redcanaryco / atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK.
MIT License

Fix T1613.yaml #2886

Closed AlbertoPellitteri closed 1 month ago

AlbertoPellitteri commented 1 month ago

Details: This PR should fix some issues for test T1613-1 and T1613-2:

Testing: Tested on Ubuntu 20.04

patel-bhavin commented 1 month ago

Hello @AlbertoPellitteri - Can you perhaps share a screenshot of execution and cleanup? Thank you :)

AlbertoPellitteri commented 1 month ago

Hey @patel-bhavin! Sure thing! Here are some screenshots for the first test (Docker). It should be the same for the second test as well (Podman).

Before the fix

I first want to show you what the test looks like right now. As you can see, the docker build command fails because of the wrong LABEL syntax in the Dockerfile.

[Screenshot 2024-08-02 at 10:11:51]

Here are the results of the execution right after the fix on the Dockerfile's label and running the test again. In this case, the test was executed successfully. However, even though the cleanup stops the container, it remains there, without being deleted. Moreover, the docker image is not deleted as expected, as printed out by the error message: Error response from daemon: No such image: t1613_container:latest.

[Screenshot 2024-08-02 at 10:14:37]

[Screenshot 2024-08-02 at 10:15:25]

After the fixes

Applying all the fixes together (Dockerfile label, adding --rm to docker run, and fixing the docker rmi command), you can see how the whole test is successfully executed: the container is running as expected, and then it gets stopped and deleted together with its related image when the Cleanup command is launched.

[Screenshot 2024-08-02 at 10:22:14]

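As an added example (not code from this PR or from the atomic-red-team project), a small Python check that flags the three defect classes this thread fixes in a docker-based atomic test: a Dockerfile LABEL not written in the documented key=value form, a docker run without --rm (so cleanup's docker stop leaves the container behind), and a docker rmi naming an image that no docker build -t tagged. The test and cleanup snippets are constructed stand-ins that only reproduce the shape of the defects, not the real T1613.yaml.

```python
"""Lint a docker-based atomic test for the three cleanup defects discussed in this thread."""
import re
import shlex

# Constructed stand-ins for the test before and after the fix (assumption: the
# real T1613.yaml differs; these only reproduce the shape of the three defects).
BROKEN_TEST = """\
printf 'FROM alpine\\nLABEL maintainer=redcanary version\\n' > Dockerfile
docker build -t t1613 .
docker run -d --name t1613_container t1613
"""
BROKEN_CLEANUP = "docker stop t1613_container\ndocker rmi t1613_container:latest\n"
FIXED_TEST = """\
printf 'FROM alpine\\nLABEL maintainer=redcanary version=1\\n' > Dockerfile
docker build -t t1613_container .
docker run --rm -d --name t1613_container t1613_container
"""
FIXED_CLEANUP = "docker stop t1613_container\ndocker rmi t1613_container:latest\n"


def _normalize(ref: str) -> str:
    """Give an image reference an explicit tag, matching how the daemon reports it."""
    return ref if ":" in ref.rsplit("/", 1)[-1] else f"{ref}:latest"


def lint_docker_test(commands: str, cleanup: str) -> list[str]:
    """Return one finding per defect; an empty list means the test cleans up after itself."""
    findings, built = [], set()
    for line in commands.splitlines():
        # LABEL instructions written into the Dockerfile must use the documented key=value form
        for label in re.findall(r"LABEL\s+([^\\'\"]+)", line):
            bad = [tok for tok in label.split() if "=" not in tok]
            if bad:
                findings.append(f"LABEL token(s) not key=value: {bad}")
        argv = shlex.split(line)
        if argv[:2] == ["docker", "build"] and "-t" in argv:
            built.add(_normalize(argv[argv.index("-t") + 1]))
        if argv[:2] == ["docker", "run"] and "--rm" not in argv:
            findings.append("docker run without --rm: 'docker stop' in cleanup leaves the container behind")
    for line in cleanup.splitlines():
        argv = shlex.split(line)
        if argv[:2] == ["docker", "rmi"]:
            for ref in argv[2:]:
                if _normalize(ref) not in built:
                    findings.append(f"docker rmi {ref}: no 'docker build -t' tagged this image")
    return findings


if __name__ == "__main__":
    for name, test, clean in (("before", BROKEN_TEST, BROKEN_CLEANUP), ("after", FIXED_TEST, FIXED_CLEANUP)):
        print(name, lint_docker_test(test, clean) or ["clean"])
```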
patel-bhavin commented 1 month ago

@AlbertoPellitteri : amazing! thank you for the detailed explanation with the screenshots!