MITRE ATT&CK Integration for LinPEAS and WinPEAS (#614)

* feat: MITRE ATT&CK integration for LinPEAS and WinPEAS

- Add -T T1234,T5678 flag to LinPEAS to filter checks by technique
- Add mitre=T1234,T5678 argument to WinPEAS for technique-based filtering
- Annotate every check title with MITRE technique ID(s) displayed in grey
- Add $_mitre_tag to Generated Global Variables in 0_variables_base.sh
- Add check_mitre_filter() shell function with prefix-match support
- Add MitreAttackIds property to ISystemCheck interface (C#)
- Update MainPrint/GreatPrint in Beaprint.cs to accept optional mitreIds
- Tag all 158 LinPEAS check modules with # Mitre: metadata
- Tag all 16 WinPEAS check classes with MitreAttackIds property
- Update linpeasModule.py to parse # Mitre: metadata field
- Update linpeasBaseBuilder.py to emit check_mitre_filter wrappers
- Add 3 MITRE argument parsing tests to ArgumentParsingTests.cs

* test: add MITRE filter coverage for LinPEAS builder and WinPEAS

LinPEAS (test_builder.py):
- test_mitre_flag_present_in_getopts: -T: must appear in getopts string
- test_mitre_flag_present_in_help_text: -T must appear in built help text
- test_mitre_filter_function_present: check_mitre_filter() must be in built script

WinPEAS (ArgumentParsingTests.cs):
- PassesMitreFilter_EmptyFilter_AllChecksPass: no filter -> all checks run
- PassesMitreFilter_ExactMatch_Passes: T1082 filter matches T1082 check
- PassesMitreFilter_NoMatch_Fails: T1082 filter rejects T1057 check
- PassesMitreFilter_PrefixMatch_Passes: T1552 filter matches T1552.001/T1552.005
- PassesMitreFilter_SubtechniqueDoesNotMatchDifferentBase_Fails: T1548 != T1552.001

* chore: ignore .github/instructions/ and untrack todos.instructions.md

* fix: complete and accurate MITRE ATT&CK mappings for LinPEAS and WinPEAS

gitignore:
- Add .github/instructions/ to .gitignore and untrack todos.instructions.md

LinPEAS — corrected mappings:
- 29_Interesting_environment_variables.sh: add missing T1552.007,T1082
- 3_USBCreator.sh: T1548 → T1548.003,T1068 (polkit bypass + CVE-class exploit)
- 9_Doas.sh: T1548 → T1548.003 (doas is a sudo/sudo-caching equivalent)
- 10_Pkexec.sh: T1548 → T1548.003,T1548.004,T1068 per-section specificity
- 2_Process_cred_in_memory.sh: T1003,T1055 → T1003.007 (Proc Filesystem, drop wrong T1055)
- 11_Superusers.sh: T1087.001,T1548 → T1087.001 (discovery only, no elevation abuse)
- 14/15/16 writable files: T1574 → T1574.009,T1574.010 (specific sub-techniques)

WinPEAS — corrected mappings:
- SystemInfo: class expanded to full technique union; WSUS T1195→T1072,T1068;
  KrbRelayUp T1558→T1187,T1558; Object Manager T1548→T1068;
  Named Pipes T1559.001→T1559; Low-priv pipes T1559.001→T1134.001,T1559
- EventsInfo: class expanded with T1078.003,T1552.001,T1059.001,T1082
- UserInfo: class expanded; Token privileges T1134→T1134.001
- ProcessInfo: Leaked Handlers T1134.003→T1134.001 (token impersonation, not make-token)
- ServicesInfo: class adds T1574.011,T1068
- ApplicationsInfo: class adds T1010,T1014
- NetworkInfo: class adds T1018,T1090
- ActiveDirectoryInfo: T1484→T1484.001; class adds T1003
- WindowsCreds: class sub-techniques T1552→T1552.001,T1552.002, T1555→T1555.003,T1555.004;
  SSClient T1059→T1552.001 (wrong technique entirely)
- FilesInfo: class expanded with T1552.002,T1552.004,T1552.006,T1564.001,T1574.001,
  T1059.004,T1114.001,T1218,T1649; Cloud Credentials T1552.005→T1552.001
- SoapClientInfo: T1059,T1071→T1559,T1071.001 (IPC/Web protocol, not scripting)

* fix: add missing T1613 and T1562.001 to SystemInfo class-level MitreAttackIds; label AD object enumeration with T1087.002 and T1018

* fix: correct linpeas mitre filter matching logic

* fix: MITRE code bugs — pass-through for untagged checks, remove dead OR in section gate

- PassesMitreFilter (Checks.cs): when MitreAttackIds is null or empty and a filter
  is active, return true (pass-through) instead of false. Previously any future
  ISystemCheck added without MITRE IDs would be silently excluded by an active filter.
- linpeasBaseBuilder.py: remove redundant '|| [ -z "$MITRE_FILTER" ]' from the
  generated section-level gate. check_mitre_filter already returns 0 immediately
  when MITRE_FILTER is empty, so the OR branch was unreachable and inconsistent with
  the check-level gate which uses the same function without the extra guard.
- ArgumentParsingTests.cs: add PassesMitreFilter_NullMitreAttackIds_PassesThrough
  and PassesMitreFilter_EmptyMitreAttackIds_PassesThrough regression tests.

* fix(mitre): 4 bugs — dead arg parser, wait logic, subprocess forks, cleanup race

Checks.cs: max-regex-file-size used string.Equals which requires exact match,
so 'max-regex-file-size=500000' could never match and MaxRegexFileSize was stuck
at 1000000 forever. Fixed to arg.StartsWith.

Checks.cs RunChecks: wait compared loop index i against
_systemCheckSelectedKeysHashSet.Count, which is 0 when all checks run (so
i < -1 is always false) and semantically wrong when a key subset is selected.
Replaced with a pre-count of checks that pass both filters and a running counter.

0_variables_base.sh check_mitre_filter: replaced two $(echo ... | tr ...)
subprocess forks per call with pure parameter-expansion while-loops. Zero
process forks, POSIX-compliant, ~632 fork()s saved per full filtered run.
Declares _mitre_tags_left and _mitre_filters_left in Generated Global Variables.

linpeas_builder.py: os.remove of the shared temp file raised FileNotFoundError
when multiple sequential builder invocations ran (the second saw the file
already deleted by the first). Wrapped in try/except FileNotFoundError.

Tests: Added PassesMitreFilter_SubtechniqueFilter_DoesNotMatchParentOnlyTag
and MaxRegexFileSize_ArgParsed_Correctly regression tests (16 total).

* ci: add manual build-artifacts workflow (winPEAS.exe + linpeas.sh)

* fix(linpeas): getopts silent mode — clear error when -T given without argument

Switch getopts to silent mode (leading ':') so the shell does not emit its
own terse 'No arg for -T option' message. Add explicit :) case that prints
  ERROR: -T requires an argument (e.g. -T T1082,T1552)
and then dumps the help text before exiting 1. Add *) case for unrecognised
flags with the same pattern. Behaviour for all valid flags is unchanged.

* chore: untrack build-artifacts workflow, add to .gitignore

Giveen
2026-03-07 17:26:40 -07:00
committed by GitHub
parent 658fa66b18
commit 115b7e60a7
186 changed files with 1263 additions and 559 deletions
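The filter semantics the commit series spells out (T1552 matches T1552.001, T1548 does not match T1552.001, a sub-technique filter does not match a parent-only tag, untagged checks pass through, no subprocess forks) as an added POSIX shell example; this is not linpeas' own check_mitre_filter. It assumes the check's comma-separated tag list is passed as the first argument and the active filter is read from $MITRE_FILTER.

```shell
#!/bin/sh
# Added example, not linpeas' own code: a POSIX check_mitre_filter with the
# semantics described in the commit series (prefix match on sub-techniques,
# no reverse match, pass-through for untagged checks, zero subprocess forks).
# Assumed interface: $1 is the check's comma-separated tag list, the active
# filter comes from $MITRE_FILTER (also comma-separated).

# _mitre_id_matches TAG FILTER
# 0 if TAG is exactly FILTER or a sub-technique of it (FILTER.xxx).
# A parent-only tag never satisfies a sub-technique filter, and the "."
# boundary stops a filter of "T1082" from matching a tag of "T10820".
_mitre_id_matches() {
  case "$1" in
    "$2"|"$2".*) return 0 ;;
  esac
  return 1
}

# check_mitre_filter "T1548.003,T1068"  ->  0 run the check, 1 skip it
check_mitre_filter() {
  _mitre_tags_left="$1"
  # No filter active: every check runs, so callers need no extra guard.
  [ -z "$MITRE_FILTER" ] && return 0
  # Untagged check under an active filter: pass-through (mirrors the
  # PassesMitreFilter fix on the WinPEAS side; an assumption for LinPEAS).
  [ -z "$_mitre_tags_left" ] && return 0
  while [ -n "$_mitre_tags_left" ]; do
    # Split off the next tag with parameter expansion only (no tr/echo forks).
    case "$_mitre_tags_left" in
      *,*) _mitre_tag="${_mitre_tags_left%%,*}"
           _mitre_tags_left="${_mitre_tags_left#*,}" ;;
      *)   _mitre_tag="$_mitre_tags_left"
           _mitre_tags_left="" ;;
    esac
    [ -z "$_mitre_tag" ] && continue
    _mitre_filters_left="$MITRE_FILTER"
    while [ -n "$_mitre_filters_left" ]; do
      case "$_mitre_filters_left" in
        *,*) _mitre_filter="${_mitre_filters_left%%,*}"
             _mitre_filters_left="${_mitre_filters_left#*,}" ;;
        *)   _mitre_filter="$_mitre_filters_left"
             _mitre_filters_left="" ;;
      esac
      [ -z "$_mitre_filter" ] && continue
      if _mitre_id_matches "$_mitre_tag" "$_mitre_filter"; then
        return 0
      fi
    done
  done
  return 1
}

# mitre_filter_verdict TAGS -> prints "run" or "skip"; handy for dry runs.
mitre_filter_verdict() {
  if check_mitre_filter "$1"; then echo run; else echo skip; fi
}
```

Setting MITRE_FILTER="T1552" and calling mitre_filter_verdict with each module's tag list shows which sections a `-T T1552` run would keep.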

.gitignore
View File

@@ -33,4 +33,6 @@ winPEAS/winPEASexe/Directory.Build.targets
.dccache
./*/.dccache
regexes.yaml
.github/instructions/
.github/workflows/build-artifacts.yml
build_lists/regexes.yaml
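Review bot: ignoring `.github/workflows/build-artifacts.yml` contradicts the "ci: add manual build-artifacts workflow" entry in the commit message: an ignored file under `.github/workflows/` is never committed, so the workflow exists only in the author's checkout and nobody else can trigger it. Either commit the workflow and drop this `.gitignore` line, or drop the ci entry from the message so the history matches what ships; the same question applies to `.github/instructions/`.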

View File

@@ -20,7 +20,10 @@ def main(all_modules, all_no_fat_modules, no_network_scanning, small, include_mo
lbuilder = LinpeasBuilder(ploaded)
lbuilder.build()
lbuilder.write_linpeas(output)
os.remove(TEMPORARY_LINPEAS_BASE_PATH) # Remove the built linpeas_base_temp.sh file
try:
os.remove(TEMPORARY_LINPEAS_BASE_PATH) # Remove the built linpeas_base_temp.sh file
except FileNotFoundError:
pass # Already removed (e.g. by a concurrent builder invocation in tests)
st = os.stat(output)
os.chmod(output, st.st_mode | stat.S_IEXEC)
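Review bot: the `try/except FileNotFoundError` around `os.remove(TEMPORARY_LINPEAS_BASE_PATH)` treats the symptom rather than the cause. The path is one shared temp file, so if two builder invocations really do overlap (the new comment says "concurrent", the commit message says "sequential"; the two should agree), the second can also read or overwrite the first one's partially written base file, which this change does not prevent. A per-invocation temporary file (e.g. `tempfile.mkstemp` in the builder) removes both problems; if the shared path is kept, `contextlib.suppress(FileNotFoundError)` keeps the intent to one line.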

View File

@@ -5,6 +5,7 @@
# Description: Regexes
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.001,T1528
# Functions Used: print_2title, search_for_regex
# Global Variables: $REGEXES, $TIMEOUT
# Initial Functions:

View File

@@ -25,6 +25,7 @@
# - Configuration abuse
# License: GNU GPL
# Version: 1.0
# Mitre: T1082,T1552.007
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables: $NoEnvVars, $EnvVarsRed
# Initial Functions:
@@ -33,7 +34,7 @@
# Small linpeas: 1
print_2title "Environment"
print_2title "Environment" "T1082,T1552.007"
print_info "Any private information inside environment variables?"
(env || printenv || set) 2>/dev/null | grep -Eiv "$NoEnvVars" | sed -${E} "s,$EnvVarsRed,${SED_RED},g" || echo_not_found "env || set"
echo ""
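Review bot: the technique list now lives in two places per module, the `# Mitre:` header and the string literal passed to `print_2title`, with nothing keeping them in sync. The commit message already introduces `$_mitre_tag` as a generated global, so the builder could emit the title argument from the header, or a builder test could assert that the union of per-title IDs equals the header set, instead of relying on hand-maintained copies. This applies to every module in the diff; flagged here once.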

View File

@@ -21,6 +21,7 @@
# - Kernel module replacement
# License: GNU GPL
# Version: 1.0
# Mitre: T1082
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables: $DEBUG
# Initial Functions:
@@ -30,7 +31,7 @@
if [ "$(command -v dmesg 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
print_2title "Searching Signature verification failed in dmesg"
print_2title "Searching Signature verification failed in dmesg" "T1082"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#dmesg-signature-verification-failed"
(dmesg 2>/dev/null | grep "signature") || echo_not_found "dmesg"
echo ""

View File

@@ -26,6 +26,7 @@
# - System modification
# License: GNU GPL
# Version: 1.0
# Mitre: T1082
# Functions Used:macosNotSigned, print_2title
# Global Variables: $MACPEAS
# Initial Functions:
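Review bot: style point on the context line `# Functions Used:macosNotSigned, print_2title`: the missing space after the colon is inconsistent with every other module header in this diff, and since the commit adds `# Mitre:` parsing to linpeasModule.py it is worth confirming the header parser tolerates it; fixing the spacing while this header block is being touched is cheap.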
@@ -35,18 +36,18 @@
if [ "$MACPEAS" ]; then
print_2title "Kernel Extensions not belonging to apple"
print_2title "Kernel Extensions not belonging to apple" "T1082"
kextstat 2>/dev/null | grep -Ev " com.apple."
echo ""
print_2title "Unsigned Kernel Extensions"
print_2title "Unsigned Kernel Extensions" "T1082"
macosNotSigned /Library/Extensions
macosNotSigned /System/Library/Extensions
echo ""
fi
if [ "$MACPEAS" ] && [ "$(command -v brew 2>/dev/null || echo -n '')" ]; then
print_2title "Brew Doctor Suggestions"
print_2title "Brew Doctor Suggestions" "T1082"
brew doctor
echo ""
fi

View File

@@ -27,6 +27,7 @@
# - Protection circumvention
# License: GNU GPL
# Version: 1.0
# Mitre: T1518.001
# Functions Used: echo_not_found, print_2title, print_list, warn_exec
# Global Variables:
# Initial Functions:
@@ -58,7 +59,7 @@ print_sysctl_eq_zero() {
}
#-- SY) AppArmor
print_2title "Protections"
print_2title "Protections" "T1518.001"
print_list "AppArmor enabled? .............. "$NC
if [ "$(command -v aa-status 2>/dev/null || echo -n '')" ]; then
aa-status 2>&1 | sed "s,disabled,${SED_RED},"

View File

@@ -14,6 +14,7 @@
# * Common vulnerable modules: nf_tables, eBPF, overlayfs, etc.
# License: GNU GPL
# Version: 1.0
# Mitre: T1547.006
# Functions Used: print_2title, print_3title
# Global Variables:
# Initial Functions:
@@ -22,11 +23,10 @@
# Small linpeas: 1
echo ""
print_2title "Kernel Modules Information"
print_2title "Kernel Modules Information" "T1547.006"
# List loaded kernel modules
if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
print_3title "Loaded kernel modules"
print_3title "Loaded kernel modules" "T1547.006"
if [ -f "/proc/modules" ]; then
if command -v lsmod >/dev/null 2>&1; then
lsmod
@@ -39,7 +39,7 @@ if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
fi
# Check for kernel modules with weak permissions
print_3title "Kernel modules with weak perms?"
print_3title "Kernel modules with weak perms?" "T1547.006"
if [ -d "/lib/modules" ]; then
find /lib/modules -type f -name "*.ko" -ls 2>/dev/null | grep -Ev "root\s+root" | sed -${E} "s,.*,${SED_RED},g"
if [ $? -eq 1 ]; then
@@ -51,7 +51,7 @@ fi
echo ""
# Check for kernel modules that can be loaded by unprivileged users
print_3title "Kernel modules loadable? "
print_3title "Kernel modules loadable? " "T1547.006"
if [ -f "/proc/sys/kernel/modules_disabled" ]; then
if [ "$(cat /proc/sys/kernel/modules_disabled)" = "0" ]; then
echo "Modules can be loaded" | sed -${E} "s,.*,${SED_RED},g"
@@ -63,7 +63,7 @@ else
fi
# Check for module signature enforcement
print_3title "Module signature enforcement? "
print_3title "Module signature enforcement? " "T1547.006"
if [ -f "/proc/sys/kernel/module_sig_enforce" ]; then
if [ "$(cat /proc/sys/kernel/module_sig_enforce)" = "1" ]; then
echo "Enforced" | sed -${E} "s,.*,${SED_GREEN},g"

View File

@@ -6,6 +6,7 @@
# Description: The module executes on all Unix-like systems and auto-detects OS applicability.
# License: GNU GPL
# Version: 1.0
# Mitre: T1068
# Functions Used: kercve_run_registry, print_2title
# Global Variables:
# Initial Functions:
@@ -13,6 +14,6 @@
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Kernel Exploit Registry"
print_2title "Kernel Exploit Registry" "T1068"
kercve_run_registry
echo ""

View File

@@ -25,6 +25,7 @@
# - Kernel exploitation
# License: GNU GPL
# Version: 1.0
# Mitre: T1082
# Functions Used: print_2title, print_info, warn_exec
# Global Variables: $MACPEAS, $kernelDCW_Ubuntu_Precise_1, $kernelB, $kernelDCW_Ubuntu_Precise_2, $kernelDCW_Ubuntu_Precise_3, $kernelDCW_Ubuntu_Precise_4, $kernelDCW_Ubuntu_Precise_5, $kernelDCW_Ubuntu_Precise_6, $kernelDCW_Rhel5_1, $kernelDCW_Rhel5_2, $kernelDCW_Rhel5_3, $kernelDCW_Rhel6_1, $kernelDCW_Rhel6_2, $kernelDCW_Rhel6_3, $kernelDCW_Rhel6_4, $kernelDCW_Rhel7, $kernelDCW_Ubuntu_Trusty_1, $kernelDCW_Ubuntu_Trusty_2, $kernelDCW_Ubuntu_Trusty_3, $kernelDCW_Ubuntu_Trusty_4, $kernelDCW_Ubuntu_Xenial
# Initial Functions:
@@ -32,7 +33,7 @@
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Operative system"
print_2title "Operative system" "T1082"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits"
(cat /proc/version || uname -a ) 2>/dev/null | sed -${E} "s,$kernelDCW_Ubuntu_Precise_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_5,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Precise_6,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Trusty_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Ubuntu_Xenial,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel5_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_1,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_2,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_3,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel6_4,${SED_RED_YELLOW}," | sed -${E} "s,$kernelDCW_Rhel7,${SED_RED_YELLOW}," | sed -${E} "s,$kernelB,${SED_RED},"
warn_exec lsb_release -a 2>/dev/null
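Review bot: the touched title line still reads "Operative system"; since it is being rewritten to add the T1082 tag anyway, change it to "Operating system" in the same edit.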

View File

@@ -19,6 +19,7 @@
# - Command injection
# License: GNU GPL
# Version: 1.0
# Mitre: T1548.003,T1068
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables: $sudovB
# Initial Functions:
@@ -27,7 +28,7 @@
# Small linpeas: 1
print_2title "Sudo version"
print_2title "Sudo version" "T1548.003,T1068"
if [ "$(command -v sudo 2>/dev/null || echo -n '')" ]; then
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version"
sudo -V 2>/dev/null | grep "Sudo ver" | sed -${E} "s,$sudovB,${SED_RED},"

View File

@@ -19,6 +19,7 @@
# - USB device creation abuse
# License: GNU GPL
# Version: 1.0
# Mitre: T1548.003,T1068
# Functions Used: print_2title, print_info
# Global Variables: $DEBUG
# Initial Functions:
@@ -28,7 +29,7 @@
if (busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator) || [ "$DEBUG" ]; then
print_2title "USBCreator"
print_2title "USBCreator" "T1548.003,T1068"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html"
pc_version=$(dpkg -l 2>/dev/null | grep policykit-desktop-privileges | grep -oP "[0-9][0-9a-zA-Z\.]+")

View File

@@ -22,6 +22,7 @@
# - Sudo PATH abuse
# License: GNU GPL
# Version: 1.0
# Mitre: T1574.007
# Functions Used: print_2title, print_info
# Global Variables: $DEBUG, $IAMROOT, $OLDPATH, $PATH, $Wfolders
# Initial Functions:
@@ -30,7 +31,7 @@
# Small linpeas: 1
print_2title "PATH"
print_2title "PATH" "T1574.007"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses"
if ! [ "$IAMROOT" ]; then
echo "$OLDPATH" 2>/dev/null | sed -${E} "s,$Wfolders|\./|\.:|:\.,${SED_RED_YELLOW},g"

View File

@@ -25,6 +25,7 @@
# - Cron job abuse
# License: GNU GPL
# Version: 1.0
# Mitre: T1082
# Functions Used: print_2title, warn_exec
# Global Variables:
# Initial Functions:
@@ -33,7 +34,7 @@
# Small linpeas: 0
print_2title "Date & uptime"
print_2title "Date & uptime" "T1082"
warn_exec date 2>/dev/null
warn_exec uptime 2>/dev/null
echo ""

View File

@@ -25,6 +25,7 @@
# - CPU timing exploitation
# License: GNU GPL
# Version: 1.0
# Mitre: T1082
# Functions Used: print_2title, warn_exec
# Global Variables: $DEBUG, $EXTRA_CHECKS
# Initial Functions:
@@ -34,7 +35,7 @@
if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
print_2title "CPU info"
print_2title "CPU info" "T1082"
warn_exec lscpu 2>/dev/null
echo ""
fi

View File

@@ -25,6 +25,7 @@
# - Shared mount abuse
# License: GNU GPL
# Version: 1.0
# Mitre: T1082,T1120
# Functions Used: print_2title, print_info
# Global Variables: $DEBUG, $mountG, $mountpermsB, $mountpermsG, $notmounted, $Wfolders, $mounted
# Initial Functions:
@@ -34,7 +35,7 @@
if [ -f "/etc/fstab" ] || [ "$DEBUG" ]; then
print_2title "Unmounted file-system?"
print_2title "Unmounted file-system?" "T1082,T1120"
print_info "Check if you can mount umounted devices"
grep -v "^#" /etc/fstab 2>/dev/null | grep -Ev "\W+\#|^#" | sed -${E} "s,$mountG,${SED_GREEN},g" | sed -${E} "s,$notmounted,${SED_RED},g" | sed -${E} "s%$mounted%${SED_BLUE}%g" | sed -${E} "s,$Wfolders,${SED_RED}," | sed -${E} "s,$mountpermsB,${SED_RED},g" | sed -${E} "s,$mountpermsG,${SED_GREEN},g"
echo ""

View File

@@ -25,6 +25,7 @@
# - Shared disk access
# License: GNU GPL
# Version: 1.0
# Mitre: T1082
# Functions Used: print_2title, warn_exec
# Global Variables: $DEBUG
# Initial Functions:
@@ -34,14 +35,14 @@
if [ -d "/dev" ] || [ "$DEBUG" ] ; then
print_2title "Any sd*/disk* disk in /dev? (limit 20)"
print_2title "Any sd*/disk* disk in /dev? (limit 20)" "T1082"
ls /dev 2>/dev/null | grep -Ei "^sd|^disk" | sed "s,crypt,${SED_RED}," | head -n 20
echo ""
fi
if [ "$(command -v smbutil 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
print_2title "Mounted SMB Shares"
print_2title "Mounted SMB Shares" "T1082"
warn_exec smbutil statshares -a
echo ""
fi

View File

@@ -26,6 +26,7 @@
# - Resource-based attacks
# License: GNU GPL
# Version: 1.0
# Mitre: T1082
# Functions Used: print_2title, warn_exec
# Global Variables: $DEBUG, $EXTRA_CHECKS
# Initial Functions:
@@ -35,18 +36,18 @@
if ([ "$(command -v diskutil 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]) && [ "$EXTRA_CHECKS" ]; then
print_2title "Mounted disks information"
print_2title "Mounted disks information" "T1082"
warn_exec diskutil list
echo ""
fi
if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
print_2title "System stats"
print_2title "System stats" "T1082"
(df -h || lsblk) 2>/dev/null || echo_not_found "df and lsblk"
warn_exec free 2>/dev/null
echo ""
print_2title "Inode usage"
print_2title "Inode usage" "T1082"
warn_exec df -i 2>/dev/null
echo ""
fi

View File

@@ -22,6 +22,7 @@
# - Container escape tool usage
# License: GNU GPL
# Version: 1.0
# Mitre: T1613
# Functions Used: print_2title
# Global Variables:
# Initial Functions:
@@ -29,8 +30,7 @@
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Container related tools present (if any):"
print_2title "Container related tools present (if any):" "T1613"
# Container runtimes
command -v docker
command -v lxc

View File

@@ -5,6 +5,7 @@
# Description: List tokens mounted in the system if any
# License: GNU GPL
# Version: 1.0
# Mitre: T1528,T1552.007
# Functions Used: print_2title, print_info
# Global Variables:
# Initial Functions:
@@ -14,7 +15,7 @@
if [ "$(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p')" ]; then
print_2title "Listing mounted tokens"
print_2title "Listing mounted tokens" "T1528,T1552.007"
print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html"
ALREADY_TOKENS="IinItialVaaluE"
for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do

View File

@@ -25,6 +25,7 @@
# - Network escape techniques
# License: GNU GPL
# Version: 1.0
# Mitre: T1613,T1611
# Functions Used: containerCheck, echo_no, print_2title, print_list, warn_exec
# Global Variables: $containerType
# Initial Functions: containerCheck
@@ -32,8 +33,7 @@
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Container details"
print_2title "Container details" "T1613,T1611"
print_list "Is this a container? ...........$NC $containerType"
if [ -e "/proc/vz" ] && ! [ -e "/proc/bc" ]; then

View File

@@ -5,6 +5,7 @@
# Description: Get docker Container details from the inside
# License: GNU GPL
# Version: 1.0
# Mitre: T1613
# Functions Used: checkDockerRootless, checkDockerVersionExploits, containerCheck, enumerateDockerSockets, inDockerGroup, print_2title, print_list
# Global Variables: $containerType, $DOCKER_GROUP, $DOCKER_ROOTLESS, $dockerVersion, $inContainer, $VULN_CVE_2019_5736, $VULN_CVE_2019_13139, $VULN_CVE_2021_41091
# Initial Functions: containerCheck
@@ -15,7 +16,7 @@
#If docker
if echo "$containerType" | grep -qi "docker"; then
print_2title "Docker Container details"
print_2title "Docker Container details" "T1613"
inDockerGroup
print_list "Am I inside Docker group .......$NC $DOCKER_GROUP\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "Looking and enumerating Docker Sockets (if any):\n"$NC
@@ -31,7 +32,7 @@ if echo "$containerType" | grep -qi "docker"; then
echo ""
fi
if df -h | grep docker; then
print_2title "Docker Overlays"
print_2title "Docker Overlays" "T1613"
df -h | grep docker
fi
fi

View File

@@ -37,6 +37,7 @@
# - Container escape tool execution
# License: GNU GPL
# Version: 1.0
# Mitre: T1611
# Functions Used: checkContainerExploits, checkProcSysBreakouts, containerCheck, enumerateDockerSockets, print_2title, print_3title, print_info, print_list, warn_exec
# Global Variables: $binfmt_misc_breakout, $containercapsB, $containerType, $core_pattern_breakout, $dev_mounted, $efi_efivars_writable, $efi_vars_writable, $GREP_IGNORE_MOUNTS, $inContainer, $kallsyms_readable, $kcore_readable, $kmem_readable, $kmem_writable, $kmsg_readable, $mem_readable, $mem_writable, $modprobe_present, $mountinfo_readable, $panic_on_oom_dos, $panic_sys_fs_dos, $proc_configgz_readable, $proc_mounted, $run_unshare, $release_agent_breakout1, $release_agent_breakout2, $release_agent_breakout3, $sched_debug_readable, $security_present, $security_writable, $sysreq_trigger_dos, $uevent_helper_breakout, $vmcoreinfo_readable, $VULN_CVE_2019_5021, $self_mem_readable
# Initial Functions: containerCheck
@@ -46,7 +47,7 @@
if [ "$inContainer" ]; then
echo ""
print_2title "Container & breakout enumeration"
print_2title "Container & breakout enumeration" "T1611"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html"
# Basic container info
@@ -56,7 +57,7 @@ if [ "$inContainer" ]; then
fi
# Security mechanisms
print_3title "Security Mechanisms"
print_3title "Security Mechanisms" "T1611"
seccomp_mode_num="$(awk '/^Seccomp:/{print $2}' /proc/self/status 2>/dev/null)"
seccomp_mode_desc="unknown"
case "$seccomp_mode_num" in
@@ -87,8 +88,7 @@ if [ "$inContainer" ]; then
fi
# Known vulnerabilities
print_3title "Known Vulnerabilities"
print_3title "Known Vulnerabilities" "T1611"
checkContainerExploits
print_list "Vulnerable to CVE-2019-5021 .... $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
@@ -97,8 +97,7 @@ if [ "$inContainer" ]; then
(command -v nsenter || command -v unshare || command -v chroot || command -v capsh || command -v setcap || command -v getcap || command -v docker || command -v kubectl || command -v ctr || command -v runc || command -v containerd || command -v crio || command -v podman || command -v lxc || command -v rkt || command -v nerdctl || echo "No") | sed -${E} "s,nsenter|unshare|chroot|capsh|setcap|getcap|docker|kubectl|ctr|runc|containerd|crio|podman|lxc|rkt|nerdctl,${SED_RED},g"
# Runtime vulnerabilities
print_3title "Runtime Vulnerabilities"
print_3title "Runtime Vulnerabilities" "T1611"
# Check for known runtime vulnerabilities
if [ "$(command -v runc || echo -n '')" ]; then
print_list "Runc version ................. "$NC
@@ -131,7 +130,7 @@ if [ "$inContainer" ]; then
fi
# Mount escape vectors
print_3title "Breakout via mounts"
print_3title "Breakout via mounts" "T1611"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html"
checkProcSysBreakouts
@@ -164,7 +163,7 @@ if [ "$inContainer" ]; then
mount | grep -E "shared|slave" | sed -${E} "s,docker.sock|host|privileged,${SED_RED},g"
# Capability checks
print_3title "Capability Checks"
print_3title "Capability Checks" "T1611"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/capabilities-abuse-escape.html"
print_list "Dangerous capabilities ......... "$NC
@@ -188,7 +187,7 @@ if [ "$inContainer" ]; then
fi
# Namespace checks
print_3title "Namespace Checks"
print_3title "Namespace Checks" "T1611"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/namespaces/index.html"
print_list "Current namespaces ............. "$NC
@@ -228,8 +227,7 @@ if [ "$inContainer" ]; then
enumerateDockerSockets
# Additional breakout vectors
print_3title "Additional Breakout Vectors"
print_3title "Additional Breakout Vectors" "T1611"
print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED},"
print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,Yes,${SED_RED},"
@@ -239,7 +237,7 @@ if [ "$inContainer" ]; then
print_list "Container escape tools in PATH . "$NC
(which nsenter 2>/dev/null || which unshare 2>/dev/null || which chroot 2>/dev/null || which capsh 2>/dev/null || which setcap 2>/dev/null || which getcap 2>/dev/null || echo "No") | sed -${E} "s,nsenter|unshare|chroot|capsh|setcap|getcap,${SED_RED},g"
print_3title "Extra Breakout Vectors"
print_3title "Extra Breakout Vectors" "T1611"
print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" | sed -${E} "s,Yes,${SED_RED},"
print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" | sed -${E} "s,Yes,${SED_RED},"
@@ -279,7 +277,7 @@ if [ "$inContainer" ]; then
# Kubernetes specific checks
if echo "$containerType" | grep -qi "kubernetes"; then
print_3title "Kubernetes Specific Checks"
print_3title "Kubernetes Specific Checks" "T1611"
print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.html"
print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n"
@@ -315,7 +313,7 @@ if [ "$inContainer" ]; then
fi
# Interesting files and mounts
print_3title "Interesting Files & Mounts"
print_3title "Interesting Files & Mounts" "T1611"
print_list "Interesting files mounted ........ "$NC
(mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS" | sed -${E} "s,.sock,${SED_RED}," | sed -${E} "s,docker.sock,${SED_RED_YELLOW}," | sed -${E} "s,/dev/,${SED_RED},g"
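Review bot: every `print_3title` in this module is tagged only T1611, including discovery-style sub-sections such as "Namespace Checks", "Capability Checks" and "Kubernetes Specific Checks", while the other container modules in this diff tag enumeration as T1613 ("Container related tools present", "Container details" with "T1613,T1611"). A user running with `-T T1613` would therefore lose those sub-sections; consider tagging the discovery sub-sections with "T1613,T1611" and keeping T1611 alone for the breakout-vector ones.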

View File

@@ -8,6 +8,7 @@
# (classic container-to-host breakout via writable bind mount).
# License: GNU GPL
# Version: 1.0
# Mitre: T1611
# Functions Used: containerCheck, print_2title, print_list, print_info
# Global Variables: $inContainer
# Initial Functions: containerCheck
@@ -19,7 +20,7 @@ containerCheck
if [ "$inContainer" ]; then
echo ""
print_2title "Container - Writable bind mounts w/o nosuid (SUID persistence risk)"
print_2title "Container - Writable bind mounts w/o nosuid (SUID persistence risk)" "T1611"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#writable-bind-mounts"
if [ -r /proc/self/mountinfo ]; then

View File

@@ -5,6 +5,7 @@
# Description: Azure Automation Account Service Enumeration
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.005,T1580
# Functions Used: check_az_automation_acc, exec_with_jq, print_2title, print_3title
# Global Variables: $is_az_automation_acc,
# Initial Functions: check_az_automation_acc
@@ -16,8 +17,7 @@
API_VERSION="2019-08-01" #https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp
if [ "$is_az_automation_acc" = "Yes" ]; then
print_2title "Azure Automation Account Service Enumeration"
print_2title "Azure Automation Account Service Enumeration" "T1552.005,T1580"
HEADER="X-IDENTITY-HEADER:$IDENTITY_HEADER"
az_req=""
@@ -30,16 +30,16 @@ if [ "$is_az_automation_acc" = "Yes" ]; then
fi
if [ "$az_req" ]; then
print_3title "Management token"
print_3title "Management token" "T1552.005,T1580"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/"
echo
print_3title "Graph token"
print_3title "Graph token" "T1552.005,T1580"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
echo
print_3title "Vault token"
print_3title "Vault token" "T1552.005,T1580"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/"
echo
print_3title "Storage token"
print_3title "Storage token" "T1552.005,T1580"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/"
fi
echo ""

View File

@@ -5,6 +5,7 @@
# Description: DO Droplet Enumeration
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.005,T1580
# Functions Used: check_do, print_2title
# Global Variables: $is_do
# Initial Functions: check_do
@@ -14,8 +15,7 @@
if [ "$is_do" = "Yes" ]; then
print_2title "DO Droplet Enumeration"
print_2title "DO Droplet Enumeration" "T1552.005,T1580"
do_req=""
if [ "$(command -v curl || echo -n '')" ]; then
do_req='curl -s -f -L '

View File

@@ -5,6 +5,7 @@
# Description: Ali Cloud Platform Enumeration
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.005,T1580
# Functions Used: print_2title, print_3title, print_info
# Global Variables: $is_aliyun_ecs
# Initial Functions: check_aliyun_ecs
@@ -28,11 +29,11 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then
fi
if [ "$aliyun_token" ]; then
print_2title "Aliyun ECS Enumeration"
print_2title "Aliyun ECS Enumeration" "T1552.005,T1580"
print_info "https://help.aliyun.com/zh/ecs/user-guide/view-instance-metadata"
echo ""
print_3title "Instance Info"
print_3title "Instance Info" "T1552.005,T1580"
i_hostname=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/hostname)
[ "$i_hostname" ] && echo "Hostname: $i_hostname"
i_instance_id=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/instance-id)
@@ -50,7 +51,7 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then
[ "$i_zone_id" ] && echo "Zone ID: $i_zone_id"
echo ""
print_3title "Network Info"
print_3title "Network Info" "T1552.005,T1580"
i_pub_ipv4=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/public-ipv4)
[ "$i_pub_ipv4" ] && echo "Public IPv4: $i_pub_ipv4"
i_priv_ipv4=$(eval $aliyun_req http://100.100.100.200/latest/meta-data/private-ipv4)
@@ -77,7 +78,7 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then
done
echo ""
print_3title "Service account "
print_3title "Service account " "T1552.005,T1580"
for sa in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/"); do
echo " Name: $sa"
echo " STS Token: "$(eval $aliyun_req "http://100.100.100.200/latest/meta-data/ram/security-credentials/$sa")
@@ -85,7 +86,7 @@ if [ "$is_aliyun_ecs" = "Yes" ]; then
done
echo ""
print_3title "Possbile admin ssh Public keys"
print_3title "Possbile admin ssh Public keys" "T1552.005,T1580"
for key in $(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/"); do
echo " Name: $key"
echo " Key: "$(eval $aliyun_req "http://100.100.100.200/latest/meta-data/public-keys/${key}openssh-key")
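Review bot: the replaced title still reads `"Possbile admin ssh Public keys"`; as the line is being rewritten, correct it to `"Possible admin SSH public keys"` (the same string is touched in the Tencent module).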

@@ -5,6 +5,7 @@
# Description: IBM Cloud Enumeration
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.005,T1580
# Functions Used: check_ibm_vm, print_2title, print_3title
# Global Variables: $IBM_TOKEN, $is_ibm_vm
# Initial Functions: check_ibm_vm
@@ -14,8 +15,7 @@
if [ "$is_ibm_vm" = "Yes" ]; then
print_2title "IBM Cloud Enumeration"
print_2title "IBM Cloud Enumeration" "T1552.005,T1580"
if ! [ "$IBM_TOKEN" ]; then
echo "Couldn't get the metadata token:("
@@ -34,17 +34,17 @@ if [ "$is_ibm_vm" = "Yes" ]; then
fi
if [ "$ibm_req" ]; then
print_3title "Instance Details"
print_3title "Instance Details" "T1552.005,T1580"
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance?version=2022-03-01"
print_3title "Keys and User data"
print_3title "Keys and User data" "T1552.005,T1580"
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/instance/initialization?version=2022-03-01"
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/keys?version=2022-03-01"
print_3title "Placement Groups"
print_3title "Placement Groups" "T1552.005,T1580"
exec_with_jq eval $ibm_req "http://169.254.169.254/metadata/v1/placement_groups?version=2022-03-01"
print_3title "IAM credentials"
print_3title "IAM credentials" "T1552.005,T1580"
exec_with_jq eval $ibm_req -X POST "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01"
fi
fi

@@ -5,6 +5,7 @@
# Description: Tencent Cloud Platform Enumeration
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.005,T1580
# Functions Used: print_2title, print_3title, print_info
# Global Variables: $is_tencent_cvm
# Initial Functions: check_tencent_cvm
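Review bot: `check_tencent_cvm` appears under `# Initial Functions:` but is missing from `# Functions Used:`, the same inconsistency as in the Aliyun module; align the two fields with the convention used by the DO, IBM and EC2 headers.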
@@ -24,12 +25,12 @@ if [ "$is_tencent_cvm" = "Yes" ]; then
fi
print_2title "Tencent CVM Enumeration"
print_2title "Tencent CVM Enumeration" "T1552.005,T1580"
print_info "https://cloud.tencent.com/document/product/213/4934"
# Todo: print_info "Hacktricks Documents needs to be updated"
echo ""
print_3title "Instance Info"
print_3title "Instance Info" "T1552.005,T1580"
i_tencent_owner_account=$(eval $tencent_req http://169.254.0.23/latest/meta-data/app-id)
[ "$i_tencent_owner_account" ] && echo "Tencent Owner Account: $i_tencent_owner_account"
i_hostname=$(eval $tencent_req http://169.254.0.23/latest/meta-data/hostname)
@@ -48,7 +49,7 @@ if [ "$is_tencent_cvm" = "Yes" ]; then
[ "$i_zone_id" ] && echo "Zone ID: $i_zone_id"
echo ""
print_3title "Network Info"
print_3title "Network Info" "T1552.005,T1580"
for mac_tencent in $(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/); do
echo " Mac: $mac_tencent"
echo " Primary IPv4: "$(eval $tencent_req http://169.254.0.23/latest/meta-data/network/interfaces/macs/$mac_tencent/primary-local-ipv4)
@@ -67,7 +68,7 @@ if [ "$is_tencent_cvm" = "Yes" ]; then
done
echo ""
print_3title "Service account "
print_3title "Service account " "T1552.005,T1580"
for sa_tencent in $(eval $tencent_req "http://169.254.0.23/latest/meta-data/cam/security-credentials/"); do
echo " Name: $sa_tencent"
echo " STS Token: "$(eval $tencent_req "http://169.254.0.23/latest/meta-data/cam/security-credentials/$sa_tencent")
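Review bot: the rewritten title `"Service account "` carries a trailing space, as in the Aliyun module; trim it to `"Service account"` while the line is being replaced.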
@@ -75,7 +76,7 @@ if [ "$is_tencent_cvm" = "Yes" ]; then
done
echo ""
print_3title "Possbile admin ssh Public keys"
print_3title "Possbile admin ssh Public keys" "T1552.005,T1580"
for key_tencent in $(eval $tencent_req "http://169.254.0.23/latest/meta-data/public-keys/"); do
echo " Name: $key_tencent"
echo " Key: "$(eval $tencent_req "http://169.254.0.23/latest/meta-data/public-keys/${key_tencent}openssh-key")
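Review bot: the typo `"Possbile admin ssh Public keys"` survives in the rewritten title; change it to `"Possible admin SSH public keys"` since this line is already part of the change.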
@@ -83,6 +84,6 @@ if [ "$is_tencent_cvm" = "Yes" ]; then
done
echo ""
print_3title "User Data"
print_3title "User Data" "T1552.005,T1580"
eval $tencent_req http://169.254.0.23/latest/user-data; echo ""
fi

@@ -5,6 +5,7 @@
# Description: Check if the current system is inside a cloud environment
# License: GNU GPL
# Version: 1.0
# Mitre: T1580
# Functions Used: check_aws_codebuild, check_aws_ec2, check_aws_ecs, check_aws_lambda, check_az_app, check_az_vm, check_az_automation_acc, check_do, check_gcp, check_ibm_vm, check_tencent_cvm, print_list
# Global Variables: $is_aws_codebuild, $is_aws_ecs, $is_aws_ec2, , $is_aws_lambda, $is_az_app, $is_az_automation_acc, $is_az_vm, $is_do, $is_gcp_vm, $is_gcp_function, $is_ibm_vm, $is_aws_ec2_beanstalk, $is_aliyun_ecs, $is_tencent_cvm
# Initial Functions: check_gcp, check_aws_ecs, check_aws_ec2, check_aws_lambda, check_aws_codebuild, check_do, check_ibm_vm, check_az_vm, check_az_app, check_az_automation_acc, check_aliyun_ecs, check_tencent_cvm
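Review bot: the `# Global Variables:` list contains an empty entry (`$is_aws_ec2, , $is_aws_lambda`), and `check_aliyun_ecs` is named under `# Initial Functions:` but absent from `# Functions Used:`; fix both while this header is being edited so the metadata lines stay parseable and complete.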

@@ -5,6 +5,7 @@
# Description: AWS EC2 Enumeration
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.005,T1580
# Functions Used: check_aws_ec2, exec_with_jq, print_2title, print_3title
# Global Variables: $is_aws_ec2
# Initial Functions: check_aws_ec2
@@ -14,8 +15,7 @@
if [ "$is_aws_ec2" = "Yes" ]; then
print_2title "AWS EC2 Enumeration"
print_2title "AWS EC2 Enumeration" "T1552.005,T1580"
TOKEN=""
TOKEN_HEADER="X-aws-ec2-metadata-token"
TOKEN_TTL="X-aws-ec2-metadata-token-ttl-seconds: 21600"
@@ -43,11 +43,11 @@ if [ "$is_aws_ec2" = "Yes" ]; then
printf "region: "; eval $aws_req "$URL/placement/region"; echo ""
echo ""
print_3title "Account Info"
print_3title "Account Info" "T1552.005,T1580"
exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/info"; echo ""
echo ""
print_3title "Network Info"
print_3title "Network Info" "T1552.005,T1580"
for mac in $(eval $aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do
echo "Mac: $mac"
printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
@@ -62,7 +62,7 @@ if [ "$is_aws_ec2" = "Yes" ]; then
done
echo ""
print_3title "IAM Role"
print_3title "IAM Role" "T1552.005,T1580"
exec_with_jq eval $aws_req "$URL/iam/info"; echo ""
for role in $(eval $aws_req "$URL/iam/security-credentials/" 2>/dev/null); do
echo "Role: $role"
@@ -71,14 +71,14 @@ if [ "$is_aws_ec2" = "Yes" ]; then
done
echo ""
print_3title "User Data"
print_3title "User Data" "T1552.005,T1580"
eval $aws_req "http://169.254.169.254/latest/user-data"; echo ""
echo ""
print_3title "EC2 Security Credentials"
print_3title "EC2 Security Credentials" "T1552.005,T1580"
exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/security-credentials/ec2-instance"; echo ""
print_3title "SSM Runnig"
print_3title "SSM Runnig" "T1552.005,T1580"
ps aux 2>/dev/null | grep "ssm-agent" | grep -Ev "grep|sed s,ssm-agent" | sed "s,ssm-agent,${SED_RED},"
fi
echo ""
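Review bot: the rewritten title `"SSM Runnig"` keeps the pre-existing typo; correct it to `"SSM Running"` since the line is being replaced in this hunk.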

@@ -5,6 +5,7 @@
# Description: AWS ECS Enumeration
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.005,T1580
# Functions Used: check_aws_ecs, exec_with_jq, print_2title, print_3title
# Global Variables: $aws_ecs_metadata_uri, $aws_ecs_service_account_uri, $is_aws_ecs
# Initial Functions: check_aws_ecs
@@ -14,8 +15,7 @@
if [ "$is_aws_ecs" = "Yes" ]; then
print_2title "AWS ECS Enumeration"
print_2title "AWS ECS Enumeration" "T1552.005,T1580"
aws_ecs_req=""
if [ "$(command -v curl || echo -n '')" ]; then
aws_ecs_req='curl -s -f'
@@ -26,11 +26,11 @@ if [ "$is_aws_ecs" = "Yes" ]; then
fi
if [ "$aws_ecs_metadata_uri" ]; then
print_3title "Container Info"
print_3title "Container Info" "T1552.005,T1580"
exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri"
echo ""
print_3title "Task Info"
print_3title "Task Info" "T1552.005,T1580"
exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri/task"
echo ""
else
@@ -38,14 +38,14 @@ if [ "$is_aws_ecs" = "Yes" ]; then
fi
if [ "$aws_ecs_service_account_uri" ]; then
print_3title "IAM Role"
print_3title "IAM Role" "T1552.005,T1580"
exec_with_jq eval $aws_ecs_req "$aws_ecs_service_account_uri"
echo ""
else
echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)"
fi
print_3title "ECS task metadata hints"
print_3title "ECS task metadata hints" "T1552.005,T1580"
aws_exec_env=$(printenv AWS_EXECUTION_ENV 2>/dev/null)
if [ "$aws_exec_env" ]; then
printf "AWS_EXECUTION_ENV=%s\n" "$aws_exec_env"
@@ -70,7 +70,7 @@ if [ "$is_aws_ecs" = "Yes" ]; then
fi
echo ""
print_3title "IMDS reachability from this task"
print_3title "IMDS reachability from this task" "T1552.005,T1580"
imds_token=""
imds_roles=""
imds_http_code=""
@@ -128,7 +128,7 @@ if [ "$is_aws_ecs" = "Yes" ]; then
fi
echo ""
print_3title "ECS agent IMDS settings"
print_3title "ECS agent IMDS settings" "T1552.005,T1580"
if [ -r "/etc/ecs/ecs.config" ]; then
ecs_block_line=$(grep -E "^ECS_AWSVPC_BLOCK_IMDS=" /etc/ecs/ecs.config 2>/dev/null | tail -n 1)
ecs_host_line=$(grep -E "^ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST=" /etc/ecs/ecs.config 2>/dev/null | tail -n 1)
@@ -158,7 +158,7 @@ if [ "$is_aws_ecs" = "Yes" ]; then
fi
echo ""
print_3title "DOCKER-USER IMDS filtering"
print_3title "DOCKER-USER IMDS filtering" "T1552.005,T1580"
iptables_cmd=""
if command -v iptables >/dev/null 2>&1; then
iptables_cmd=$(command -v iptables)

@@ -5,6 +5,7 @@
# Description: AWS Lambda Enumeration
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.005,T1580
# Functions Used: check_aws_lambda, print_2title
# Global Variables: $is_aws_lambda
# Initial Functions: check_aws_lambda
@@ -14,7 +15,7 @@
if [ "$is_aws_lambda" = "Yes" ]; then
print_2title "AWS Lambda Enumeration"
print_2title "AWS Lambda Enumeration" "T1552.005,T1580"
printf "Function name: "; env | grep AWS_LAMBDA_FUNCTION_NAME
printf "Region: "; env | grep AWS_REGION
printf "Secret Access Key: "; env | grep AWS_SECRET_ACCESS_KEY

View File

@@ -5,6 +5,7 @@
# Description: AWS Codebuild Enumeration
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.005,T1580
# Functions Used: check_aws_codebuild, exec_with_jq, print_2title, print_3title
# Global Variables: $is_aws_codebuild
# Initial Functions: check_aws_codebuild
@@ -14,8 +15,7 @@
if [ "$is_aws_codebuild" = "Yes" ]; then
print_2title "AWS Codebuild Enumeration"
print_2title "AWS Codebuild Enumeration" "T1552.005,T1580"
aws_req=""
if [ "$(command -v curl || echo -n '')" ]; then
aws_req="curl -s -f"
@@ -27,12 +27,12 @@ if [ "$is_aws_codebuild" = "Yes" ]; then
fi
if [ "$aws_req" ]; then
print_3title "Credentials"
print_3title "Credentials" "T1552.005,T1580"
CREDS_PATH=$(cat /codebuild/output/tmp/env.sh | grep "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" | cut -d "'" -f 2)
URL_CREDS="http://169.254.170.2$CREDS_PATH" # Already has a / at the begginig
exec_with_jq eval $aws_req "$URL_CREDS"; echo ""
print_3title "Container Info"
print_3title "Container Info" "T1552.005,T1580"
METADATA_URL=$(cat /codebuild/output/tmp/env.sh | grep "ECS_CONTAINER_METADATA_URI" | cut -d "'" -f 2)
exec_with_jq eval $aws_req "$METADATA_URL"; echo ""
fi

@@ -5,6 +5,7 @@
# Description: Google Cloud Function Enumeration
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.005,T1580
# Functions Used: check_gcp, print_2title, print_3title, print_info
# Global Variables: $is_gcp_function, $GCP_GOOD_SCOPES, $GCP_BAD_SCOPES
# Initial Functions: check_gcp
@@ -25,7 +26,7 @@ if [ "$is_gcp_function" = "Yes" ]; then
# GCP Enumeration
if [ "$gcp_req" ]; then
print_2title "Google Cloud Platform Enumeration"
print_2title "Google Cloud Platform Enumeration" "T1552.005,T1580"
print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/index.html"
## GC Project Info
@@ -43,7 +44,7 @@ if [ "$is_gcp_function" = "Yes" ]; then
[ "$inst_zone" ] && echo "Zone: $inst_zone"
echo ""
print_3title "Service Accounts"
print_3title "Service Accounts" "T1552.005,T1580"
for sa in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"); do
echo " Name: $sa"
echo " Email: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${sa}email")

@@ -5,6 +5,7 @@
# Description: Google Cloud VM Enumeration
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.005,T1580
# Functions Used: check_gcp, print_2title, print_3title, print_info
# Global Variables: $is_gcp_vm, $GCP_GOOD_SCOPES, $GCP_BAD_SCOPES
# Initial Functions: check_gcp
@@ -25,7 +26,7 @@ if [ "$is_gcp_vm" = "Yes" ]; then
if [ "$gcp_req" ]; then
print_2title "Google Cloud Platform Enumeration"
print_2title "Google Cloud Platform Enumeration" "T1552.005,T1580"
print_info "https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/index.html"
## GC Project Info
@@ -80,7 +81,7 @@ if [ "$is_gcp_vm" = "Yes" ]; then
[ "$inst_k8s_kubenv" ] && echo "K8s Kube-env: $inst_k8s_kubenv"
echo ""
print_3title "Interfaces"
print_3title "Interfaces" "T1552.005,T1580"
for iface in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/"); do
echo " IP: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/ip")
echo " Subnetmask: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask")
@@ -91,12 +92,12 @@ if [ "$is_gcp_vm" = "Yes" ]; then
done
echo ""
print_3title "User Data"
print_3title "User Data" "T1552.005,T1580"
echo $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/attributes/startup-script")
echo ""
echo ""
print_3title "Service Accounts"
print_3title "Service Accounts" "T1552.005,T1580"
for sa in $(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"); do
echo " Name: $sa"
echo " Email: "$(eval $gcp_req "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/$sa/email")

@@ -5,6 +5,7 @@
# Description: Azure VM Enumeration
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.005,T1580
# Functions Used: check_az_vm, exec_with_jq, print_2title, print_3title
# Global Variables: $is_az_vm
# Initial Functions: check_az_vm
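Review bot: `# Functions Used:` omits `print_info`, which the Management, Graph, Vault and Storage token blocks in the later hunk of this module call; add it to the header while the metadata is being edited.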
@@ -14,8 +15,7 @@
if [ "$is_az_vm" = "Yes" ]; then
print_2title "Azure VM Enumeration"
print_2title "Azure VM Enumeration" "T1552.005,T1580"
HEADER="Metadata:true"
URL="http://169.254.169.254/metadata"
API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
@@ -30,38 +30,38 @@ if [ "$is_az_vm" = "Yes" ]; then
fi
if [ "$az_req" ]; then
print_3title "Instance details"
print_3title "Instance details" "T1552.005,T1580"
exec_with_jq eval $az_req "$URL/instance?api-version=$API_VERSION"
echo ""
print_3title "Load Balancer details"
print_3title "Load Balancer details" "T1552.005,T1580"
exec_with_jq eval $az_req "$URL/loadbalancer?api-version=$API_VERSION"
echo ""
print_3title "User Data"
print_3title "User Data" "T1552.005,T1580"
exec_with_jq eval $az_req "$URL/instance/compute/userData?api-version=$API_VERSION\&format=text" | base64 -d 2>/dev/null
echo ""
print_3title "Custom Data and other configs (root needed)"
print_3title "Custom Data and other configs (root needed)" "T1552.005,T1580"
(cat /var/lib/waagent/ovf-env.xml || cat /var/lib/waagent/CustomData/ovf-env.xml) 2>/dev/null | sed "s,CustomData.*,${SED_RED},"
echo ""
print_3title "Management token"
print_3title "Management token" "T1552.005,T1580"
print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://management.azure.com/"
echo ""
print_3title "Graph token"
print_3title "Graph token" "T1552.005,T1580"
print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
echo ""
print_3title "Vault token"
print_3title "Vault token" "T1552.005,T1580"
print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://vault.azure.net/"
echo ""
print_3title "Storage token"
print_3title "Storage token" "T1552.005,T1580"
print_info "It's possible to assign 1 system MI and several user MI to a VM. LinPEAS can only get the token from the default one. More info in https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm"
exec_with_jq eval $az_req "$URL/identity/oauth2/token?api-version=$API_VERSION\&resource=https://storage.azure.com/"
echo ""

@@ -5,6 +5,7 @@
# Description: Azure App Service Enumeration
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.005,T1580
# Functions Used: check_az_app, exec_with_jq, print_2title, print_3title
# Global Variables: $is_az_app,
# Initial Functions: check_az_app
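Review bot: the `# Global Variables:` line ends with a dangling comma (`$is_az_app,`); drop it so the field parses as a clean list.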
@@ -16,8 +17,7 @@
API_VERSION="2019-08-01" #https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp
if [ "$is_az_app" = "Yes" ]; then
print_2title "Azure App Service Enumeration"
print_2title "Azure App Service Enumeration" "T1552.005,T1580"
HEADER="X-IDENTITY-HEADER:$IDENTITY_HEADER"
az_req=""
@@ -30,16 +30,16 @@ if [ "$is_az_app" = "Yes" ]; then
fi
if [ "$az_req" ]; then
print_3title "Management token"
print_3title "Management token" "T1552.005,T1580"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://management.azure.com/"
echo
print_3title "Graph token"
print_3title "Graph token" "T1552.005,T1580"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://graph.microsoft.com/"
echo
print_3title "Vault token"
print_3title "Vault token" "T1552.005,T1580"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://vault.azure.net/"
echo
print_3title "Storage token"
print_3title "Storage token" "T1552.005,T1580"
exec_with_jq eval $az_req "$IDENTITY_ENDPOINT?api-version=$API_VERSION\&resource=https://storage.azure.com/"
fi
echo ""

@@ -5,6 +5,7 @@
# Description: Services and service files analysis with privilege escalation vectors
# License: GNU GPL
# Version: 1.2
# Mitre: T1543.002,T1007
# Functions Used: echo_not_found, print_2title, print_info, print_3title
# Global Variables: $EXTRA_CHECKS, $IAMROOT, $SEARCH_IN_FOLDER, $TIMEOUT, $WRITABLESYSTEMDPATH
# Initial Functions:
@@ -13,7 +14,7 @@
# Small linpeas: 0
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Services and Service Files"
print_2title "Services and Service Files" "T1543.002,T1007"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#services"
# Function to check service content for privilege escalation vectors
@@ -125,7 +126,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
# List all services and check for privilege escalation vectors
echo ""
print_3title "Active services:"
print_3title "Active services:" "T1543.002,T1007"
systemctl list-units --type=service --state=active 2>/dev/null | grep -v "UNIT" | while read -r line; do
service_unit=$(echo "$line" | awk '{print $1}')
if [ -n "$service_unit" ]; then
@@ -145,7 +146,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
# Check for disabled but available services
echo ""
print_3title "Disabled services:"
print_3title "Disabled services:" "T1543.002,T1007"
systemctl list-unit-files --type=service --state=disabled 2>/dev/null | grep -v "UNIT FILE" | while read -r line; do
service_unit=$(echo "$line" | awk '{print $1}')
if [ -n "$service_unit" ]; then
@@ -166,7 +167,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
# Check service files from PSTORAGE_SYSTEMD
if [ -n "$PSTORAGE_SYSTEMD" ]; then
echo ""
print_3title "Additional service files:"
print_3title "Additional service files:" "T1543.002,T1007"
printf "%s\n" "$PSTORAGE_SYSTEMD" | while read -r service_file; do
if [ -n "$service_file" ] && [ -e "$service_file" ]; then
check_service_file "$service_file"
@@ -177,7 +178,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
# Check for outdated services if EXTRA_CHECKS is enabled
if [ "$EXTRA_CHECKS" ]; then
echo ""
print_3title "Service versions and status:"
print_3title "Service versions and status:" "T1543.002,T1007"
if [ "$TIMEOUT" ]; then
$TIMEOUT 30 sh -c "(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null" || echo_not_found "service|chkconfig|rc-status|launchctl"
else

@@ -14,6 +14,7 @@
# * Writable paths: Replace executables in writable paths to get code execution
# License: GNU GPL
# Version: 1.1
# Mitre: T1543.002
# Functions Used: print_2title, print_list, echo_not_found
# Global Variables: $SEARCH_IN_FOLDER, $Wfolders, $SED_RED, $SED_RED_YELLOW, $NC
# Initial Functions:
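Review bot: `# Functions Used:` lists `print_2title, print_list, echo_not_found` but the module also calls `print_info` (directly after both the "Systemd Information" and "Systemd PATH" titles in the following hunks); add `print_info` to the header.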
@@ -22,7 +23,7 @@
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Systemd Information"
print_2title "Systemd Information" "T1543.002"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths"
# Function to check if systemctl is available
@@ -161,7 +162,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
echo ""
print_2title "Systemd PATH"
print_2title "Systemd PATH" "T1543.002"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#systemd-path---relative-paths"
if check_systemctl; then
systemctl show-environment 2>/dev/null |

@@ -10,6 +10,7 @@
# - Socket files with unsafe configurations
# License: GNU GPL
# Version: 1.2
# Mitre: T1559
# Functions Used: print_2title, print_info, print_list
# Global Variables: $IAMROOT, $SEARCH_IN_FOLDER, $SED_RED, $SED_RED_YELLOW, $NC
# Initial Functions:
@@ -18,7 +19,7 @@
# Small linpeas: 0
if ! [ "$IAMROOT" ]; then
print_2title "Analyzing .socket files"
print_2title "Analyzing .socket files" "T1559"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets"
# Function to check if path is relative

@@ -10,6 +10,7 @@
# - Socket protocol analysis
# License: GNU GPL
# Version: 1.1
# Mitre: T1571,T1049
# Functions Used: print_2title, print_info
# Global Variables: $EXTRA_CHECKS, $groupsB, $groupsVB, $IAMROOT, $idB, $knw_grps, $knw_usrs, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $SED_RED, $SED_GREEN, $SED_RED_YELLOW, $NC, $RED
# Initial Functions:
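Review bot: please double-check the `T1571` half of this mapping for a Unix domain socket check; T1571 (Non-Standard Port) describes network port usage, and Unix sockets are filesystem paths with no port, so `T1049` alone, or a discovery technique closer to what the check reports, may be the more accurate tag.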
@@ -19,7 +20,7 @@
if ! [ "$IAMROOT" ]; then
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Unix Sockets Analysis"
print_2title "Unix Sockets Analysis" "T1571,T1049"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sockets"

@@ -11,6 +11,7 @@
# - D-Bus Privilege Escalation Vectors
# License: GNU GPL
# Version: 1.3
# Mitre: T1559.001
# Functions Used: print_2title, print_3title, print_info, echo_not_found
# Global Variables: $IAMROOT, $mygroups, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $dbuslistG, $knw_usrs, $rootcommon, $SED_RED, $SED_GREEN, $SED_BLUE, $SED_LIGHT_CYAN, $SED_LIGHT_MAGENTA, $NC
# Initial Functions:
@@ -19,7 +20,7 @@
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "D-Bus Analysis"
print_2title "D-Bus Analysis" "T1559.001"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#d-bus"
@@ -213,7 +214,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
# Analyze D-Bus Configuration Files
if [ "$PSTORAGE_DBUS" ]; then
echo ""
print_2title "D-Bus Configuration Files"
print_2title "D-Bus Configuration Files" "T1559.001"
echo "$PSTORAGE_DBUS" | while read -r dir; do
for dbus_file in "$dir"/*; do
if [ -f "$dbus_file" ]; then
@@ -229,7 +230,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
# Check for D-Bus session bus
if command -v dbus-send >/dev/null 2>&1; then
echo ""
print_3title "D-Bus Session Bus Analysis"
print_3title "D-Bus Session Bus Analysis" "T1559.001"
if dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames 2>/dev/null | grep -q "Error"; then
echo "(${RED}No access to session bus${NC})"
else

@@ -6,6 +6,7 @@
# which can allow passwordless root via hostname/DNS manipulation.
# License: GNU GPL
# Version: 1.0
# Mitre: T1021.004
# Functions Used: print_2title, print_3title, echo_not_found
# Global Variables:
# Initial Functions:
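Review bot: `# Global Variables:` is left empty although the module reads `$SEARCH_IN_FOLDER` in its guard on the very next hunk; list it. Also confirm `T1021.004` (the SSH sub-technique of Remote Services) is the intended tag for a check whose main subject is rsh/rlogin/rexec and hosts.equiv/.rhosts trust; only the final "SSH HostbasedAuthentication" section is about SSH, so the parent `T1021` may describe the check more faithfully.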
@@ -14,10 +15,9 @@
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Legacy r-commands (rsh/rlogin/rexec) and host-based trust"
print_2title "Legacy r-commands (rsh/rlogin/rexec) and host-based trust" "T1021.004"
echo ""
print_3title "Listening r-services (TCP 512-514)"
print_3title "Listening r-services (TCP 512-514)" "T1021.004"
if command -v ss >/dev/null 2>&1; then
ss -ltnp 2>/dev/null | awk '$1 ~ /^LISTEN$/ && $4 ~ /:(512|513|514)$/ {print}' || echo_not_found "ss"
elif command -v netstat >/dev/null 2>&1; then
@@ -27,7 +27,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
fi
echo ""
print_3title "systemd units exposing r-services"
print_3title "systemd units exposing r-services" "T1021.004"
if command -v systemctl >/dev/null 2>&1; then
systemctl list-unit-files 2>/dev/null | grep -E '^(rlogin|rsh|rexec)\.(socket|service)\b' || echo_not_found "rlogin|rsh|rexec units"
systemctl list-sockets 2>/dev/null | grep -E '\b(rlogin|rsh|rexec)\.socket\b' || true
@@ -36,7 +36,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
fi
echo ""
print_3title "inetd/xinetd configuration for r-services"
print_3title "inetd/xinetd configuration for r-services" "T1021.004"
if [ -f /etc/inetd.conf ]; then
grep -vE '^\s*#|^\s*$' /etc/inetd.conf 2>/dev/null | grep -Ei '\b(shell|login|exec|rsh|rlogin|rexec)\b' 2>/dev/null || echo " No r-services found in /etc/inetd.conf"
else
@@ -60,7 +60,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
fi
echo ""
print_3title "Installed r-service server packages"
print_3title "Installed r-service server packages" "T1021.004"
if command -v dpkg >/dev/null 2>&1; then
dpkg -l 2>/dev/null | grep -E '\b(rsh-server|rsh-redone-server|krb5-rsh-server|inetutils-inetd|openbsd-inetd|xinetd|netkit-rsh)\b' || echo " No related packages found via dpkg"
elif command -v rpm >/dev/null 2>&1; then
@@ -70,7 +70,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
fi
echo ""
print_3title "/etc/hosts.equiv and /etc/shosts.equiv"
print_3title "/etc/hosts.equiv and /etc/shosts.equiv" "T1021.004"
for f in /etc/hosts.equiv /etc/shosts.equiv; do
if [ -f "$f" ]; then
perms=$(stat -c %a "$f" 2>/dev/null)
@@ -87,7 +87,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
done
echo ""
print_3title "Per-user .rhosts files"
print_3title "Per-user .rhosts files" "T1021.004"
any_rhosts=false
for rfile in /root/.rhosts /home/*/.rhosts; do
if [ -f "$rfile" ]; then
@@ -107,7 +107,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
if ! $any_rhosts; then echo_not_found ".rhosts"; fi
echo ""
print_3title "PAM rhosts authentication"
print_3title "PAM rhosts authentication" "T1021.004"
shown=false
for p in /etc/pam.d/rlogin /etc/pam.d/rsh; do
if [ -f "$p" ]; then
@@ -119,7 +119,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
if ! $shown; then echo_not_found "/etc/pam.d/rlogin|rsh"; fi
echo ""
print_3title "SSH HostbasedAuthentication"
print_3title "SSH HostbasedAuthentication" "T1021.004"
if [ -f /etc/ssh/sshd_config ]; then
if grep -qiE '^[^#]*HostbasedAuthentication\s+yes' /etc/ssh/sshd_config 2>/dev/null; then
echo " HostbasedAuthentication yes (check /etc/shosts.equiv or ~/.shosts)"
@@ -131,7 +131,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
fi
echo ""
print_3title "Potential DNS control indicators (local)"
print_3title "Potential DNS control indicators (local)" "T1021.004"
(ps -eo comm,args 2>/dev/null | grep -Ei '(^|/)(pdns|pdns_server|pdns_recursor|powerdns-admin)( |$)' | grep -Ev 'grep|bash' || echo " Not detected")
echo ""

@@ -8,6 +8,7 @@
# - Cron DB path (CRON_DB_PATH) and weak permissions / embedded secrets in jobs
# License: GNU GPL
# Version: 1.0
# Mitre: T1053.003
# Functions Used: print_2title, print_info, print_list, echo_not_found
# Global Variables: $SEARCH_IN_FOLDER, $SED_RED, $SED_RED_YELLOW, $NC
# Initial Functions:
@@ -16,7 +17,7 @@
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Crontab UI (root) misconfiguration checks"
print_2title "Crontab UI (root) misconfiguration checks" "T1053.003"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
# Collect candidate services referencing crontab-ui

@@ -5,6 +5,7 @@
# Description: Identify deleted files still held open by running processes
# License: GNU GPL
# Version: 1.0
# Mitre: T1083
# Functions Used: print_2title, print_info
# Global Variables: $DEBUG, $EXTRA_CHECKS, $E, $SED_RED
# Initial Functions:
@@ -13,12 +14,12 @@
# Small linpeas: 1
if [ "$(command -v lsof 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
print_2title "Deleted files still open"
print_2title "Deleted files still open" "T1083"
print_info "Open deleted files can hide tools and still consume disk space"
lsof +L1 2>/dev/null | sed -${E} "s,\\(deleted\\),${SED_RED},g"
echo ""
elif [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
print_2title "Deleted files still open"
print_2title "Deleted files still open" "T1083"
print_info "lsof not found, scanning /proc for deleted file descriptors"
ls -l /proc/[0-9]*/fd 2>/dev/null | grep "(deleted)" | sed -${E} "s,\\(deleted\\),${SED_RED},g" | head -n 200
echo ""

@@ -5,6 +5,7 @@
# Description: List running processes and check for unusual configurations
# License: GNU GPL
# Version: 1.4
# Mitre: T1057
# Functions Used: print_2title, print_info, print_ps
# Global Variables: $capsB, $knw_usrs, $nosh_usrs, $NOUSEPS, $processesB, $processesDump, $processesVB, $rootcommon, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders
# Initial Functions:
@@ -13,8 +14,7 @@
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Running processes (cleaned)"
print_2title "Running processes (cleaned)" "T1057"
if [ "$NOUSEPS" ]; then
printf ${BLUE}"[i]$GREEN Looks like ps is not finding processes, going to read from /proc/ and not going to monitor 1min of processes\n"$NC
fi
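Review bot: the `printf` under `if [ "$NOUSEPS" ]` uses `$BLUE`, `$GREEN` and `$NC`, none of which appear in this module's `# Global Variables:` list in the header hunk above; add them, as the other modules in this change do for `$SED_RED`, `$NC` and similar colour variables.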
@@ -234,7 +234,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
fi
# Additional checks for each process
print_2title "Processes with unusual configurations"
print_2title "Processes with unusual configurations" "T1057"
for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
# Skip if process doesn't exist or we can't access it
[ ! -d "/proc/$pid" ] && continue

@@ -5,6 +5,7 @@
# Description: Processes with credentials inside memory and memory-mapped files
# License: GNU GPL
# Version: 1.2
# Mitre: T1003.007
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables: $pslist, $SEARCH_IN_FOLDER, $processesDump, $nosh_usrs, $processesB, $knw_usrs, $rootcommon, $sh_usrs, $processesVB
# Initial Functions:
@@ -13,7 +14,7 @@
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Processes with credentials in memory (root req)"
print_2title "Processes with credentials in memory (root req)" "T1003.007"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory"
# Common credential-storing processes
@@ -30,7 +31,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
# Check for processes with open handles to credential files
echo ""
print_2title "Opened Files by processes"
print_2title "Opened Files by processes" "T1003.007"
for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
# Skip if process doesn't exist or we can't access it
[ ! -d "/proc/$pid" ] && continue
@@ -76,7 +77,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
# Check for processes with memory-mapped files that might contain credentials
echo ""
print_2title "Processes with memory-mapped credential files"
print_2title "Processes with memory-mapped credential files" "T1003.007"
for pid in $(find /proc -maxdepth 1 -regex '/proc/[0-9]+' -printf "%f\n" 2>/dev/null); do
# Skip if process doesn't exist or we can't access it
[ ! -d "/proc/$pid" ] && continue

View File

@@ -5,6 +5,7 @@
# Description: Check the permissions of the binaries of the running processes
# License: GNU GPL
# Version: 1.2
# Mitre: T1574,T1554
# Functions Used: print_2title, print_info
# Global Variables: $knw_usrs, $nosh_usrs, $NOUSEPS, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders
# Initial Functions:
@@ -14,7 +15,7 @@
if ! [ "$SEARCH_IN_FOLDER" ]; then
if [ "$NOUSEPS" ]; then
print_2title "Binary processes permissions (non 'root root' and not belonging to current user)"
print_2title "Binary processes permissions (non 'root root' and not belonging to current user)" "T1574,T1554"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes"
# Get list of writable binaries

View File

@@ -5,6 +5,7 @@
# Description: Processes whose PPID belongs to a different user (not root)
# License: GNU GPL
# Version: 1.1
# Mitre: T1134.004
# Functions Used: print_2title, print_info
# Global Variables: $nosh_usrs, $NOUSEPS, $SEARCH_IN_FOLDER, $sh_usrs, $USER
# Initial Functions:
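Review bot: `# Mitre: T1134.004` (Access Token Manipulation: Parent PID Spoofing) is a Windows-only technique in ATT&CK, while this module only runs on Linux/macOS (the next hunk looks users up via `/proc`). A filter on Windows-only IDs would surface a Linux check and a filter on Linux-applicable IDs would miss it; T1057 (Process Discovery), already used by the neighbouring process modules, describes what this check actually enumerates.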
@@ -13,7 +14,7 @@
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ] && ! [ "$NOUSEPS" ]; then
print_2title "Processes whose PPID belongs to a different user (not root)"
print_2title "Processes whose PPID belongs to a different user (not root)" "T1134.004"
print_info "You will know if a user can somehow spawn processes as a different user"
# Function to get user by PID using /proc

View File

@@ -5,6 +5,7 @@
# Description: Files opened by processes belonging to other users
# License: GNU GPL
# Version: 1.1
# Mitre: T1083
# Functions Used: print_2title, print_info
# Global Variables: $IAMROOT, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER
# Initial Functions:
@@ -14,7 +15,7 @@
if ! [ "$SEARCH_IN_FOLDER" ]; then
if ! [ "$IAMROOT" ]; then
print_2title "Files opened by processes belonging to other users"
print_2title "Files opened by processes belonging to other users" "T1083"
print_info "This is usually empty because of the lack of privileges to read other user processes information"
# Function to get username by UID

View File

@@ -5,6 +5,7 @@
# Description: Different processes executed during 1 min
# License: GNU GPL
# Version: 1.0
# Mitre: T1057
# Functions Used: print_2title, print_info
# Global Variables: $nosh_usrs, $sh_usrs, $Wfolders
# Initial Functions:
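Review bot: the `# Global Variables:` line reads `$nosh_usrs, $sh_usrs, $Wfolders`, but the code in the following hunk tests `$SEARCH_IN_FOLDER`, `$FAST` and `$SUPERFAST`; since this header is being edited for the `# Mitre:` field anyway, bring the variable list up to date in the same change so the builder's metadata stays trustworthy.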
@@ -15,7 +16,7 @@
if ! [ "$SEARCH_IN_FOLDER" ]; then
if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
print_2title "Different processes executed during 1 min (interesting is low number of repetitions)" "T1057"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#frequent-cron-jobs"
temp_file=$(mktemp)
if [ "$(ps -e -o user,command 2>/dev/null)" ]; then

View File

@@ -5,6 +5,7 @@
# Description: Enumerate system cron jobs and check for privilege escalation vectors
# License: GNU GPL
# Version: 1.2
# Mitre: T1053.003
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables: $cronjobsG, $nosh_usrs, $SEARCH_IN_FOLDER, $sh_usrs, $USER, $Wfolders, $cronjobsB, $PATH
# Initial Functions:
@@ -13,10 +14,10 @@
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Check for vulnerable cron jobs"
print_2title "Check for vulnerable cron jobs" "T1053.003"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
print_3title "Cron jobs list"
print_3title "Cron jobs list" "T1053.003"
command -v crontab 2>/dev/null || echo_not_found "crontab"
crontab -l 2>/dev/null | tr -d "\r" | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
command -v incrontab 2>/dev/null || echo_not_found "incrontab"
@@ -29,10 +30,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
atq 2>/dev/null
echo ""
print_3title "Checking for specific cron jobs vulnerabilities"
print_3title "Checking for specific cron jobs vulnerabilities" "T1053.003"
# Function to check if a binary is writable and executable
check_binary_perms() {
local bin="$1"
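Review bot: the hunk header `@@ -29,10 +30,7 @@` records a net removal of three lines, but the only visible change is the `print_3title "Checking for specific cron jobs vulnerabilities"` replacement; if blank lines were stripped, that is whitespace churn unrelated to a metadata-tagging commit and should be split out or at least mentioned in the commit message.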
@@ -244,7 +242,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
# done
#fi
else
print_2title "Cron jobs"
print_2title "Cron jobs" "T1053.003"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs"
find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
fi

View File

@@ -5,6 +5,7 @@
# Description: Third party LaunchAgents & LaunchDemons and privilege escalation vectors
# License: GNU GPL
# Version: 1.1
# Mitre: T1543.001
# Functions Used: print_2title, print_info
# Global Variables: $MACPEAS, $SEARCH_IN_FOLDER
# Initial Functions:
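Review bot: `# Mitre: T1543.001` covers only Launch Agent, but the description and the check enumerate both LaunchAgents and LaunchDaemons (see `print_info "Checking for privilege escalation vectors in LaunchAgents & LaunchDaemons:"` in the next hunk); ATT&CK maps daemons to the separate sub-technique T1543.004 (Create or Modify System Process: Launch Daemon), so the field should read `T1543.001,T1543.004`.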
@@ -14,7 +15,7 @@
if ! [ "$SEARCH_IN_FOLDER" ]; then
if [ "$MACPEAS" ]; then
print_2title "Third party LaunchAgents & LaunchDemons"
print_2title "Third party LaunchAgents & LaunchDemons" "T1543.001"
print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#launchd"
print_info "Checking for privilege escalation vectors in LaunchAgents & LaunchDaemons:"
print_info "1. Writable plist files"
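Review bot: the new title string `"Third party LaunchAgents & LaunchDemons"` keeps the misspelling of LaunchDaemons (the `print_info` line two lines below spells it correctly); since the line is being rewritten anyway, fix the spelling here and in the `# Description:` field in the same change.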
@@ -100,7 +101,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
done
echo ""
print_2title "StartupItems"
print_2title "StartupItems" "T1543.001"
print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
for startup_dir in /Library/StartupItems/ /System/Library/StartupItems/; do
[ ! -d "$startup_dir" ] && continue
@@ -114,7 +115,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
done
echo ""
print_2title "Login Items"
print_2title "Login Items" "T1543.001"
print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#startup-items"
osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null | tr ", " "\n" | while read -r login_item; do
if [ -n "$login_item" ]; then
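Review bot: `print_2title "Login Items" "T1543.001"` tags a login-item check with the Launch Agent sub-technique; every subtitle in this module inherits the header ID regardless of mechanism (the Emond hunk below does the same). ATT&CK has dedicated entries for these persistence locations (T1547.015 Login Items, T1546.014 Emond), so if the per-title IDs are meant to carry meaning, use those here rather than repeating the module-level value.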
@@ -128,7 +129,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
done
echo ""
print_2title "SPStartupItemDataType"
print_2title "SPStartupItemDataType" "T1543.001"
system_profiler SPStartupItemDataType 2>/dev/null | while read -r line; do
if echo "$line" | grep -q "Location:"; then
location=$(echo "$line" | cut -d: -f2- | xargs)
@@ -140,7 +141,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
done
echo ""
print_2title "Emond scripts"
print_2title "Emond scripts" "T1543.001"
print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-auto-start-locations.html#emond"
if [ -d "/private/var/db/emondClients" ]; then
find "/private/var/db/emondClients" -type f 2>/dev/null | while read -r emond_script; do
@@ -152,7 +153,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
fi
echo ""
print_2title "Periodic tasks"
print_2title "Periodic tasks" "T1543.001"
print_info "Checking periodic tasks for privilege escalation vectors"
for periodic_dir in /etc/periodic/daily /etc/periodic/weekly /etc/periodic/monthly; do
[ ! -d "$periodic_dir" ] && continue

View File

@@ -5,6 +5,7 @@
# Description: System Timers and privilege escalation vectors
# License: GNU GPL
# Version: 1.2
# Mitre: T1053.003
# Functions Used: echo_not_found, print_2title, print_info, print_3title
# Global Variables: $SEARCH_IN_FOLDER, $timersG
# Initial Functions:
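Review bot: `# Mitre: T1053.003` maps systemd timers to the Cron sub-technique; ATT&CK has a dedicated sub-technique T1053.006 (Scheduled Task/Job: Systemd Timers) that exactly matches the `systemctl list-timers` enumeration below. With the Cron ID here, a filter for systemd timers returns nothing while a filter for cron also pulls in this module.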
@@ -13,7 +14,7 @@
# Small linpeas: 1
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "System timers"
print_2title "System timers" "T1053.003"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#timers"
# Function to check timer content for privilege escalation vectors
@@ -111,7 +112,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
}
# List all timers and check for privilege escalation vectors
print_3title "Active timers:"
print_3title "Active timers:" "T1053.003"
systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | while read -r line; do
# Extract timer unit name
timer_unit=$(echo "$line" | awk '{print $1}')
@@ -131,7 +132,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
done || echo_not_found
# Check for disabled but available timers
print_3title "Disabled timers:"
print_3title "Disabled timers:" "T1053.003"
systemctl list-unit-files --type=timer --state=disabled 2>/dev/null | grep -v "UNIT FILE" | while read -r line; do
timer_unit=$(echo "$line" | awk '{print $1}')
if [ -n "$timer_unit" ]; then
@@ -144,7 +145,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
# Check timer files from PSTORAGE_TIMER
if [ -n "$PSTORAGE_TIMER" ]; then
print_3title "Additional timer files:"
print_3title "Additional timer files:" "T1053.003"
printf "%s\n" "$PSTORAGE_TIMER" | while read -r timer_file; do
if [ -n "$timer_file" ] && [ -e "$timer_file" ]; then
check_timer_file "$timer_file"

View File

@@ -5,6 +5,7 @@
# Description: Enumerate macOS hardware ports
# License: GNU GPL
# Version: 1.0
# Mitre: T1016
# Functions Used: print_2title
# Global Variables: $EXTRA_CHECKS, $MACPEAS
# Initial Functions:
@@ -14,27 +15,27 @@
if [ "$MACPEAS" ] && [ "$EXTRA_CHECKS" ]; then
print_2title "Hardware Ports"
print_2title "Hardware Ports" "T1016"
networksetup -listallhardwareports
echo ""
print_2title "VLANs"
print_2title "VLANs" "T1016"
networksetup -listVLANs
echo ""
print_2title "Wifi Info"
print_2title "Wifi Info" "T1016"
networksetup -getinfo Wi-Fi
echo ""
print_2title "Check Enabled Proxies"
print_2title "Check Enabled Proxies" "T1016"
scutil --proxy
echo ""
print_2title "Wifi Proxy URL"
print_2title "Wifi Proxy URL" "T1016"
networksetup -getautoproxyurl Wi-Fi
echo ""
print_2title "Wifi Web Proxy"
print_2title "Wifi Web Proxy" "T1016"
networksetup -getwebproxy Wi-Fi
echo ""
fi

View File

@@ -5,6 +5,7 @@
# Description: Check for internet access
# License: GNU GPL
# Version: 1.0
# Mitre: T1016,T1590
# Functions Used: check_dns, check_icmp, check_tcp_443, check_tcp_443_bin, check_tcp_80, print_2title, print_3title, print_info, check_external_hostname
# Global Variables: $E
# Initial Functions:
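Review bot: `# Mitre: T1016,T1590` includes T1590 (Gather Victim Network Information), a Reconnaissance-tactic technique performed before access to the target; a connectivity and proxy check run on the host is post-compromise discovery, for which T1016.001 (System Network Configuration Discovery: Internet Connection Discovery) is the precise match. Drop T1590 so the filter does not conflate pre-access reconnaissance with host enumeration.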
@@ -14,8 +15,7 @@
print_2title "Internet Access?"
print_2title "Internet Access?" "T1016,T1590"
TIMEOUT_INTERNET_SECONDS=5
if [ "$SUPERFAST" ]; then
@@ -44,13 +44,13 @@ wait 2>/dev/null
if [ "$tcp443_bin_status" -eq 0 ] && \
[ -z "$SUPERFAST" ] && [ -z "$NOT_CHECK_EXTERNAL_HOSTNAME" ]; then
echo ""
print_2title "Is hostname malicious or leaked?"
print_2title "Is hostname malicious or leaked?" "T1016,T1590"
print_info "This will check the public IP and hostname in known malicious lists and leaks to find any relevant information about the host."
check_external_hostname 2>/dev/null
fi
echo ""
print_3title "Proxy discovery"
print_3title "Proxy discovery" "T1016,T1590"
print_info "Checking common proxy env vars and apt proxy config"
(env | grep -iE '^(http|https|ftp|all)_proxy=|^no_proxy=') 2>/dev/null | sed -${E} "s,_proxy|no_proxy,${SED_RED_YELLOW},g"
grep -RinE 'Acquire::(http|https)::Proxy|proxy' /etc/apt/apt.conf /etc/apt/apt.conf.d 2>/dev/null | sed -${E} "s,proxy|Acquire::http::Proxy|Acquire::https::Proxy,${SED_RED_YELLOW},g"

View File

@@ -5,6 +5,7 @@
# Description: Check network interfaces
# License: GNU GPL
# Version: 1.0
# Mitre: T1016
# Functions Used: print_2title, print_3title
# Global Variables: $E, $SED_RED_YELLOW
# Initial Functions:
@@ -61,7 +62,7 @@ parse_network_interfaces() {
fi
}
print_2title "Interfaces"
print_2title "Interfaces" "T1016"
cat /etc/networks 2>/dev/null
# Try standard tools first, then fall back to our custom function
@@ -74,21 +75,21 @@ else
fi
if command -v ip >/dev/null 2>&1; then
print_3title "Routing & policy quick view"
print_3title "Routing & policy quick view" "T1016"
ip route 2>/dev/null
ip -6 route 2>/dev/null | head -n 30
echo ""
ip rule 2>/dev/null
print_3title "Virtual/overlay interfaces quick view"
print_3title "Virtual/overlay interfaces quick view" "T1016"
ip -d link 2>/dev/null | grep -E "^[0-9]+:|veth|docker|cni|flannel|br-|bridge|vlan|bond|tun|tap|wg|tailscale" | sed -${E} "s,veth|docker|cni|flannel|br-|bridge|vlan|bond|tun|tap|wg|tailscale,${SED_RED_YELLOW},g"
print_3title "Network namespaces quick view"
print_3title "Network namespaces quick view" "T1016"
ip netns list 2>/dev/null
ls -la /var/run/netns/ 2>/dev/null
fi
print_3title "Forwarding status"
print_3title "Forwarding status" "T1016"
sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding 2>/dev/null | sed -${E} "s,=[[:space:]]*1,${SED_RED_YELLOW},g"
echo ""

View File

@@ -5,6 +5,7 @@
# Description: Get hostname, hosts and DNS
# License: GNU GPL
# Version: 1.0
# Mitre: T1016,T1018
# Functions Used: print_2title, warn_exec
# Global Variables:
# Initial Functions:
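Review bot: `# Functions Used: print_2title, warn_exec` omits `print_3title`, which the module calls in every helper shown in the following hunks (`get_hostname_info`, `get_hosts_info`, `get_dns_info`); with the header already open for the `# Mitre:` addition, correct the list so the builder's dependency resolution matches the code.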
@@ -14,7 +15,7 @@
# Function to get hostname using multiple methods
get_hostname_info() {
print_3title "Hostname Information"
print_3title "Hostname Information" "T1016,T1018"
# Try multiple methods to get hostname
if command -v hostname >/dev/null 2>&1; then
echo "System hostname: $(hostname 2>/dev/null)"
@@ -33,7 +34,7 @@ get_hostname_info() {
# Function to get hosts file information
get_hosts_info() {
print_3title "Hosts File Information"
print_3title "Hosts File Information" "T1016,T1018"
if [ -f "/etc/hosts" ]; then
echo "Contents of /etc/hosts:"
grep -v "^#" /etc/hosts 2>/dev/null | grep -v "^$" | while read -r line; do
@@ -45,8 +46,7 @@ get_hosts_info() {
# Function to get DNS information
get_dns_info() {
print_3title "DNS Configuration"
print_3title "DNS Configuration" "T1016,T1018"
# Get resolv.conf information
if [ -f "/etc/resolv.conf" ]; then
echo "DNS Servers (resolv.conf):"
@@ -99,8 +99,7 @@ get_dns_info() {
echo ""
}
print_2title "Hostname, hosts and DNS"
print_2title "Hostname, hosts and DNS" "T1016,T1018"
# Execute all information gathering functions
get_hostname_info
get_hosts_info

View File

@@ -5,6 +5,7 @@
# Description: Networks and neighbours
# License: GNU GPL
# Version: 1.0
# Mitre: T1018,T1040
# Functions Used: print_2title, print_3title
# Global Variables: $EXTRA_CHECKS, $MACPEAS
# Initial Functions:
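Review bot: `# Mitre: T1018,T1040` tags a passive read of the routing and ARP tables with T1040 (Network Sniffing), which is about capturing traffic, not reading kernel tables from `/proc/net/route` and `/proc/net/arp`; T1016 (System Network Configuration Discovery), already used by the interfaces and DNS modules, describes this check, and T1040 should stay reserved for the traffic-analysis module where it is used correctly.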
@@ -14,7 +15,7 @@
# Function to parse routing information from /proc/net/route
parse_proc_route() {
print_3title "Routing Table (from /proc/net/route)"
print_3title "Routing Table (from /proc/net/route)" "T1018,T1040"
echo "Destination Gateway Genmask Flags Metric Ref Use Iface"
echo "--------------------------------------------------------------------------------"
# Skip header line and process each route
@@ -39,7 +40,7 @@ parse_proc_route() {
# Function to parse ARP information from /proc/net/arp
parse_proc_arp() {
print_3title "ARP Table (from /proc/net/arp)"
print_3title "ARP Table (from /proc/net/arp)" "T1018,T1040"
echo "IP address HW type Flags HW address Mask Device"
echo "------------------------------------------------------------------------"
# Skip header line and process each ARP entry
@@ -61,10 +62,9 @@ parse_proc_arp() {
# Function to get network neighbors information
get_network_neighbors() {
print_2title "Networks and neighbours"
print_2title "Networks and neighbours" "T1018,T1040"
# Get routing information
print_3title "Routing Information"
print_3title "Routing Information" "T1018,T1040"
if [ "$MACPEAS" ]; then
# macOS specific
if command -v netstat >/dev/null 2>&1; then
@@ -88,7 +88,7 @@ get_network_neighbors() {
fi
# Get ARP information
print_3title "ARP Information"
print_3title "ARP Information" "T1018,T1040"
if command -v arp >/dev/null 2>&1; then
if [ "$MACPEAS" ]; then
arp -a 2>/dev/null
@@ -102,8 +102,7 @@ get_network_neighbors() {
fi
# Additional neighbor discovery methods
print_3title "Additional Neighbor Information"
print_3title "Additional Neighbor Information" "T1018,T1040"
# Check for IPv6 neighbors if available
if [ -f "/proc/net/ipv6_neigh" ]; then
echo "IPv6 Neighbors:"

View File

@@ -5,6 +5,7 @@
# Description: Enumerate open ports
# License: GNU GPL
# Version: 1.0
# Mitre: T1049
# Functions Used: print_2title, print_3title, print_info
# Global Variables: $E, $SED_RED, $SED_RED_YELLOW
# Initial Functions:
@@ -43,7 +44,7 @@ parse_proc_net_ports() {
local header_sep="--------------------------------------------------------------------------------"
if [ -f "$proc_file" ]; then
print_3title "Active $proto Ports (from /proc/net/$proto)"
print_3title "Active $proto Ports (from /proc/net/$proto)" "T1049"
echo "$header"
echo "$header_sep"
@@ -106,15 +107,15 @@ parse_proc_net_ports() {
# Function to get open ports information
get_open_ports() {
print_2title "Active Ports"
print_2title "Active Ports" "T1049"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports"
# Try standard tools first
if command -v netstat >/dev/null 2>&1; then
print_3title "Active Ports (netstat)"
print_3title "Active Ports (netstat)" "T1049"
netstat -punta 2>/dev/null | grep -i listen | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
elif command -v ss >/dev/null 2>&1; then
print_3title "Active Ports (ss)"
print_3title "Active Ports (ss)" "T1049"
ss -nltpu 2>/dev/null | grep -i listen | sed -${E} "s,127.0.[0-9]+.[0-9]+|:::|::1:|0\.0\.0\.0,${SED_RED},g"
else
# Fallback to parsing /proc/net files
@@ -123,14 +124,14 @@ get_open_ports() {
fi
# Focused local service exposure view
print_3title "Local-only listeners (loopback)"
print_3title "Local-only listeners (loopback)" "T1049"
if command -v ss >/dev/null 2>&1; then
ss -nltpu 2>/dev/null | grep -E "127\.0\.0\.1:|::1:" | sed -${E} "s,127\.0\.0\.1:|::1:,${SED_RED},g"
elif command -v netstat >/dev/null 2>&1; then
netstat -punta 2>/dev/null | grep -i listen | grep -E "127\.0\.0\.1:|::1:" | sed -${E} "s,127\.0\.0\.1:|::1:,${SED_RED},g"
fi
print_3title "Unique listener bind addresses"
print_3title "Unique listener bind addresses" "T1049"
if command -v ss >/dev/null 2>&1; then
ss -nltpuH 2>/dev/null | awk '{
a=$5
@@ -158,13 +159,12 @@ get_open_ports() {
}' | sort -u | sed -${E} "s,127\.0\.0\.1|::1,${SED_RED},g"
fi
print_3title "Potential local forwarders/relays"
print_3title "Potential local forwarders/relays" "T1049"
ps aux 2>/dev/null | grep -E "[s]ocat|[s]sh .*(-L|-R|-D)|[n]cat|[n]c .*-l" | sed -${E} "s,socat|ssh|-L|-R|-D|ncat|nc,${SED_RED_YELLOW},g"
# Additional port information
if [ "$EXTRA_CHECKS" ] || [ "$DEBUG" ]; then
print_3title "Additional Port Information"
print_3title "Additional Port Information" "T1049"
# Check for listening ports in /proc/net/unix
if [ -f "/proc/net/unix" ]; then
echo "Unix Domain Sockets:"

View File

@@ -5,6 +5,7 @@
# Description: MacOS network Capabilities
# License: GNU GPL
# Version: 1.0
# Mitre: T1016
# Functions Used: print_2title, print_3title, warn_exec
# Global Variables: $MACPEAS, $EXTRA_CHECKS
# Initial Functions:
@@ -14,28 +15,27 @@
# Function to get network capabilities information
get_macos_network_capabilities() {
print_2title "Network Capabilities"
print_2title "Network Capabilities" "T1016"
# Basic network information
echo ""
print_3title "Network Interfaces and Configuration"
print_3title "Network Interfaces and Configuration" "T1016"
warn_exec system_profiler SPNetworkDataType
# Network locations
echo ""
print_3title "Network Locations"
print_3title "Network Locations" "T1016"
warn_exec system_profiler SPNetworkLocationDataType
# Network extensions
echo ""
print_3title "Network Extensions"
print_3title "Network Extensions" "T1016"
if [ -d "/Library/SystemExtensions" ]; then
warn_exec systemextensionsctl list
fi
# Network security
echo ""
print_3title "Network Security"
print_3title "Network Security" "T1016"
if command -v networksetup >/dev/null 2>&1; then
echo "Firewall Status:"
warn_exec networksetup -getglobalstate
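Review bot: `warn_exec networksetup -getglobalstate` under the new `"Network Security"` title: `-getglobalstate` is the application firewall's `socketfilterfw` flag (`/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`), not a `networksetup` verb as far as I can tell, so this line would always take `warn_exec`'s failure path and the "Firewall Status:" label would be followed by nothing useful. Worth verifying on a Mac while the section is being touched.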
@@ -54,29 +54,29 @@ get_macos_network_capabilities() {
if [ "$EXTRA_CHECKS" ]; then
# Network preferences
echo ""
print_3title "Network Preferences"
print_3title "Network Preferences" "T1016"
if [ -f "/Library/Preferences/SystemConfiguration/preferences.plist" ]; then
warn_exec plutil -p /Library/Preferences/SystemConfiguration/preferences.plist | grep -A 5 "NetworkServices"
fi
# Network statistics
echo ""
print_3title "Network Statistics"
print_3title "Network Statistics" "T1016"
warn_exec netstat -s
# Network routes
echo ""
print_3title "Network Routes"
print_3title "Network Routes" "T1016"
warn_exec netstat -rn
# Network interfaces details
echo ""
print_3title "Network Interfaces Details"
print_3title "Network Interfaces Details" "T1016"
warn_exec ifconfig -a
# Network kernel extensions
echo ""
print_3title "Network Kernel Extensions"
print_3title "Network Kernel Extensions" "T1016"
warn_exec kextstat | grep -i network
fi

View File

@@ -5,6 +5,7 @@
# Description: Enumerate macos network services
# License: GNU GPL
# Version: 1.0
# Mitre: T1016
# Functions Used: print_2title, print_3title, warn_exec
# Global Variables: $EXTRA_CHECKS, $MACPEAS, $E, $SED_RED
# Initial Functions:
@@ -25,8 +26,7 @@ check_listening_port() {
# Function to get sharing services status
get_sharing_services_status() {
print_2title "MacOS Sharing Services Status"
print_2title "MacOS Sharing Services Status" "T1016"
# Define services and their ports using parallel arrays
services="Screen Sharing File Sharing Remote Login Remote Management Remote Apple Events Back to My Mac AirPlay Receiver AirDrop Bonjour Printer Sharing Internet Sharing"
ports="5900 88,445,548 22 3283 3031 4488 7000 5353 5353 515,631 67,68"
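Review bot: the parallel lists `services=...` and `ports=...` in this hunk cannot be walked in lockstep on whitespace: the service names contain spaces ("Screen Sharing", "Back to My Mac", "Remote Apple Events") while `ports` has eleven space-separated entries. How they are consumed is outside the hunk, but if the loop splits on IFS the names and ports misalign; a different delimiter for `services` (or one combined list) would make the pairing unambiguous.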
@@ -77,8 +77,7 @@ get_sharing_services_status() {
# Function to get VPN information
get_vpn_info() {
print_3title "VPN Information"
print_3title "VPN Information" "T1016"
# Get VPN configurations
warn_exec system_profiler SPNetworkLocationDataType | grep -A 5 -B 7 ": Password" | sed -${E} "s,Password|Authorization Name.*,${SED_RED},g"
@@ -95,8 +94,7 @@ get_vpn_info() {
# Function to get firewall information
get_firewall_info() {
print_3title "Firewall Information"
print_3title "Firewall Information" "T1016"
# Get firewall status
warn_exec system_profiler SPFirewallDataType
@@ -117,8 +115,7 @@ get_firewall_info() {
# Function to get additional network information
get_additional_network_info() {
if [ "$EXTRA_CHECKS" ]; then
print_3title "Additional Network Information"
print_3title "Additional Network Information" "T1016"
# Bluetooth information
echo "Bluetooth Status:"
warn_exec system_profiler SPBluetoothDataType

View File

@@ -5,6 +5,7 @@
# Description: Check network traffic analysis capabilities and tools
# License: GNU GPL
# Version: 1.0
# Mitre: T1040
# Functions Used: print_2title, print_3title, print_info, warn_exec
# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_RED_YELLOW
# Initial Functions:
@@ -52,11 +53,10 @@ check_promiscuous_mode() {
# Main function to check network traffic analysis capabilities
check_network_traffic_analysis() {
print_2title "Network Traffic Analysis Capabilities"
print_2title "Network Traffic Analysis Capabilities" "T1040"
# Check for sniffing tools
echo ""
print_3title "Available Sniffing Tools"
print_3title "Available Sniffing Tools" "T1040"
tools_found=0
if check_command tcpdump; then
@@ -116,7 +116,7 @@ check_network_traffic_analysis() {
# Check network interfaces
echo ""
print_3title "Network Interfaces Sniffing Capabilities"
print_3title "Network Interfaces Sniffing Capabilities" "T1040"
interfaces_found=0
# Get list of network interfaces
@@ -161,7 +161,7 @@ check_network_traffic_analysis() {
# Check for sensitive traffic patterns if we have sniffing capabilities
if [ $tools_found -eq 1 ] && [ $interfaces_found -eq 1 ]; then
echo ""
print_3title "Sensitive Traffic Detection"
print_3title "Sensitive Traffic Detection" "T1040"
print_info "Checking for common sensitive traffic patterns..."
# List of sensitive traffic patterns to check
@@ -193,14 +193,13 @@ check_network_traffic_analysis() {
fi
echo ""
print_3title "Running sniffing/traffic reconstruction processes"
print_3title "Running sniffing/traffic reconstruction processes" "T1040"
ps aux 2>/dev/null | grep -E "[t]cpdump|[d]umpcap|[t]shark|[w]ireshark|[n]grep|[t]cpflow" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
# Additional information
if [ "$EXTRA_CHECKS" ]; then
echo ""
print_3title "Additional Network Analysis Information"
print_3title "Additional Network Analysis Information" "T1040"
# Check for network monitoring tools
echo "Checking for network monitoring tools..."
for tool in nethogs iftop iotop nload bmon; do

View File

@@ -5,6 +5,7 @@
# Description: Analyze firewall rules and configurations
# License: GNU GPL
# Version: 1.0
# Mitre: T1016
# Functions Used: print_2title, print_3title, warn_exec, echo_not_found
# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW, $SED_RED_YELLOW
# Initial Functions:
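Review bot: `# Mitre: T1016` for firewall rule enumeration is loose; ATT&CK places firewall discovery under T1518.001 (Software Discovery: Security Software Discovery), which explicitly lists firewalls, so that ID is the better match for the iptables/nftables/firewalld/ufw sections, with T1016 fitting only the `"Forwarding and rp_filter"` sysctl section.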
@@ -26,8 +27,7 @@ check_command() {
# Function to analyze iptables rules
analyze_iptables() {
echo ""
print_3title "Iptables Rules"
print_3title "Iptables Rules" "T1016"
# Check if iptables is available
if ! check_command iptables; then
echo_not_found "iptables"
@@ -70,8 +70,7 @@ analyze_iptables() {
# Function to analyze nftables rules
analyze_nftables() {
echo ""
print_3title "Nftables Rules"
print_3title "Nftables Rules" "T1016"
# Check if nft is available
if ! check_command nft; then
echo_not_found "nftables"
@@ -107,8 +106,7 @@ analyze_nftables() {
# Function to analyze firewalld rules
analyze_firewalld() {
echo ""
print_3title "Firewalld Rules"
print_3title "Firewalld Rules" "T1016"
# Check if firewall-cmd is available
if ! check_command firewall-cmd; then
echo_not_found "firewalld"
@@ -148,8 +146,7 @@ analyze_firewalld() {
# Function to analyze UFW rules
analyze_ufw() {
echo ""
print_3title "UFW Rules"
print_3title "UFW Rules" "T1016"
# Check if ufw is available
if ! check_command ufw; then
echo_not_found "ufw"
@@ -176,8 +173,7 @@ analyze_ufw() {
# Main function to analyze firewall rules
analyze_firewall_rules() {
print_2title "Firewall Rules Analysis"
print_2title "Firewall Rules Analysis" "T1016"
# Analyze different firewall systems
analyze_iptables
analyze_nftables
@@ -185,7 +181,7 @@ analyze_firewall_rules() {
analyze_ufw
echo ""
print_3title "Forwarding and rp_filter"
print_3title "Forwarding and rp_filter" "T1016"
for sysctl_var in net.ipv4.ip_forward net.ipv6.conf.all.forwarding net.ipv4.conf.all.rp_filter; do
sysctl "$sysctl_var" 2>/dev/null | sed -${E} "s,=[[:space:]]*1,${SED_RED_YELLOW},g"
done
@@ -198,8 +194,7 @@ analyze_firewall_rules() {
# Additional checks if EXTRA_CHECKS is enabled
if [ "$EXTRA_CHECKS" ]; then
echo ""
print_3title "Additional Firewall Information"
print_3title "Additional Firewall Information" "T1016"
# Check for common firewall configuration files
echo "Checking for firewall configuration files..."
for config_file in /etc/sysconfig/iptables /etc/sysconfig/ip6tables /etc/iptables/rules.v4 /etc/iptables/rules.v6 /etc/nftables.conf /etc/ufw/user.rules /etc/ufw/user6.rules; do

View File

@@ -5,6 +5,7 @@
# Description: Analyze inetd and xinetd services and configurations
# License: GNU GPL
# Version: 1.0
# Mitre: T1049
# Functions Used: print_2title, print_3title, warn_exec, echo_not_found
# Global Variables: $EXTRA_CHECKS, $E, $SED_RED, $SED_GREEN, $SED_YELLOW
# Initial Functions:
@@ -26,8 +27,7 @@ check_command() {
# Function to analyze inetd services
analyze_inetd() {
echo ""
print_3title "Inetd Services"
print_3title "Inetd Services" "T1049"
# Check if inetd is installed
if ! check_command inetd; then
echo_not_found "inetd"
@@ -67,8 +67,7 @@ analyze_inetd() {
# Function to analyze xinetd services
analyze_xinetd() {
echo ""
print_3title "Xinetd Services"
print_3title "Xinetd Services" "T1049"
# Check if xinetd is installed
if ! check_command xinetd; then
echo_not_found "xinetd"
@@ -129,8 +128,7 @@ analyze_xinetd() {
# Function to check for running inetd/xinetd services
check_running_services() {
echo ""
print_3title "Running Inetd/Xinetd Services"
print_3title "Running Inetd/Xinetd Services" "T1049"
# Check netstat for services
if check_command netstat; then
echo "Active Services (from netstat):"
@@ -152,8 +150,7 @@ check_running_services() {
# Main function to analyze inetd/xinetd services
analyze_inetd_services() {
print_2title "Inetd/Xinetd Services Analysis"
print_2title "Inetd/Xinetd Services Analysis" "T1049"
# Analyze inetd and xinetd services
analyze_inetd
analyze_xinetd
@@ -164,8 +161,7 @@ analyze_inetd_services() {
# Additional checks if EXTRA_CHECKS is enabled
if [ "$EXTRA_CHECKS" ]; then
echo ""
print_3title "Additional Inetd/Xinetd Information"
print_3title "Additional Inetd/Xinetd Information" "T1049"
# Check for inetd/xinetd logs
echo "Checking for service logs..."
for log_file in /var/log/inetd.log /var/log/xinetd.log /var/log/messages /var/log/syslog; do

View File

@@ -5,6 +5,7 @@
# Description: Check Pkexec policy and related files for privilege escalation
# License: GNU GPL
# Version: 1.0
# Mitre: T1548.003,T1548.004,T1068
# Functions Used: print_2title, print_info
# Global Variables: $Groups, $groupsB, $groupsVB, $nosh_usrs, $sh_usrs, $USER
# Initial Functions:
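Review bot: `# Mitre: T1548.003,T1548.004,T1068`: T1548.003 is Sudo and Sudo Caching and T1548.004 is Elevated Execution with Prompt, a macOS-only technique (AuthorizationExecuteWithPrivileges); neither describes polkit/pkexec on Linux. T1068 fits the pkexec exploitation angle, and for the policy and agent enumeration the parent T1548 (Abuse Elevation Control Mechanism) is the honest mapping unless a polkit-specific sub-technique is intended.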
@@ -13,11 +14,11 @@
# Small linpeas: 1
print_2title "Checking Pkexec and Polkit"
print_2title "Checking Pkexec and Polkit" "T1548.003,T1548.004,T1068"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---method-2"
echo ""
print_3title "Polkit Binary"
print_3title "Polkit Binary" "T1548.003,T1068"
# Check pkexec binary
pkexec_bin=$(command -v pkexec 2>/dev/null)
if [ -n "$pkexec_bin" ]; then
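Review bot: the subtitles in this module carry different subsets of the header list (`"Polkit Binary" "T1548.003,T1068"` here, `"Polkit Policies" "T1548.003"` and `"Polkit Authentication Agent" "T1548.004"` in the following hunks) while the `print_2title` carries all three; nothing in the module states whether the second argument affects check selection or is only a label, so document the semantics in the module header or the builder docs before per-title IDs start diverging from the `# Mitre:` field.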
@@ -39,7 +40,7 @@ fi
# Check polkit policies
echo ""
print_3title "Polkit Policies"
print_3title "Polkit Policies" "T1548.003"
for policy_dir in "/etc/polkit-1/localauthority.conf.d/" "/etc/polkit-1/rules.d/" "/usr/share/polkit-1/rules.d/"; do
if [ -d "$policy_dir" ]; then
echo "Checking $policy_dir:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
@@ -59,6 +60,6 @@ done
# Check for polkit authentication agent
echo ""
print_3title "Polkit Authentication Agent"
print_3title "Polkit Authentication Agent" "T1548.004"
ps aux 2>/dev/null | grep -i "polkit" | grep -v "grep"
echo ""

View File

@@ -5,6 +5,7 @@
# Description: Check for superusers and users with UID 0
# License: GNU GPL
# Version: 1.0
# Mitre: T1087.001
# Functions Used: print_2title, print_info
# Global Variables: $knw_usrs, $nosh_usrs, $sh_usrs, $USER
# Initial Functions:
@@ -13,12 +14,12 @@
# Small linpeas: 1
print_2title "Superusers and UID 0 Users"
print_2title "Superusers and UID 0 Users" "T1087.001"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html"
# Check /etc/passwd for UID 0 users
echo ""
print_3title "Users with UID 0 in /etc/passwd"
print_3title "Users with UID 0 in /etc/passwd" "T1087.001"
awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_RED_YELLOW},g" | sed "s,root,${SED_RED},g"
if [ command -v getent >/dev/null 2>&1 ]; then
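Review bot: `if [ command -v getent >/dev/null 2>&1 ]; then` at the end of this hunk wraps a command in test brackets: `[` receives the words `command -v getent` as operands and fails (the error message is swallowed by the redirection), so the getent branch never runs. It should be `if command -v getent >/dev/null 2>&1; then`. Pre-existing, but it sits in this hunk's context and is a one-line fix.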
@@ -32,6 +33,6 @@ fi
# Check for users with sudo privileges in sudoers
echo ""
print_3title "Users with sudo privileges in sudoers"
print_3title "Users with sudo privileges in sudoers" "T1087.001"
grep -v "^#" /etc/sudoers 2>/dev/null | grep -v "^$" | grep -v "^Defaults" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_RED_YELLOW},g" | sed "s,root,${SED_RED},g"
echo ""

View File

@@ -5,6 +5,7 @@
# Description: Users with console
# License: GNU GPL
# Version: 1.0
# Mitre: T1087.001
# Functions Used: print_2title
# Global Variables: $MACPEAS, $sh_usrs, $TIMEOUT, $USER
# Initial Functions:
@@ -13,7 +14,7 @@
# Small linpeas: 1
print_2title "Users with console"
print_2title "Users with console" "T1087.001"
if [ "$MACPEAS" ]; then
dscl . list /Users | while read un; do
ushell=$(dscl . -read "/Users/$un" UserShell | cut -d " " -f2)

View File

@@ -5,6 +5,7 @@
# Description: Get all users & groups
# License: GNU GPL
# Version: 1.0
# Mitre: T1087.001,T1069.001
# Functions Used: print_2title
# Global Variables: $groupsB, $groupsVB, $knw_grps, $knw_usrs, $MACPEAS, $nosh_usrs, $sh_usrs, $USER
# Initial Functions:
@@ -13,7 +14,7 @@
# Small linpeas: 1
print_2title "All users & groups"
print_2title "All users & groups" "T1087.001,T1069.001"
if [ "$MACPEAS" ]; then
dscl . list /Users | while read i; do id $i;done 2>/dev/null | sort | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g"
else

View File

@@ -5,6 +5,7 @@
# Description: Check currently logged in users and their sessions
# License: GNU GPL
# Version: 1.0
# Mitre: T1033
# Functions Used: print_2title
# Global Variables: $knw_usrs, $nosh_usrs, $sh_usrs, $USER
# Initial Functions:
@@ -13,44 +14,43 @@
# Small linpeas: 1
print_2title "Currently Logged in Users"
print_2title "Currently Logged in Users" "T1033"
# Check basic user information
echo ""
print_3title "Basic user information"
print_3title "Basic user information" "T1033"
(w || who || finger || users) 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
# Check for active sessions
echo ""
print_3title "Active sessions"
print_3title "Active sessions" "T1033"
if command -v w >/dev/null 2>&1; then
w 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
fi
# Check for logged in users via utmp
echo ""
print_3title "Logged in users (utmp)"
print_3title "Logged in users (utmp)" "T1033"
if [ -f "/var/run/utmp" ]; then
who -a 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
fi
# Check for SSH sessions
echo ""
print_3title "SSH sessions"
print_3title "SSH sessions" "T1033"
if command -v ss >/dev/null 2>&1; then
ss -tnp | grep ":22" 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
fi
# Check for screen sessions
echo ""
print_3title "Screen sessions"
print_3title "Screen sessions" "T1033"
if command -v screen >/dev/null 2>&1; then
screen -ls 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
fi
# Check for tmux sessions
echo ""
print_3title "Tmux sessions"
print_3title "Tmux sessions" "T1033"
if command -v tmux >/dev/null 2>&1; then
tmux list-sessions 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
fi
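Review bot: in the SSH sessions context lines, `ss -tnp | grep ":22" 2>/dev/null` redirects grep's stderr rather than ss's, so the permission warnings that `ss -p` prints for other users' sockets still land in the output, and `":22"` also matches ports such as 2222; `ss -tnp 2>/dev/null | grep -E ":22 "` fixes both.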

View File

@@ -5,6 +5,7 @@
# Description: Check last logons and login history
# License: GNU GPL
# Version: 1.0
# Mitre: T1033
# Functions Used: print_2title
# Global Variables: $knw_usrs, $nosh_usrs, $sh_usrs, $USER
# Initial Functions:
@@ -12,25 +13,24 @@
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Last Logons and Login History"
print_2title "Last Logons and Login History" "T1033"
# Check last logins
echo ""
print_3title "Last logins"
print_3title "Last logins" "T1033"
if command -v last >/dev/null 2>&1; then
last -n 20 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
fi
# Check failed login attempts
echo ""
print_3title "Failed login attempts"
print_3title "Failed login attempts" "T1033"
if command -v lastb >/dev/null 2>&1; then
lastb -n 20 2>/dev/null | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
fi
# Check auth logs for recent logins
echo ""
print_3title "Recent logins from auth.log (limit 20)"
print_3title "Recent logins from auth.log (limit 20)" "T1033"
if [ -f "/var/log/auth.log" ]; then
grep -i "login\|authentication\|accepted" /var/log/auth.log 2>/dev/null | tail -n 20 | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed "s,root,${SED_RED},g"
fi
@@ -38,7 +38,7 @@ fi
# Last time logon each user
echo ""
if command -v lastlog >/dev/null 2>&1; then
print_3title "Last time logon each user"
print_3title "Last time logon each user" "T1033"
lastlog 2>/dev/null | grep -v "Never" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed "s,root,${SED_RED},"
fi

View File

@@ -5,6 +5,7 @@
# Description: Get assword policy
# License: GNU GPL
# Version: 1.0
# Mitre: T1201
# Functions Used: echo_not_found, print_2title
# Global Variables: $EXTRA_CHECKS, $MACPEAS
# Initial Functions:
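Review bot: the `# Description: Get assword policy` context line has a typo (`assword` for `password`); since this header block is what linpeasModule.py parses, fix it in the same commit that adds the `# Mitre:` field.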
@@ -14,16 +15,16 @@
if [ "$EXTRA_CHECKS" ]; then
print_2title "Password policy"
print_2title "Password policy" "T1201"
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null || echo_not_found "/etc/login.defs"
echo ""
if [ "$MACPEAS" ]; then
print_2title "Relevant last user info and user configs"
print_2title "Relevant last user info and user configs" "T1201"
defaults read /Library/Preferences/com.apple.loginwindow.plist 2>/dev/null
echo ""
print_2title "Guest user status"
print_2title "Guest user status" "T1201"
sysadminctl -afpGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
sysadminctl -guestAccount status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
sysadminctl -smbGuestAccess status | sed -${E} "s,enabled,${SED_RED}," | sed -${E} "s,disabled,${SED_GREEN},"
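Review bot: `print_2title "Guest user status" "T1201"` and the loginwindow `Relevant last user info and user configs` title inherit T1201 (Password Policy Discovery) only because they live in the same file; guest-account enablement and loginwindow defaults are account discovery (T1087.001, already used in this patch), so either tag those two titles separately or widen the `# Mitre:` header to `T1201,T1087.001` so a `-T T1087` run finds them.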

View File

@@ -5,6 +5,7 @@
# Description: Brute su
# License: GNU GPL
# Version: 1.0
# Mitre: T1110.001
# Functions Used: check_if_su_brute, print_2title, su_brute_user_num
# Global Variables: $IAMROOT, $PASSTRY, $TIMEOUT
# Initial Functions:

View File

@@ -5,6 +5,7 @@
# Description: Get current user Login and Logout hooks
# License: GNU GPL
# Version: 1.0
# Mitre: T1033,T1543.001
# Functions Used: print_2title
# Global Variables: $HOME, $MACPEAS
# Initial Functions:
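Review bot: T1543.001 is Launch Agent, but macOS Login/Logout hooks have their own sub-technique, T1037.002 (Boot or Logon Initialization Scripts: Login Hook), so `# Mitre: T1033,T1543.001` and the matching `print_2title` tag in the next hunk should use T1037.002 instead.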
@@ -14,7 +15,7 @@
if [ "$MACPEAS" ];then
print_2title "Current user Login and Logout hooks"
print_2title "Current user Login and Logout hooks" "T1033,T1543.001"
defaults read $HOME/Library/Preferences/com.apple.loginwindow.plist 2>/dev/null | grep -e "Hook"
echo ""
fi

View File

@@ -5,6 +5,7 @@
# Description: My User
# License: GNU GPL
# Version: 1.0
# Mitre: T1033
# Functions Used: print_2title, print_info
# Global Variables: $groupsB, $groupsVB, $idB, $knw_grps , $knw_usrs, $nosh_usrs,$sh_usrs, $USER
# Initial Functions:
@@ -13,7 +14,7 @@
# Small linpeas: 1
print_2title "My user"
print_2title "My user" "T1033"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#users"
(id || (whoami && groups)) 2>/dev/null | sed -${E} "s,$groupsB,${SED_RED},g" | sed -${E} "s,$groupsVB,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN},g" | sed "s,$USER,${SED_LIGHT_MAGENTA},g" | sed -${E} "s,$nosh_usrs,${SED_BLUE},g" | sed -${E} "s,$knw_usrs,${SED_GREEN},g" | sed "s,root,${SED_RED}," | sed -${E} "s,$knw_grps,${SED_GREEN},g" | sed -${E} "s,$idB,${SED_RED},g"
echo ""

View File

@@ -5,6 +5,7 @@
# Description: Enumerate all users login and logout hooks
# License: GNU GPL
# Version: 1.0
# Mitre: T1543.001
# Functions Used: print_2title
# Global Variables: $MACPEAS
# Initial Functions:
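Review bot: same mapping issue as the per-user hook module: `# Mitre: T1543.001` (Launch Agent) should be T1037.002 (Login Hook), here and in the `print_2title "All Login and Logout hooks"` call below, so both hook checks are selected by the same `-T` value.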
@@ -14,7 +15,7 @@
if [ "$MACPEAS" ];then
print_2title "All Login and Logout hooks"
print_2title "All Login and Logout hooks" "T1543.001"
for user_home in /Users/*/ /private/var/root/; do
if [ -f "${user_home}Library/Preferences/com.apple.loginwindow.plist" ]; then
echo "User: $(basename "$user_home")" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"

View File

@@ -5,6 +5,7 @@
# Description: Get macOS keychains information
# License: GNU GPL
# Version: 1.0
# Mitre: T1555.001
# Functions Used: print_2title, print_info
# Global Variables: $MACPEAS
# Initial Functions:
@@ -14,7 +15,7 @@
if [ "$MACPEAS" ];then
print_2title "Keychains"
print_2title "Keychains" "T1555.001"
print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#chainbreaker"
echo "System Keychains:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
security list-keychains 2>/dev/null | sed -${E} "s,.*,${SED_RED},g"

View File

@@ -5,6 +5,7 @@
# Description: Get macOS SystemKey information (used for FileVault encryption)
# License: GNU GPL
# Version: 1.0
# Mitre: T1555.001
# Functions Used: print_2title
# Global Variables: $MACPEAS
# Initial Functions:
@@ -14,7 +15,7 @@
if [ "$MACPEAS" ];then
print_2title "SystemKey"
print_2title "SystemKey" "T1555.001"
echo "The SystemKey is used by FileVault to encrypt/decrypt the volume. If you can read it, you might be able to decrypt the disk."
echo -e "\nSystemKey file permissions:" | sed -${E} "s,.*,${SED_LIGHT_CYAN},g"
ls -l /var/db/SystemKey 2>/dev/null | sed -${E} "s,.*,${SED_RED_YELLOW},g"

View File

@@ -5,6 +5,7 @@
# Description: Check for PGP keys and related files that might contain sensitive information
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.004
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables: $HOME
# Initial Functions:
@@ -13,7 +14,7 @@
# Small linpeas: 1
print_2title "PGP Keys and Related Files"
print_2title "PGP Keys and Related Files" "T1552.004"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#pgp-keys"
# Check for GPG

View File

@@ -5,6 +5,7 @@
# Description: Check clipboard and highlighted text for sensitive information
# License: GNU GPL
# Version: 1.0
# Mitre: T1115
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables: $DEBUG, $pwd_inside_history
# Initial Functions:
@@ -14,7 +15,7 @@
if [ "$(command -v xclip 2>/dev/null || echo -n '')" ] || [ "$(command -v xsel 2>/dev/null || echo -n '')" ] || [ "$(command -v pbpaste 2>/dev/null || echo -n '')" ] || [ "$(command -v wl-paste 2>/dev/null || echo -n '')" ] || [ "$DEBUG" ]; then
print_2title "Clipboard and Highlighted Text"
print_2title "Clipboard and Highlighted Text" "T1115"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#clipboard"
# Function to check clipboard content

View File

@@ -5,6 +5,7 @@
# Description: Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
# License: GNU GPL
# Version: 1.0
# Mitre: T1548.003
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables:$IAMROOT, $PASSWORD, $sudoB, $sudoG, $sudoVB1, $sudoVB2
# Initial Functions:
@@ -13,7 +14,7 @@
# Small linpeas: 1
print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d"
print_2title "Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d" "T1548.003"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid"
(echo '' | timeout 1 sudo -S -l | sed "s,_proxy,${SED_RED},g" | sed "s,$sudoG,${SED_GREEN},g" | sed -${E} "s,$sudoVB1,${SED_RED_YELLOW}," | sed -${E} "s,$sudoVB2,${SED_RED_YELLOW}," | sed -${E} "s,$sudoB,${SED_RED},g" | sed "s,\!root,${SED_RED},") 2>/dev/null || echo_not_found "sudo"
if [ "$PASSWORD" ]; then

View File

@@ -5,6 +5,7 @@
# Description: Checking Sudo tokens
# License: GNU GPL
# Version: 1.0
# Mitre: T1548.003
# Functions Used: print_2title, print_info
# Global Variables: $HOME, $CURRENT_USER_PIVOT_PID
# Initial Functions: get_current_user_privot_pid
@@ -13,7 +14,7 @@
# Small linpeas: 1
print_2title "Checking sudo tokens"
print_2title "Checking sudo tokens" "T1548.003"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens"
ptrace_scope="$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null)"
if [ "$ptrace_scope" ] && [ "$ptrace_scope" -eq 0 ]; then

View File

@@ -5,6 +5,7 @@
# Description: Check doas configuration and permissions for privilege escalation
# License: GNU GPL
# Version: 1.0
# Mitre: T1548.003
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables: $DEBUG, $nosh_usrs, $sh_usrs, $USER
# Initial Functions:
@@ -14,7 +15,7 @@
if [ -f "/etc/doas.conf" ] || [ -f "/usr/local/etc/doas.conf" ] || [ "$DEBUG" ]; then
print_2title "Doas Configuration"
print_2title "Doas Configuration" "T1548.003"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#doas"
# Find doas binary and its config locations

View File

@@ -5,6 +5,7 @@
# Description: Useful Software
# License: GNU GPL
# Version: 1.0
# Mitre: T1082
# Functions Used: print_2title
# Global Variables: $SEARCH_IN_FOLDER, $USEFUL_SOFTWARE
# Initial Functions:
@@ -14,7 +15,7 @@
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Useful software"
print_2title "Useful software" "T1082"
for t in $USEFUL_SOFTWARE; do command -v "$t" || echo -n ''; done
echo ""
fi
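Review bot: enumerating which binaries from $USEFUL_SOFTWARE are present is Software Discovery (T1518), not System Information Discovery (T1082); use `T1518` (or `T1082,T1518`) in both the header and the `print_2title "Useful software"` call so a `-T T1518` run selects this check.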

View File

@@ -5,6 +5,7 @@
# Description: Search for compilers
# License: GNU GPL
# Version: 1.0
# Mitre: T1587.001
# Functions Used: print_2title
# Global Variables: $SEARCH_IN_FOLDER
# Initial Functions:
@@ -14,18 +15,18 @@
if ! [ "$SEARCH_IN_FOLDER" ]; then
print_2title "Installed Compilers"
print_2title "Installed Compilers" "T1587.001"
(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/");
echo ""
if [ "$(command -v pkg 2>/dev/null || echo -n '')" ]; then
print_2title "Vulnerable Packages"
print_2title "Vulnerable Packages" "T1587.001"
pkg audit -F | sed -${E} "s,vulnerable,${SED_RED},g"
echo ""
fi
if [ "$(command -v brew 2>/dev/null || echo -n '')" ]; then
print_2title "Brew Installed Packages"
print_2title "Brew Installed Packages" "T1587.001"
brew list
echo ""
fi
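Review bot: T1587.001 (Develop Capabilities: Malware) is a Resource Development technique performed in the adversary's own infrastructure, so it does not describe enumerating compilers, `pkg audit` findings or brew packages on the target; the `# Mitre:` header and all three `print_2title` tags in this hunk belong under Software Discovery (T1518). Note also that the three unrelated titles share one tag only because the header is per file; if per-check granularity matters, split the module.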

View File

@@ -5,6 +5,7 @@
# Description: Writable Installed Applications
# License: GNU GPL
# Version: 1.0
# Mitre: T1574
# Functions Used: print_2title
# Global Variables: $MACPEAS
# Initial Functions:
@@ -14,7 +15,7 @@
if [ "$MACPEAS" ]; then
print_2title "Writable Installed Applications"
print_2title "Writable Installed Applications" "T1574"
system_profiler SPApplicationsDataType | grep "Location:" | cut -d ":" -f 2 | cut -c2- | while read f; do
if [ -w "$f" ]; then
echo "$f is writable" | sed -${E} "s,.*,${SED_RED},g"

View File

@@ -5,6 +5,7 @@
# Description: Apache-Nginx
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.001
# Functions Used: print_3title, warn_exec
# Global Variables: $NGINX_KNOWN_MODULES
# Initial Functions:

View File

@@ -5,6 +5,7 @@
# Description: Check aws-vault
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.005
# Functions Used: print_2title
# Global Variables: $DEBUG
# Initial Functions:
@@ -15,6 +16,6 @@
AWSVAULT="$(command -v aws-vault 2>/dev/null || echo -n '')"
if [ "$AWSVAULT" ] || [ "$DEBUG" ]; then
print_2title "Check aws-vault"
print_2title "Check aws-vault" "T1552.005"
aws-vault list
fi
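Review bot: T1552.005 is Cloud Instance Metadata API; aws-vault keeps profile credentials in the OS keyring or an encrypted file on the host, so `print_2title "Check aws-vault" "T1552.005"` and the header should use T1555 (Credentials from Password Stores) or T1552.001, leaving the `-T T1552.005` filter to the metadata-endpoint checks.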

View File

@@ -5,6 +5,7 @@
# Description: List browser profiles that may store credentials/cookies
# License: GNU GPL
# Version: 1.0
# Mitre: T1539,T1217
# Functions Used: print_2title, print_3title, print_info
# Global Variables: $HOMESEARCH, $SED_RED
# Initial Functions:
@@ -12,7 +13,7 @@
# Fat linpeas: 0
# Small linpeas: 1
print_2title "Browser Profiles"
print_2title "Browser Profiles" "T1539,T1217"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#browser-data"
echo ""
@@ -22,7 +23,7 @@ for h in $HOMESEARCH; do
firefox_ini="$h/.mozilla/firefox/profiles.ini"
if [ -f "$firefox_ini" ]; then
print_3title "Firefox profiles ($h)"
print_3title "Firefox profiles ($h)" "T1539,T1217"
awk -F= '
/^\[Profile/ { in_profile=1 }
/^Path=/ { path=$2 }
@@ -54,7 +55,7 @@ for h in $HOMESEARCH; do
if [ -d "$chrome_base" ]; then
profiles=$(find "$chrome_base" -maxdepth 1 -type d \( -name "Default" -o -name "Profile *" \) 2>/dev/null)
if [ "$profiles" ]; then
print_3title "Chromium profiles ($chrome_base)"
print_3title "Chromium profiles ($chrome_base)" "T1539,T1217"
printf "%s\n" "$profiles" | sed -${E} "s,.*,${SED_RED},"
echo ""
fi

View File

@@ -5,6 +5,7 @@
# Description: Cached AD Hashes
# License: GNU GPL
# Version: 1.0
# Mitre: T1003.003
# Functions Used: print_2title
# Global Variables: $DEBUG
# Initial Functions:
@@ -15,7 +16,7 @@
adhashes=$(ls "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null)
if [ "$adhashes" ] || [ "$DEBUG" ]; then
print_2title "Searching AD cached hashes"
print_2title "Searching AD cached hashes" "T1003.003"
ls -l "/var/lib/samba/private/secrets.tdb" "/var/lib/samba/passdb.tdb" "/var/opt/quest/vas/authcache/vas_auth.vdb" "/var/lib/sss/db/cache_*" 2>/dev/null
echo ""
fi
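Review bot: T1003.003 is NTDS (dumping the domain controller database); secrets.tdb, passdb.tdb, the VAS authcache and sssd's cache_* databases are locally cached domain credentials, which is T1003.005 (Cached Domain Credentials), so both the header and `print_2title "Searching AD cached hashes" "T1003.003"` should change. Separately, the context lines quote `"/var/lib/sss/db/cache_*"`, which prevents the glob from expanding, so the sssd cache is never matched; unquote that path (or use find) while here.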

View File

@@ -5,6 +5,7 @@
# Description: containerd installed
# License: GNU GPL
# Version: 1.0
# Mitre: T1613
# Functions Used: print_2title, print_info
# Global Variables: $DEBUG, $SEARCH_IN_FOLDER
# Initial Functions:
@@ -16,7 +17,7 @@
if ! [ "$SEARCH_IN_FOLDER" ]; then
containerd=$(command -v ctr || echo -n '')
if [ "$containerd" ] || [ "$DEBUG" ]; then
print_2title "Checking if containerd(ctr) is available"
print_2title "Checking if containerd(ctr) is available" "T1613"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#containerd-ctr-privilege-escalation"
if [ "$containerd" ]; then
echo "ctr was found in $containerd, you may be able to escalate privileges with it" | sed -${E} "s,.*,${SED_RED},"

View File

@@ -5,6 +5,7 @@
# Description: Docker
# License: GNU GPL
# Version: 1.0
# Mitre: T1613
# Functions Used: print_2title, print_info
# Global Variables: $DEBUG, $IAMROOT
# Initial Functions:
@@ -14,7 +15,7 @@
if [ "$PSTORAGE_DOCKER" ] || [ "$DEBUG" ]; then
print_2title "Searching docker files (limit 70)"
print_2title "Searching docker files (limit 70)" "T1613"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/index.html#docker-breakout--privilege-escalation"
printf "%s\n" "$PSTORAGE_DOCKER" | head -n 70 | while read f; do
ls -l "$f" 2>/dev/null

View File

@@ -5,6 +5,7 @@
# Description: Dovecot
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.001
# Functions Used: echo_not_found, print_2title
# Global Variables: $DEBUG
# Initial Functions:
@@ -16,7 +17,7 @@
# Needs testing
dovecotpass=$(grep -r "PLAIN" /etc/dovecot 2>/dev/null)
if [ "$dovecotpass" ] || [ "$DEBUG" ]; then
print_2title "Searching dovecot files"
print_2title "Searching dovecot files" "T1552.001"
if [ -z "$dovecotpass" ]; then
echo_not_found "dovecot credentials"
else

View File

@@ -5,6 +5,7 @@
# Description: Add all the extra software checks from build_lists/sensitive_files.yaml that doesn't have linpeas disabled
# License: GNU GPL
# Version: 1.0
# Mitre: T1082
# Functions Used: print_3title, warn_exec
# Global Variables: $NGINX_KNOWN_MODULES
# Initial Functions:

View File

@@ -5,6 +5,7 @@
# Description: FreeIPA
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.001
# Functions Used: print_info
# Global Variables:
# Initial Functions:

View File

@@ -5,6 +5,7 @@
# Description: Searching GitLab related files
# License: GNU GPL
# Version: 1.0
# Mitre: T1552.001
# Functions Used: print_2title
# Global Variables: $DEBUG
# Initial Functions:
@@ -14,7 +15,7 @@
if [ "$(command -v gitlab-rails || echo -n '')" ] || [ "$(command -v gitlab-backup || echo -n '')" ] || [ "$PSTORAGE_GITLAB" ] || [ "$DEBUG" ]; then
print_2title "Searching GitLab related files"
print_2title "Searching GitLab related files" "T1552.001"
#Check gitlab-rails
if [ "$(command -v gitlab-rails || echo -n '')" ]; then
echo "gitlab-rails was found. Trying to dump users..."

View File

@@ -5,6 +5,7 @@
# Description: Analyzing kcpassword files
# License: GNU GPL
# Version: 1.0
# Mitre: T1555.001
# Functions Used: print_2title, print_info
# Global Variables: $DEBUG
# Initial Functions:
@@ -14,7 +15,7 @@
if [ "$PSTORAGE_KCPASSWORD" ] || [ "$DEBUG" ]; then
print_2title "Analyzing kcpassword files"
print_2title "Analyzing kcpassword files" "T1555.001"
print_info "https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#kcpassword"
printf "%s\n" "$PSTORAGE_KCPASSWORD" | while read f; do
echo "$f" | sed -${E} "s,.*,${SED_RED},"
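Review bot: kcpassword is the XOR-obfuscated auto-login password stored in a plain file, not a Keychain item, so T1555.001 (Credentials from Password Stores: Keychain) is the wrong sub-technique for `print_2title "Analyzing kcpassword files" "T1555.001"` and the header; T1552.001 (Credentials In Files), which this patch already uses for dovecot and GitLab, fits.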

View File

@@ -5,6 +5,7 @@
# Description: Kerberos
# License: GNU GPL
# Version: 1.0
# Mitre: T1558.003
# Functions Used: echo_not_found, print_2title, print_info
# Global Variables: $DEBUG, $ITALIC
# Initial Functions:
@@ -17,7 +18,7 @@ kadmin_exists="$(command -v kadmin || echo -n '')"
klist_exists="$(command -v klist || echo -n '')"
kinit_exists="$(command -v kinit || echo -n '')"
if [ "$kadmin_exists" ] || [ "$klist_exists" ] || [ "$kinit_exists" ] || [ "$PSTORAGE_KERBEROS" ] || [ "$DEBUG" ]; then
print_2title "Searching kerberos conf files and tickets"
print_2title "Searching kerberos conf files and tickets" "T1558.003"
print_info "https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/linux-active-directory.html#linux-active-directory"
if [ "$kadmin_exists" ]; then echo "kadmin was found on $kadmin_exists" | sed "s,$kadmin_exists,${SED_RED},"; fi
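Review bot: T1558.003 is Kerberoasting (requesting service tickets and cracking them offline), which is not what this check does; it locates krb5 configuration, keytabs and credential caches on the host, which sits under the parent T1558 (Steal or Forge Kerberos Tickets), with T1550.003 (Pass the Ticket) as the downstream use. Tagging the parent also keeps the `-T T1558` prefix filter working for any sub-technique tags added later.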

View File

@@ -5,6 +5,7 @@
# Description: Searching Log4Shell vulnerable libraries
# License: GNU GPL
# Version: 1.0
# Mitre: T1190
# Functions Used: print_2title
# Global Variables: $DEBUG
# Initial Functions:
@@ -14,7 +15,7 @@
if [ "$PSTORAGE_LOG4SHELL" ] || [ "$DEBUG" ]; then
print_2title "Searching Log4Shell vulnerable libraries"
print_2title "Searching Log4Shell vulnerable libraries" "T1190"
printf "%s\n" "$PSTORAGE_LOG4SHELL" | while read f; do
echo "$f" | grep -E "log4j\-core\-(1\.[^0]|2\.[0-9][^0-9]|2\.1[0-6])" | sed -${E} "s,log4j\-core\-(1\.[^0]|2\.[0-9][^0-9]|2\.1[0-6]),${SED_RED},";
done

Some files were not shown because too many files have changed in this diff.