Skip to content

Latest commit

 

History

History
286 lines (275 loc) · 17.5 KB

linux-index.md

File metadata and controls

286 lines (275 loc) · 17.5 KB

Linux Atomic Tests by ATT&CK Tactic & Technique

persistence

  • T1156 .bash_profile and .bashrc
    • Atomic Test #1: Add command to .bash_profile [macos, linux]
    • Atomic Test #2: Add command to .bashrc [macos, linux]
  • T1067 Bootkit CONTRIBUTE A TEST
  • T1176 Browser Extensions
    • Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
    • Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
    • Atomic Test #3: Firefox [linux, windows, macos]
  • T1136 Create Account
    • Atomic Test #1: Create a user account on a Linux system [linux]
    • Atomic Test #5: Create a new user in Linux with root UID and GID. [linux]
  • T1158 Hidden Files and Directories
    • Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
    • Atomic Test #3: Hidden file [macos, linux]
    • Atomic Test #9: Create Visible Directories [macos, linux]
    • Atomic Test #10: Create hidden directories and files [macos, linux]
  • T1215 Kernel Modules and Extensions CONTRIBUTE A TEST
  • T1168 Local Job Scheduling
    • Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
    • Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
    • Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
  • T1205 Port Knocking CONTRIBUTE A TEST
  • T1108 Redundant Access CONTRIBUTE A TEST
  • T1166 Setuid and Setgid
    • Atomic Test #1: Setuid and Setgid [macos, centos, ubuntu, linux]
    • Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]
    • Atomic Test #3: Set a SetGID flag on file [macos, centos, ubuntu, linux]
  • T1154 Trap
    • Atomic Test #1: Trap [macos, centos, ubuntu, linux]
  • T1078 Valid Accounts CONTRIBUTE A TEST
  • T1100 Web Shell

discovery

lateral-movement

  • T1017 Application Deployment Software CONTRIBUTE A TEST
  • T1210 Exploitation of Remote Services CONTRIBUTE A TEST
  • T1105 Remote File Copy
    • Atomic Test #1: rsync remote file copy (push) [linux, macos]
    • Atomic Test #2: rsync remote file copy (pull) [linux, macos]
    • Atomic Test #3: scp remote file copy (push) [linux, macos]
    • Atomic Test #4: scp remote file copy (pull) [linux, macos]
    • Atomic Test #5: sftp remote file copy (push) [linux, macos]
    • Atomic Test #6: sftp remote file copy (pull) [linux, macos]
  • T1021 Remote Services CONTRIBUTE A TEST
  • T1184 SSH Hijacking CONTRIBUTE A TEST
  • T1072 Third-party Software CONTRIBUTE A TEST

collection

exfiltration

  • T1020 Automated Exfiltration CONTRIBUTE A TEST
  • T1002 Data Compressed
    • Atomic Test #3: Data Compressed - nix - zip [linux, macos]
    • Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
    • Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
  • T1022 Data Encrypted
    • Atomic Test #1: Data Encrypted with zip and gpg [macos, centos, ubuntu, linux]
  • T1030 Data Transfer Size Limits
    • Atomic Test #1: Data Transfer Size Limits [macos, centos, ubuntu, linux]
  • T1048 Exfiltration Over Alternative Protocol
    • Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, centos, ubuntu, linux]
    • Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, centos, ubuntu, linux]
    • Atomic Test #3: Exfiltration Over Alternative Protocol - HTTP [macos, centos, ubuntu, linux]
  • T1041 Exfiltration Over Command and Control Channel CONTRIBUTE A TEST
  • T1011 Exfiltration Over Other Network Medium CONTRIBUTE A TEST
  • T1052 Exfiltration Over Physical Medium CONTRIBUTE A TEST
  • T1029 Scheduled Transfer CONTRIBUTE A TEST

