
Idea: Add/modify atomic tests/template for a better way to identify not linux only tests

Open alonsobsd opened this issue 1 year ago • 2 comments

Use-cases

Hello, some time ago I sent a PR (https://github.com/redcanaryco/atomic-red-team/pull/2450) to add FreeBSD support because I wanted to use/include atomic tests in another tool running on FreeBSD. Some of my changes added freebsd to supported_platforms in each compatible test file, or I added new ones. Nowadays I see the freebsd entry was removed or merged into linux tests. Now it is hard to identify which tests can be used on FreeBSD, to easily extract only FreeBSD tests, to run only FreeBSD tests, and more. I understand atomic-red-team follows MITRE standards, and that is the main reason why freebsd was removed from supported_platforms.

Proposal

Change supported_platforms to mitre_supported_platforms and add a run_on entry, or something like that, to include freebsd or any other BSD/compatible system (openbsd, netbsd, dragonflybsd, etc.) in the template/tests.

These changes could be included as follows:

T1059.004

- name: Create and Execute Bash Shell Script
  auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873
  description: |
    Creates and executes a simple sh script.
  mitre_supported_platforms:
  - linux
  - macos
  run_on:
  - linux
  - macos
  - freebsd
  input_arguments:
    script_path:
      description: Script path
      type: path
      default: /tmp/art.sh
  executor:
    command: |
      sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
      sh -c "echo 'ping -c 4 8.8.8.8' >> #{script_path}"
      chmod +x #{script_path}
      sh #{script_path}
    cleanup_command: |
      rm #{script_path}
    name: sh
  
- name: Change login shell
  auto_generated_guid: c7ac59cb-13cc-4622-81dc-6d2fee9bfac7
  description: |
    An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/bash shell, changes the users shell to sh, then deletes the art user. 
  mitre_supported_platforms:
  - linux
  run_on:
  - freebsd
  - linux
  dependencies:
  - description: |
      chsh - change login shell, must be installed
    prereq_command: |
      if [ -f /usr/bin/chsh ]; then echo "exit 0"; else echo "exit 1"; exit 1; fi
    get_prereq_command: |
      echo "Automated installer not implemented yet, please install chsh manually"
  executor:
    name: bash
    elevation_required: true 
    command: |
      [ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
      cat /etc/passwd |grep ^art
      chsh -s /bin/sh art
      cat /etc/passwd |grep ^art
    cleanup_command: | 
      [ "$(uname)" = 'FreeBSD' ] && rmuser -y art || userdel art

T1078.003

- name: Create local account (Linux and FreeBSD)
  auto_generated_guid: 02a91c34-8a5b-4bed-87af-501103eb5357
  description: |
    An adversary may wish to create an account with admin privileges to work with. In this test we create a "art" user with the password art, switch to art, execute whoami, exit and delete the art user.
  mitre_supported_platforms:
  - linux
  run_on:
  - freebsd
  - linux
  executor:
    name: bash
    elevation_required: true
    command: |
      password=$(openssl passwd -1 art)
      ([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password $password art) || (pw useradd art -g wheel -s /bin/sh && (echo $password | pw mod user art -h 0))
      su art -c "whoami; exit"
    cleanup_command: |
      [ "$(uname)" = 'Linux' ] && userdel art -rf || rmuser -y art

References

https://github.com/redcanaryco/atomic-red-team/pull/2450
https://github.com/redcanaryco/atomic-red-team/pull/2585
https://github.com/redcanaryco/atomic-red-team/pull/2603
https://github.com/redcanaryco/atomic-red-team/pull/2604

alonsobsd avatar Jan 25 '24 23:01 alonsobsd

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Feb 25 '24 01:02 github-actions[bot]

I did some changes to my atomic-red-team fork adding run_as entries to atomic tests. Also I did some other modifications. Take a look at https://github.com/alonsobsd/atomic-red-team/commit/7eafa47b8119f31a243f7326707c595bc80a6aba

alonsobsd avatar Mar 01 '24 04:03 alonsobsd

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Apr 01 '24 01:04 github-actions[bot]

This issue was closed because it has been stalled for 5 days with no activity.

github-actions[bot] avatar Apr 12 '24 01:04 github-actions[bot]