kextstat 2>/dev/null | grep SoftRAID
      sudo kmutil unload -p #{module_path}
    name: bash
    elevation_required: true
- name: MacOS - Load Kernel Module via KextManagerLoadKextWithURL()
  auto_generated_guid: f0007753-beb3-41ea-9948-760785e4c1e5
  description: |
    This test uses the IOKit API to load a kernel module for macOS.
    Hardcoded to use the SoftRAID kext.
  supported_platforms:
  - macos
  input_arguments:
    src_path:
      description: Path to the loader source file (macos_kextload.c).
      type: path
      default: PathToAtomicsFolder/T1547.006/src/macos_kextload.c
    exe_path:
      description: Path where the compiled loader binary is written.
      type: path
      default: /tmp/T1547006_iokit_loader
  dependency_executor_name: bash
  dependencies:
  - description: |
      The compiled loader must exist on disk at the specified location
    prereq_command: |
      if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi
    get_prereq_command: |
      cc -o #{exe_path} #{src_path} -framework IOKit -framework Foundation
  executor:
    command: |
      sudo #{exe_path}
      kextstat 2>/dev/null | grep SoftRAID
      sudo kextunload /Library/Extensions/SoftRAID.kext
    name: bash
    elevation_required: true
    cleanup_command: |
      rm -f #{exe_path}
- name: Snake Malware Kernel Driver Comadmin
  auto_generated_guid: e5cb5564-cc7b-4050-86e8-f2d9eec1941f
  description: |
    The following Atomic Test will write a file, comadmin.dat, to disk. From the report, Snake's installer drops the kernel driver and a custom DLL which is used to load the driver into a
    single AES encrypted file on disk. Typically, this file is named "comadmin.dat" and is stored in the %windows%\system32\Com directory.
    This Atomic Test will write a hardcoded named file to disk in the Com directory named comadmin.dat.
    [Snake Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)
  supported_platforms:
  - windows
  executor:
    command: |
      $examplePath = Join-Path $env:windir "system32\Com"
      if (-not (Test-Path $examplePath)) { New-Item -ItemType Directory -Path $examplePath | Out-Null }
      $exampleName = "comadmin.dat"
      $exampleFullPath = Join-Path $examplePath $exampleName
      $randomBytes = New-Object Byte[] 0x1000
      (New-Object Random).NextBytes($randomBytes)
      [System.IO.File]::WriteAllBytes($exampleFullPath, $randomBytes)
    cleanup_command: |
      $examplePath = Join-Path $env:windir "system32\Com"
      $exampleName = "comadmin.dat"
      $exampleFullPath = Join-Path $examplePath $exampleName
      if (Test-Path $exampleFullPath) { Remove-Item $exampleFullPath -Force }
    name: powershell
    elevation_required: true