Hare Sudhan 81b987e1a6 fix atomics (#2852)
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2024-07-16 13:06:56 -05:00

196 lines
6.0 KiB
YAML

# Atomic Red Team emulations for MITRE ATT&CK T1070.003 (Clear Command History).
# Each entry under atomic_tests is one self-contained test; `#{name}` tokens in
# the commands are substituted from that test's input_arguments by the
# executor before the command is run.
attack_technique: T1070.003
display_name: 'Indicator Removal on Host: Clear Command History'
atomic_tests:
- name: Clear Bash history (rm)
  auto_generated_guid: a934276e-2be5-4a36-93fd-98adbb5bd4fc
  description: |
    Clears bash history via rm
  input_arguments:
    history_path:
      description: Bash history path
      type: path
      default: ~/.bash_history
  supported_platforms:
  - linux
  - macos
  executor:
    # Deletes the history file outright. `rm` exits non-zero if the file does
    # not exist yet, so the test reports failure on a host that has never
    # written one; there is no cleanup_command because nothing is restored.
    command: |
      rm #{history_path}
    name: sh
- name: Clear Bash history (echo)
  auto_generated_guid: cbf506a5-dd78-43e5-be7e-a46b7c7a0a11
  description: |
    Clears bash history via echo
  input_arguments:
    history_path:
      description: Bash history path
      type: path
      default: ~/.bash_history
  supported_platforms:
  - linux
  executor:
    # Overwrites the file with a single newline, so the result is a one-byte
    # file rather than the zero-byte file produced by the cat/truncate
    # variants - a detail that matters if a detection keys on file size.
    command: |
      echo "" > #{history_path}
    name: sh
- name: Clear Bash history (cat dev/null)
  auto_generated_guid: b1251c35-dcd3-4ea1-86da-36d27b54f31f
  description: |
    Clears bash history via cat /dev/null
  supported_platforms:
  - linux
  - macos
  input_arguments:
    history_path:
      description: Bash history path
      type: path
      default: ~/.bash_history
  executor:
    # Truncates the file to zero bytes in place via shell redirection; the
    # file itself (inode, ownership, mode) is kept, only its contents go.
    command: |
      cat /dev/null > #{history_path}
    name: sh
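- name: Clear Bash history (ln dev/null)
  auto_generated_guid: 23d348f3-cc5c-4ba9-bd0a-ae09069f0914
  description: |
    Clears bash history via a symlink to /dev/null
  supported_platforms:
  - linux
  - macos
  input_arguments:
    history_path:
      description: Bash history path
      type: path
      default: ~/.bash_history
  executor:
    # `-f` replaces an existing history file with the link. Anything written
    # to the path afterwards is discarded, so this suppresses all future
    # history as well as clearing the current file.
    command: |
      ln -sf /dev/null #{history_path}
    # Without a cleanup the symlink outlives the test and keeps swallowing
    # history on the host. Only a symlink is removed (-L), so a regular
    # history file that was never replaced is left alone; `|| true` keeps the
    # cleanup from reporting failure in that case. The path is deliberately
    # unquoted so a `~` default still expands.
    cleanup_command: |
      [ -L #{history_path} ] && rm -f #{history_path} || true
    name: sh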
- name: Clear Bash history (truncate)
  auto_generated_guid: 47966a1d-df4f-4078-af65-db6d9aa20739
  description: |
    Clears bash history via truncate
  supported_platforms:
  - linux
  input_arguments:
    history_path:
      description: Bash history path
      type: path
      default: ~/.bash_history
  executor:
    # Linux only: truncate(1) is a GNU coreutils tool and is not shipped with
    # macOS by default. Produces a zero-byte file, like the cat /dev/null test.
    command: |
      truncate -s0 #{history_path}
    name: sh
- name: Clear history of a bunch of shells
  auto_generated_guid: 7e6721df-5f08-4370-9255-f06d8a77af4c
  description: |
    Clears the history of a bunch of different shell types by setting the history size to zero
  supported_platforms:
  - linux
  - macos
  executor:
    # All three lines act only on the executor's own non-interactive shell
    # process; they do not reach the operator's interactive sessions, and
    # `history` is a bash builtin that may be unavailable when `sh` is dash
    # (the last line then fails, which is what the test reports).
    command: |
      unset HISTFILE
      export HISTFILESIZE=0
      history -c
    name: sh
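- name: Clear and Disable Bash History Logging
  auto_generated_guid: 784e4011-bd1a-4ecd-a63a-8feb278512e6
  description: |
    Clears the history and disable bash history logging of the current shell and future shell sessions
  supported_platforms:
  - linux
  - macos
  executor:
    # Persists `set +o history` into ~/.bashrc so later interactive bash
    # sessions start with history off; the first and last lines only affect
    # the executor's own shell.
    command: |
      set +o history
      echo 'set +o history' >> ~/.bashrc
      . ~/.bashrc
      history -c
    # `sed -i` with an explicit backup suffix is accepted by both GNU sed
    # (linux) and BSD sed (macos); the bare `-i` form is rejected by BSD sed,
    # which left the persistence line in ~/.bashrc on macOS. The `d` command
    # drops the whole appended line instead of leaving an empty one behind.
    cleanup_command: |
      sed -i.bak '/^set +o history$/d' ~/.bashrc
      rm -f ~/.bashrc.bak
      . ~/.bashrc
      set -o history
    name: sh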
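- name: Use Space Before Command to Avoid Logging to History
  auto_generated_guid: 53b03a54-4529-4992-852d-a00b4b7215a6
  description: |
    Using a space before a command causes the command to not be logged in the Bash History file
  supported_platforms:
  - linux
  - macos
  executor:
    # Each command is deliberately prefixed with one space. The `|2`
    # indentation indicator is required: without it YAML derives the block's
    # indent from the first line and silently strips that leading space.
    # Bash only honours the leading space when HISTCONTROL contains
    # ignorespace or ignoreboth, and only in an interactive shell, so a
    # non-interactive `sh -c` run presumably generates the command telemetry
    # but does not by itself demonstrate the history suppression.
    command: |2
       hostname
       whoami
    name: sh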
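- name: Disable Bash History Logging with SSH -T
  auto_generated_guid: 5f8abd62-f615-43c5-b6be-f780f25790a1
  description: |
    Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog
  supported_platforms:
  - linux
  dependencies:
  - description: |
      Install sshpass and create user account used for excuting
    # Both checks must succeed. The previous `$(cmd) && $(cmd)` form relied on
    # the obscure rule that an empty command line takes the exit status of
    # its last command substitution; plain commands say the same thing
    # directly. `command -v` is POSIX, `which` is not always installed.
    prereq_command: |
      getent passwd testuser1 >/dev/null && command -v sshpass >/dev/null
    # A real local account with a fixed, weak password is created here. If the
    # test aborts before cleanup_command runs, that account stays behind -
    # use a disposable host. The password is set with chpasswd, which reads
    # user:password pairs from stdin; the former `echo -e ... | passwd` broke
    # under dash (Debian/Ubuntu /bin/sh), whose echo prints `-e` literally so
    # the two password lines never matched, and passwd typically reads from
    # the terminal rather than stdin anyway. if/else replaces the
    # `[ test ] && a || b` chain, which ran the Linux branch whenever the
    # FreeBSD branch failed.
    get_prereq_command: |
      if [ "$(uname)" = 'FreeBSD' ]; then
        pw useradd testuser1 -g wheel -s /bin/sh
        echo 'pwd101!' | pw mod user testuser1 -h 0
      else
        /usr/sbin/useradd testuser1
        echo 'testuser1:pwd101!' | chpasswd
      fi
      (which yum && yum -y install epel-release sshpass)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y sshpass)||(which pkg && pkg install -y sshpass)
  executor:
    # sshpass only answers the password prompt, so an unknown localhost host
    # key would stall on the "continue connecting?" prompt. Host-key checking
    # is disabled for this loopback connection only, and the key is not
    # recorded (UserKnownHostsFile=/dev/null) so nothing is left to clean up;
    # never carry these options over to a real remote. sshd must already be
    # listening on localhost - that is not covered by prereq_command.
    command: |
      sshpass -p 'pwd101!' ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null testuser1@localhost -T hostname
    cleanup_command: |
      [ "$(uname)" = 'FreeBSD' ] && rmuser -y testuser1 || userdel -f testuser1
    name: sh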
- name: Clear Docker Container Logs
  auto_generated_guid: 553b39f9-1e8c-47b1-abf5-8daf7b0391e9
  description: |
    Clears Docker container logs using the Docker CLI and the truncate command, removing all log entries.
  supported_platforms:
  - linux
  executor:
    name: bash
    # NOTE(review): `docker container prune -f` deletes every stopped
    # container on the host, not merely their logs, and there is no
    # cleanup_command that could restore them - run only on a disposable
    # host. With elevation_required: true the `sudo` is redundant; the glob
    # is expanded by the calling shell before sudo starts, so it only matches
    # if that shell can already read /var/lib/docker/containers, and an
    # unmatched glob is passed to truncate literally and fails.
    command: |
      docker container prune -f && sudo truncate -s 0 /var/lib/docker/containers/*/*-json.log
  elevation_required: true
- name: Prevent Powershell History Logging
  auto_generated_guid: 2f898b81-3e97-4abb-bc3f-a95138988370
  description: |
    Prevents Powershell history
  supported_platforms:
  - windows
  executor:
    # PSReadLine option; it applies to the session the executor runs in, not
    # to other open PowerShell windows. The cleanup puts back
    # SaveIncrementally, the PSReadLine default.
    command: |
      Set-PSReadlineOption -HistorySaveStyle SaveNothing
    name: powershell
    cleanup_command: 'Set-PSReadLineOption -HistorySaveStyle SaveIncrementally'
- name: Clear Powershell History by Deleting History File
  auto_generated_guid: da75ae8d-26d6-4483-b0fe-700e4df4f037
  description: |
    Clears Powershell history
  supported_platforms:
  - windows
  executor:
    # Deletes the PSReadLine history file for the current user. There is no
    # cleanup_command - the file is gone for good. Remove-Item reports a
    # non-terminating error if the file does not exist yet (e.g. a profile
    # that has never run an interactive PSReadLine session).
    command: |
      Remove-Item (Get-PSReadlineOption).HistorySavePath
    name: powershell
- name: Set Custom AddToHistoryHandler to Avoid History File Logging
  auto_generated_guid: 1d0d9aa6-6111-4f89-927b-53e8afae7f94
  description: |
    The "AddToHistoryHandler" receives the current command as the $line variable and then returns $true if
    the line should be written to the history file. Here we simply return $false so nothing gets added to
    the history file for the current session.
  supported_platforms:
  - windows
  executor:
    # Session-scoped: the handler is not persisted, so it only suppresses
    # history in the PowerShell process the executor runs in.
    command: |
      Set-PSReadLineOption -AddToHistoryHandler { return $false }
    # Passing $null presumably restores PSReadLine's built-in handler - verify
    # on the PSReadLine version in use.
    cleanup_command: |
      Set-PSReadLineOption -AddToHistoryHandler $null
    name: powershell