Update T1562.003.yaml (#2716)
Corrected the MITRE ATT&CK subtechnique name at top of the file. Added two new tests for disabling Windows Command Line Auditing Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Badoodish
@@ -1,5 +1,5 @@
|
||||
attack_technique: T1562.003
|
||||
display_name: 'Impair Defenses: HISTCONTROL'
|
||||
display_name: 'Impair Defenses: Impair Command History Logging'
|
||||
atomic_tests:
|
||||
- name: Disable history collection
|
||||
auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5
|
||||
@@ -204,3 +204,64 @@ atomic_tests:
|
||||
# -> History cache is empty
|
||||
cleanup_command: |
|
||||
unset HISTIGNORE
|
||||
|
||||
- name: Disable Windows Command Line Auditing using reg.exe
|
||||
description: |
|
||||
In Windows operating systems, command line auditing is controlled through the following registry value:
|
||||
|
||||
Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
|
||||
Registry Value: ProcessCreationIncludeCmdLine_Enabled
|
||||
|
||||
When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
|
||||
This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
|
||||
By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
|
||||
Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
|
||||
|
||||
Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:
|
||||
Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1)
|
||||
Registry events (Windows Event ID 4657, Sysmon Event ID 13)
|
||||
|
||||
Read more here:
|
||||
https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
command: |
|
||||
echo Commencing Attack - Disabling Registry Value
|
||||
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
|
||||
cleanup_command: |
|
||||
echo Commencing Cleanup - Restoring Registry Value
|
||||
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
|
||||
- name: Disable Windows Command Line Auditing using Powershell Cmdlet
|
||||
description: |
|
||||
In Windows operating systems, command line auditing is controlled through the following registry value:
|
||||
|
||||
Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
|
||||
Registry Value: ProcessCreationIncludeCmdLine_Enabled
|
||||
|
||||
When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
|
||||
This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
|
||||
By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
|
||||
Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
|
||||
|
||||
Because this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:
|
||||
Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)
|
||||
Registry events (Windows Event ID 4657, Sysmon Event ID 13)
|
||||
|
||||
Read more here:
|
||||
https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
|
||||
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
command: |
|
||||
echo "Commencing Attack - Disabling Registry Value"
|
||||
New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
|
||||
cleanup_command: |
|
||||
echo "Commencing Cleanup - Restoring Registry Value"
|
||||
New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore
|
||||
|
||||
|
||||
Reference in New Issue
Block a user