Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2021-02-26 15:49:41 +00:00
parent 493c343724
commit 07b61288d6
6 changed files with 57 additions and 0 deletions
@@ -331,6 +331,7 @@ defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS dev
 defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
+defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable iptables firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
 defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
@@ -176,6 +176,7 @@ defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS dev
 defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
+defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
@@ -645,6 +645,7 @@
  - Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
  - Atomic Test #2: Kill Event Log Service Threads [windows]
  - Atomic Test #3: Impair Windows Audit Log Policy [windows]
+  - Atomic Test #4: Clear Windows Audit Policy Config [windows]
 - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
  - Atomic Test #1: Disable iptables firewall [linux]
@@ -340,6 +340,7 @@
  - Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
  - Atomic Test #2: Kill Event Log Service Threads [windows]
  - Atomic Test #3: Impair Windows Audit Log Policy [windows]
+  - Atomic Test #4: Clear Windows Audit Policy Config [windows]
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
  - Atomic Test #2: Disable Microsoft Defender Firewall [windows]
  - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
@@ -28941,6 +28941,8 @@ defense-evasion:
      description: |
        Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
        This action requires HTTP logging configurations in IIS to be unlocked.
+
+        Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
      supported_platforms:
      - windows
      input_arguments:
@@ -28996,6 +28998,22 @@ defense-evasion:
          auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
        name: command_prompt
        elevation_required: true
+    - name: Clear Windows Audit Policy Config
+      auto_generated_guid: 913c0e4e-4b37-4b78-ad0b-90e7b25010f6
+      description: Clear the Windows audit policy using auditpol utility. This action
+        would stop certain audit events from being recorded in the security log.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          auditpol /clear /y
+          auditpol /remove /allusers
+        cleanup_command: |
+          auditpol /set /category:"Account Logon" /success:enable /failure:enable
+          auditpol /set /category:"Detailed Tracking" /success:enable
+          auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
+        name: command_prompt
+        elevation_required: true
  T1562.007:
    technique:
      external_references:
@@ -12,6 +12,8 @@ Adversaries may targeting system-wide logging or just that of a particular appli

 - [Atomic Test #3 - Impair Windows Audit Log Policy](#atomic-test-3---impair-windows-audit-log-policy)

+- [Atomic Test #4 - Clear Windows Audit Policy Config](#atomic-test-4---clear-windows-audit-policy-config)
+

 <br/>

@@ -19,6 +21,8 @@ Adversaries may targeting system-wide logging or just that of a particular appli
 Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
 This action requires HTTP logging configurations in IIS to be unlocked.

+Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
+
 **Supported Platforms:** Windows


@@ -116,4 +120,35 @@ auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable



+<br/>
+<br/>
+
+## Atomic Test #4 - Clear Windows Audit Policy Config
+Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log.
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+auditpol /clear /y
+auditpol /remove /allusers
+```
+
+#### Cleanup Commands:
+```cmd
+auditpol /set /category:"Account Logon" /success:enable /failure:enable
+auditpol /set /category:"Detailed Tracking" /success:enable
+auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
+```
+
+
+
+
+
 <br/>