atomics/run_atomics.sh · Purple Team Lab

33 lines · bash

set -u
 
log() { echo "[$(date +%H:%M:%S)] $*"; }
 
log "T1053.003 - scheduled task / cron persistence"
echo '* * * * * root /usr/bin/id' | sudo tee /etc/cron.d/atomic-persist >/dev/null
 
log "T1543.002 - systemd service persistence"
printf '[Unit]\nDescription=atomic test\n[Service]\nExecStart=/usr/bin/id\n[Install]\nWantedBy=multi-user.target\n' \
  | sudo tee /etc/systemd/system/atomic-evil.service >/dev/null
 
log "T1098.004 - SSH authorized_keys persistence"
mkdir -p "$HOME/.ssh"
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAtomicRedTeamTestKeyDoNotUse attacker@evil' >> "$HOME/.ssh/authorized_keys"
 
log "T1543 - tooling drop into /usr/local/bin"
printf '#!/bin/bash\nid\n' | sudo tee /usr/local/bin/definitely-not-malware >/dev/null
sudo chmod +x /usr/local/bin/definitely-not-malware
 
log "T1110 - SSH brute force (18 invalid users)"
for i in $(seq 1 18); do
  ssh -o BatchMode=yes -o ConnectTimeout=2 -o StrictHostKeyChecking=no \
      -o PreferredAuthentications=password -o PubkeyAuthentication=no \
      "evil_user_${i}@127.0.0.1" true 2>/dev/null
done
 
log "done - check the Wazuh dashboard for rule.id 100410-100413 and 5712"
 
if [[ "${1:-}" == "--cleanup" ]]; then
  log "cleanup"
  sudo rm -f /etc/cron.d/atomic-persist /etc/systemd/system/atomic-evil.service /usr/local/bin/definitely-not-malware
  sed -i '/AtomicRedTeamTestKey/d' "$HOME/.ssh/authorized_keys" 2>/dev/null
fi

1	set -u
2
3	log() { echo "[$(date +%H:%M:%S)] $*"; }
4
5	log "T1053.003 - scheduled task / cron persistence"
6	echo '* * * * * root /usr/bin/id' \| sudo tee /etc/cron.d/atomic-persist >/dev/null
7
8	log "T1543.002 - systemd service persistence"
9	printf '[Unit]\nDescription=atomic test\n[Service]\nExecStart=/usr/bin/id\n[Install]\nWantedBy=multi-user.target\n' \
10	\| sudo tee /etc/systemd/system/atomic-evil.service >/dev/null
11
12	log "T1098.004 - SSH authorized_keys persistence"
13	mkdir -p "$HOME/.ssh"
14	echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAtomicRedTeamTestKeyDoNotUse attacker@evil' >> "$HOME/.ssh/authorized_keys"
15
16	log "T1543 - tooling drop into /usr/local/bin"
17	printf '#!/bin/bash\nid\n' \| sudo tee /usr/local/bin/definitely-not-malware >/dev/null
18	sudo chmod +x /usr/local/bin/definitely-not-malware
19
20	log "T1110 - SSH brute force (18 invalid users)"
21	for i in $(seq 1 18); do
22	ssh -o BatchMode=yes -o ConnectTimeout=2 -o StrictHostKeyChecking=no \
23	-o PreferredAuthentications=password -o PubkeyAuthentication=no \
24	"evil_user_${i}@127.0.0.1" true 2>/dev/null
25	done
26
27	log "done - check the Wazuh dashboard for rule.id 100410-100413 and 5712"
28
29	if [[ "${1:-}" == "--cleanup" ]]; then
30	log "cleanup"
31	sudo rm -f /etc/cron.d/atomic-persist /etc/systemd/system/atomic-evil.service /usr/local/bin/definitely-not-malware
32	sed -i '/AtomicRedTeamTestKey/d' "$HOME/.ssh/authorized_keys" 2>/dev/null
33	fi