credential-access

defense-evasion

  • T1009 Binary Padding
    • Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
  • T1146 Clear Command History
    • Atomic Test #1: Clear Bash history (rm) [linux, macos]
    • Atomic Test #2: Clear Bash history (echo) [linux, macos]
    • Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
    • Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
    • Atomic Test #5: Clear Bash history (truncate) [linux]
    • Atomic Test #6: Clear history of a bunch of shells [linux, macos]
  • T1089 Disabling Security Tools
    • Atomic Test #1: Disable iptables firewall [linux]
    • Atomic Test #2: Disable syslog [linux]
    • Atomic Test #3: Disable Cb Response [linux]
    • Atomic Test #4: Disable SELinux [linux]
  • T1211 Exploitation for Defense Evasion CONTRIBUTE A TEST
  • T1107 File Deletion
    • Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
    • Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
    • Atomic Test #3: Overwrite and delete a file with shred [linux]
    • Atomic Test #12: Delete Filesystem - Linux [linux, centos, ubuntu]
  • T1222 File Permissions Modification
    • Atomic Test #8: chmod - Change file or folder mode (numeric mode) [macos, linux]
    • Atomic Test #9: chmod - Change file or folder mode (symbolic mode) [macos, linux]
    • Atomic Test #10: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
    • Atomic Test #11: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
    • Atomic Test #12: chown - Change file or folder ownership and group [macos, linux]
    • Atomic Test #13: chown - Change file or folder ownership and group recursively [macos, linux]
    • Atomic Test #14: chown - Change file or folder mode ownership only [macos, linux]
    • Atomic Test #15: chown - Change file or folder ownership recursively [macos, linux]
    • Atomic Test #16: chattr - Remove immutable file attribute [macos, linux]
  • T1148 HISTCONTROL
    • Atomic Test #1: Disable history collection [linux, macos]
    • Atomic Test #2: Mac HISTCONTROL [macos, linux]
  • T1158 Hidden Files and Directories
    • Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
    • Atomic Test #3: Hidden file [macos, linux]
    • Atomic Test #9: Create Visible Directories [macos, linux]
    • Atomic Test #10: Create hidden directories and files [macos, linux]
  • T1066 Indicator Removal from Tools CONTRIBUTE A TEST
  • T1070 Indicator Removal on Host
    • Atomic Test #3: rm -rf [macos, linux]
    • Atomic Test #4: Overwrite Linux Mail Spool [linux]
    • Atomic Test #5: Overwrite Linux Log [linux]
  • T1130 Install Root Certificate
    • Atomic Test #1: Install root CA on CentOS/RHEL [linux]
  • T1036 Masquerading
    • Atomic Test #2: Masquerading as Linux crond process. [linux]
  • T1027 Obfuscated Files or Information
    • Atomic Test #1: Decode base64 Data into Script [macos, linux]
  • T1205 Port Knocking CONTRIBUTE A TEST
  • T1055 Process Injection
    • Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
  • T1108 Redundant Access CONTRIBUTE A TEST
  • T1014 Rootkit
    • Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
    • Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
  • T1064 Scripting
    • Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
  • T1151 Space after Filename
  • T1099 Timestomp
    • Atomic Test #1: Set a file's access timestamp [linux, macos]
    • Atomic Test #2: Set a file's modification timestamp [linux, macos]
    • Atomic Test #3: Set a file's creation timestamp [linux, macos]
    • Atomic Test #4: Modify file timestamps using reference file [linux, macos]
  • T1078 Valid Accounts CONTRIBUTE A TEST
  • T1102 Web Service CONTRIBUTE A TEST

execution

command-and-control

initial-access

privilege-escalation

  • T1068 Exploitation for Privilege Escalation CONTRIBUTE A TEST
  • T1055 Process Injection
    • Atomic Test #3: Shared Library Injection via /etc/ld.so.preload [linux]
  • T1166 Setuid and Setgid
    • Atomic Test #1: Setuid and Setgid [macos, centos, ubuntu, linux]
    • Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]
    • Atomic Test #3: Set a SetGID flag on file [macos, centos, ubuntu, linux]
  • T1169 Sudo
    • Atomic Test #1: Sudo usage [macos, linux]
  • T1206 Sudo Caching
    • Atomic Test #1: Unlimited sudo cache timeout [macos, linux]
    • Atomic Test #2: Disable tty_tickets for sudo caching [macos, linux]
  • T1078 Valid Accounts CONTRIBUTE A TEST
  • T1100 Web Shell