2023-01-09 19:44:00 +00:00

---
attack_technique: T1610
display_name: "Deploy a container"
atomic_tests:
- name: Deploy Docker container
  auto_generated_guid: 59aa6f26-7620-417e-9318-589e0fb7a372
  description: |
    Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime. They can do this using the docker create and docker start commands. The Kinsing and Doki malware were deployed using this technique.
  supported_platforms:
  - containers
  dependency_executor_name: sh
  dependencies:
  - description: Verify docker is installed.
    prereq_command: |
      which docker
    get_prereq_command: |
      # POSIX sh (the declared dependency executor) compares strings with a single =, not ==
      if [ "" = "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
  - description: Verify docker service is running.
    prereq_command: |
      sudo systemctl status docker --no-pager
    get_prereq_command: |
      sudo systemctl start docker
  executor:
    command: |
      docker build -t t1610 $PathtoAtomicsFolder/T1610/src/
      docker run --name t1610_container --rm -itd t1610 bash /tmp/script.sh
    name: bash
    cleanup_command: |
      docker stop t1610_container
      docker rmi -f t1610:latest
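
The detection side of this test, as an added example that is not part of the Atomic Red Team file: it reads the JSON lines that `docker events --format '{{json .}}'` emits and flags container start events whose image did not come from an approved registry, which is exactly what a locally built image such as `t1610` looks like. The sample events and the registry name `registry.example.internal` are constructed assumptions.

```python
import json

# Constructed sample of `docker events --format '{{json .}}'` output, modelled on what
# running the test above produces (image t1610, container t1610_container) next to a
# legitimate deployment from the organisation's own registry (assumed name).
SAMPLE_EVENTS = """\
{"status":"pull","id":"nginx:1.25","from":"nginx:1.25","Type":"image","Action":"pull","Actor":{"ID":"nginx:1.25","Attributes":{"name":"nginx"}},"scope":"local","time":1673293300}
{"status":"create","id":"0a1b","from":"t1610","Type":"container","Action":"create","Actor":{"ID":"0a1b","Attributes":{"image":"t1610","name":"t1610_container"}},"scope":"local","time":1673293440}
{"status":"start","id":"0a1b","from":"t1610","Type":"container","Action":"start","Actor":{"ID":"0a1b","Attributes":{"image":"t1610","name":"t1610_container"}},"scope":"local","time":1673293441}
{"status":"create","id":"9f8e","from":"registry.example.internal/web:2.1","Type":"container","Action":"create","Actor":{"ID":"9f8e","Attributes":{"image":"registry.example.internal/web:2.1","name":"web"}},"scope":"local","time":1673293500}
{"status":"start","id":"9f8e","from":"registry.example.internal/web:2.1","Type":"container","Action":"start","Actor":{"ID":"9f8e","Attributes":{"image":"registry.example.internal/web:2.1","name":"web"}},"scope":"local","time":1673293501}
"""

# Assumption: images are only allowed from this registry prefix. An image with no
# registry component (a local `docker build -t t1610 ...`) or one pulled straight
# from Docker Hub will not match and is reported.
TRUSTED_REGISTRIES = ("registry.example.internal/",)


def is_trusted(image: str) -> bool:
    """True when the image reference starts with an approved registry prefix."""
    return image.startswith(TRUSTED_REGISTRIES)


def flag_untrusted_starts(events_text: str) -> list:
    """Return one alert per container 'start' event whose image is not from a trusted registry."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Only container starts matter here; image pulls and creates are noise for T1610.
        if ev.get("Type") != "container" or ev.get("Action") != "start":
            continue
        attrs = ev.get("Actor", {}).get("Attributes", {})
        image = attrs.get("image", "")
        if not is_trusted(image):
            alerts.append({
                "technique": "T1610",
                "container": attrs.get("name"),
                "image": image,
                "time": ev.get("time"),
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_untrusted_starts(SAMPLE_EVENTS):
        print(alert)
```

In a live deployment the same function can be fed from a subprocess reading `docker events` line by line; the `cleanup_command` above (stop and `rmi -f`) also leaves `destroy` and `delete` events that a fuller rule would correlate with the start.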