redcanaryco / atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK.
MIT License

Problem: T1574.006 /etc/ld.so.preload not deleted and sudo messed up #2944

Open iosonogio opened 1 month ago

iosonogio commented 1 month ago

What did you do?

Invoke-AtomicTest T1574.006 -TestNumber 1
Invoke-AtomicTest T1574.006 -TestNumber 1 -Cleanup

What did you expect to happen?

The file /etc/ld.so.preload should be deleted.

What happened instead?

The file /etc/ld.so.preload is not deleted, and I get this message from sudo: "sudo: account validation failure, is your account locked?" The fact that sudo fails has a nasty side effect: the user cannot log on anymore, nor use "sudo" anymore. It seems that sudo is messed up by the library being preloaded (my educated guess).

The problem disappears after I delete /etc/ld.so.preload.

The problem does not come up if the commands are rewritten without "sudo" in the yaml.

There are also a couple of other issues with the commands:

  1. The test command is overwriting any potentially existing /etc/ld.so.preload (we may fairly assume it didn't exist, but then why are we using sed to clean up instead of a simple rm?)
  2. In the cleanup command the regex delimiters are confusing; better use a different delimiter: sudo sed -i 's|#{path_to_shared_library}||' /etc/ld.so.preload

The current executor block of the test:

    executor:
      command: |
        sudo sh -c 'echo #{path_to_shared_library} > /etc/ld.so.preload'
      cleanup_command: |
        sudo sed -i 's##{path_to_shared_library}##' /etc/ld.so.preload
      name: bash
      elevation_required: true

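As an added example (not code from the atomic-red-team repository or from the reporter), the cleanup logic the issue asks for, written so it can be exercised on any file rather than only /etc/ld.so.preload: it removes exactly the line naming the test library, deletes the file once nothing else is left in it, and does not touch a file that never existed. The file path and library path are parameters; the sample entries in the demo are constructed values. Matching is done with grep -F -x on the literal line, which sidesteps the sed delimiter and escaping problem raised in point 2 entirely.

```shell
#!/bin/sh
# Example cleanup for an ld.so.preload-style file (added illustration, not the
# project's own cleanup_command). Usage: remove_preload_entry FILE LIBPATH
# In a real cleanup FILE would be /etc/ld.so.preload and the call would be
# run with sudo; here FILE is a parameter so the logic can run on a temp file.
remove_preload_entry() {
    file="$1"
    lib="$2"
    # Nothing to do if the test never created the file (or it was removed
    # by hand, as the reporter did): do not fail the cleanup.
    [ -f "$file" ] || return 0
    tmp="${file}.cleanup.$$"
    # -F: literal match (no regex metacharacters, no delimiter clash);
    # -x: whole line must equal the library path; -v: keep every other line.
    # grep exits 1 when no lines remain, which is expected when the test
    # library was the only entry, so that status is ignored.
    grep -v -x -F "$lib" "$file" > "$tmp" || true
    mv "$tmp" "$file"
    # If nothing else is preloaded, remove the file so the dynamic loader
    # stops consulting it; a leftover empty file is confusing at best.
    if [ ! -s "$file" ]; then
        rm -f "$file"
    fi
}

# Count the non-blank entries remaining in FILE (0 if FILE is absent); handy
# for verifying that a cleanup left the system in the expected state.
preload_entry_count() {
    if [ -f "$1" ]; then
        grep -c -v '^[[:space:]]*$' "$1" || true
    else
        echo 0
    fi
}

# Stand-alone demo on a temp file with two constructed entries.
demo_file=$(mktemp)
printf '%s\n' /tmp/libatomic-example.so /usr/lib/libother-example.so > "$demo_file"
remove_preload_entry "$demo_file" /tmp/libatomic-example.so
echo "entries after removing the test library: $(preload_entry_count "$demo_file")"
remove_preload_entry "$demo_file" /usr/lib/libother-example.so
if [ -e "$demo_file" ]; then echo "file still present"; else echo "file removed"; fi
```

The same two functions double as a post-test check: a non-zero entry count, or the file still being present after cleanup, is exactly the condition the reporter hit, and it can be asserted on before the next test runs.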

github-actions[bot] commented 1 week ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.