Problem: T1574.006 /etc/ld.so.preload not deleted and sudo messed up

[iosonogio]

What did you do?

Invoke-AtomicTest T1574.006 -TestNumber 1
Invoke-AtomicTest T1574.006 -TestNumber 1 -Cleanup

What did you expect to happen?

The file /etc/ld.so.preload should be deleted.

What happened instead?

The file /etc/ld.so.preload is not deleted, and I get this message from sudo: "sudo: account validation failure, is your account locked?" The fact that sudo fails, has a nasty side effect as the user cannot logon anymore nor "sudo" anymore.
It seems that sudo is messed up by the library being preloaded (my educated guess).

The problem disappears after I delete /etc/ld.so.preload.

The problem does not come up if commands are rewritten without "sudo" in the yaml

There are also a couple of other issues with the commands:

1. The test command is overwriting any potentially existing /etc/ld.so.preload (we may fairly assume it didn't exist, but then why are we using sed to cleanup instead of a simple rm ?)
2. In the cleanup command the regex delimiters are confusing, better use a different delimiter: sudo sed -i 's|#{path_to_shared_library}||' /etc/ld.so.preload

executor:
    command: |
      sudo sh -c 'echo #{path_to_shared_library} > /etc/ld.so.preload'
    cleanup_command: |
      sudo sed -i 's##{path_to_shared_library}##' /etc/ld.so.preload
    name: bash
    elevation_required: true

Your Environment

• Amazon Linux 2023.5.20240916 (basically a RedHat)
• I run the test from elevated prompt (sudo -i), and then launching pwsh (Powershell on Linux)
• Relevant to T1574.006 (but cannot exclude others)