From 446f88ae9a7c24eae0e7751f78b15b04581d1046 Mon Sep 17 00:00:00 2001 
From: Ryan Edward Kozak Date: Wed, 21 Aug 2024 14:03:39 -0700 Subject: [PATCH] Added Linux Smart Enumeration to Linux Privesc TTPs Summary: This TTP helps identify privilege escalation paths using Linux Smart Enumeration, a tool that automates the discovery of local privilege escalation vulnerabilities on Linux-based operating systems. ## Arguments - **escalate_privileges**: A boolean flag indicating whether to run the TTP as root or not. Default is false. - **download_link**: The URL to download the latest version of `lse.sh` from GitHub. Default is [https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh](https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh) ## Pre-requisites 1. A Linux-based operating system. 2. Bash shell. ## Examples You can run the TTP using the following example (after updating the arguments): ```bash ttpforge run forgearmory//privilege-escalation/linux/identify-privilege-escalation-paths-with-lse/identify-privilege-escalation-paths-with-lse.yaml \ --arg escalate_privileges=true ``` ## Steps 1. **ensure-root-user-if-required**: This step checks if the TTP needs to be run as root and ensures that it is being executed as the root user. 2. **download-and-run-lse**: This step downloads the latest version of `lse.sh` from GitHub and executes it with bash. 
## Manual Reproduction Steps ``` # Escalate privileges to root (optional - being root gives you more info) sudo su # Download and run lse curl -sL https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh | bash ``` ## MITRE ATT&CK Mapping - **Tactics**: - TA0003 Execution - TA0007 Discovery - **Techniques**: - T1059 Command and Scripting Interpreter - T1087 Account Discovery - T1083 File and Directory Discovery - T1057 Process Discovery - T1069 Permission Groups Discovery - T1518 Software Discovery - T1082 System Information Discovery - T1033 System Owner/User Discovery - T1007 System Service Discovery - **Subtechniques**: - T1059.004 Command and Scripting Interpreter Unix Shell Differential Revision: D61623273
---
.../README.md | 64 +++++++++++++++++++
...y-privilege-escalation-paths-with-lse.yaml | 57 +++++++++++++++++
2 files changed, 121 insertions(+)
create mode 100644 ttps/privilege-escalation/linux/identify-privilege-escalation-paths-with-lse/README.md
create mode 100644 ttps/privilege-escalation/linux/identify-privilege-escalation-paths-with-lse/identify-privilege-escalation-paths-with-lse.yaml
diff --git a/ttps/privilege-escalation/linux/identify-privilege-escalation-paths-with-lse/README.md b/ttps/privilege-escalation/linux/identify-privilege-escalation-paths-with-lse/README.md
new file mode 100644
index 0000000..8a774a3
--- /dev/null
+++ b/ttps/privilege-escalation/linux/identify-privilege-escalation-paths-with-lse/README.md
@@ -0,0 +1,64 @@
+# Identify Privilege Escalation Paths with Linux Smart Enumeration
+
+![Meta TTP](https://img.shields.io/badge/Meta_TTP-blue)
+
+This TTP helps identify privilege escalation paths using Linux Smart
+Enumeration, a tool that automates the discovery of local privilege escalation
+vulnerabilities on Linux-based operating systems.
+
+## Arguments
+
+- **escalate_privileges**: A boolean flag indicating whether to run the TTP as
+ root or not. Default is false.
+- **download_link**: The URL to download the latest version of `lse.sh` from
+ GitHub. Default is
+ [https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh](https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh)
+
+## Pre-requisites
+
+1. A Linux-based operating system.
+2. Bash shell.
+
+## Examples
+
+You can run the TTP using the following example (after updating the arguments):
+
+```bash
+ttpforge run forgearmory//privilege-escalation/linux/identify-privilege-escalation-paths-with-lse/identify-privilege-escalation-paths-with-lse.yaml \
+ --arg escalate_privileges=true
+```
+
+## Steps
+
+1. **ensure-root-user-if-required**: This step checks if the TTP needs to be run
+ as root and ensures that it is being executed as the root user.
+2. **download-and-run-lse**: This step downloads the latest version of `lse.sh`
+ from GitHub and executes it with bash.
+
+## Manual Reproduction Steps
+
+```
+# Escalate privileges to root (optional - being root gives you more info)
+sudo su
+
+# Download and run lse
+curl -sL https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh | bash
+```
+
+## MITRE ATT&CK Mapping
+
+- **Tactics**:
+ - TA0003 Execution
+ - TA0007 Discovery
+- **Techniques**:
+ - T1059 Command and Scripting Interpreter
+ - T1087 Account Discovery
+ - T1083 File and Directory Discovery
+ - T1057 Process Discovery
+ - T1069 Permission Groups Discovery
+ - T1518 Software Discovery
+ - T1082 System Information Discovery
+ - T1033 System Owner/User Discovery
+ - T1007 System Service Discovery
+- **Subtechniques**:
+ - T1059.004 Command and Scripting Interpreter Unix Shell
diff --git a/ttps/privilege-escalation/linux/identify-privilege-escalation-paths-with-lse/identify-privilege-escalation-paths-with-lse.yaml b/ttps/privilege-escalation/linux/identify-privilege-escalation-paths-with-lse/identify-privilege-escalation-paths-with-lse.yaml
new file mode 100644
index 0000000..5a36815
--- /dev/null
+++ b/ttps/privilege-escalation/linux/identify-privilege-escalation-paths-with-lse/identify-privilege-escalation-paths-with-lse.yaml
@@ -0,0 +1,57 @@
+---
+api_version: 2.0
+uuid: 11b1b974-d720-4ab0-80c5-e539c103d0fd
+name: identify-privilege-escalation-paths-with-lse
+description: Downloads latest Linux Smart Enumeration from Github and executes it with bash
+requirements:
+ platforms:
+ - os: linux
+args:
+ - name: escalate_privileges
+ default: false
+ - name: download_link
+ default: https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh
+mitre:
+ tactics:
+ - TA0003 Execution
+ - TA0007 Discovery
+ techniques:
+ - T1059 Command and Scripting Interpreter
+ - T1087 Account Discovery
+ - T1083 File and Directory Discovery
+ - T1057 Process Discovery
+ - T1069 Permission Groups Discovery
+ - T1518 Software Discovery
+ - T1082 System Information Discovery
+ - T1033 System Owner/User Discovery
+ - T1007 System Service Discovery
+ subtechniques:
+ - T1059.004 Command and Scripting Interpreter Unix Shell
+steps:
+ - name: setup
+ inline: |
+ if ! command -v curl &> /dev/null; then
+ echo "Error: curl is not installed on the current system, cannot download lse."
+ exit 1
+ fi
+ - name: ensure-root-user-if-required
+ inline: |
+ echo "{{ .Args.escalate_privileges }}"
+ if [[ {{ .Args.escalate_privileges }} -ne 0 ]]; then
+ if [[ "${EUID}" -ne 0 ]]; then
+ echo "error: TTP must be run as root."
+ exit 1
+ fi
+ else
+ echo "No need to run as root."
+ fi
+ - name: download-and-run-lse
+ inline: |
+ curl -sL https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh | bash
+ execution_status=$?
+ if [[ "${execution_status}" == 0 ]]; then
+ echo "TTP Ran Successfully"
+ exit 0
+ else
+ exit 1
+ fi
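Review bot: The root gate in `ensure-root-user-if-required` never fires: `if [[ {{ .Args.escalate_privileges }} -ne 0 ]]` compares the rendered word arithmetically, and inside `[[ ]]` bash evaluates an unset name such as `true` or `false` to 0, so both values fail `-ne 0` and the EUID check is skipped even when the caller passes `escalate_privileges=true` (this assumes the template renders the boolean as the literal `true`/`false`, as `default: false` suggests; confirm against the runner). A string comparison is what is meant: `if [[ "{{ .Args.escalate_privileges }}" == "true" ]]; then`. The `download-and-run-lse` step also ignores the declared `download_link` argument and hard-codes the URL, contradicting the README, so it should read `curl -fsSL "{{ .Args.download_link }}" | bash`, with `-f` so that an HTTP error body is not fed to bash. Finally, `execution_status=$?` only captures bash's exit status, so a failed download still prints `TTP Ran Successfully`; add `set -o pipefail` as the first line of that step (or inspect `${PIPESTATUS[0]}`) so curl failures are reported. Pinning `download_link` to a tagged release rather than `latest` would also make the executed script reproducible across runs.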