From 07b61288d694892278bb3f4fbcd460f37f520090 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Fri, 26 Feb 2021 15:49:41 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 18 ++++++++++
 atomics/T1562.002/T1562.002.md | 35 +++++++++++++++++++
 6 files changed, 57 insertions(+)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 2d66174d..cadd757d 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -331,6 +331,7 @@ defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS dev
 defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
+defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable iptables firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
 defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 01d6e9ed..75f7c4bc 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -176,6 +176,7 @@ defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS dev
 defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
 defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
+defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 5c7aced5..7a3158b1 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -645,6 +645,7 @@
 - Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
 - Atomic Test #2: Kill Event Log Service Threads [windows]
 - Atomic Test #3: Impair Windows Audit Log Policy [windows]
+ - Atomic Test #4: Clear Windows Audit Policy Config [windows]
 - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
 - Atomic Test #1: Disable iptables firewall [linux]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index bb5efa35..c4604cbe 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -340,6 +340,7 @@
 - Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
 - Atomic Test #2: Kill Event Log Service Threads [windows]
 - Atomic Test #3: Impair Windows Audit Log Policy [windows]
+ - Atomic Test #4: Clear Windows Audit Policy Config [windows]
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
 - Atomic Test #2: Disable Microsoft Defender Firewall [windows]
 - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 728c1876..6c9559e8 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -28941,6 +28941,8 @@ defense-evasion:
 description: |
 Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
 This action requires HTTP logging configurations in IIS to be unlocked.
+
+ Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
 supported_platforms:
 - windows
 input_arguments:
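Review bot: The sentence added to test #1's description, `Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)`, is attached to "Disable Windows IIS HTTP Logging", which the index.csv rows list as a powershell test and whose cleanup commands are not visible on this page; the only auditpol commands shown here belong to test #3 and the new test #4 in the next hunk. It reads as if the note was inserted under the wrong test in the T1562.002 source YAML that these generated indexes are built from, and the same misplaced sentence appears in the T1562.002.md hunk at `@@ -19,6 +21,8 @@`. Moving it into test #4's description, directly after `would stop certain audit events from being recorded in the security log.`, and regenerating would correct both files.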
@@ -28996,6 +28998,22 @@ defense-evasion:
 auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
 name: command_prompt
 elevation_required: true
+ - name: Clear Windows Audit Policy Config
+ auto_generated_guid: 913c0e4e-4b37-4b78-ad0b-90e7b25010f6
+ description: Clear the Windows audit policy using auditpol utility. This action
+ would stop certain audit events from being recorded in the security log.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ auditpol /clear /y
+ auditpol /remove /allusers
+ cleanup_command: |
+ auditpol /set /category:"Account Logon" /success:enable /failure:enable
+ auditpol /set /category:"Detailed Tracking" /success:enable
+ auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
+ name: command_prompt
+ elevation_required: true
 T1562.007:
 technique:
 external_references:
diff --git a/atomics/T1562.002/T1562.002.md b/atomics/T1562.002/T1562.002.md
index 3148b496..6089a6b1 100644
--- a/atomics/T1562.002/T1562.002.md
+++ b/atomics/T1562.002/T1562.002.md
@@ -12,6 +12,8 @@ Adversaries may targeting system-wide logging or just that of a particular appli
 - [Atomic Test #3 - Impair Windows Audit Log Policy](#atomic-test-3---impair-windows-audit-log-policy)
+- [Atomic Test #4 - Clear Windows Audit Policy Config](#atomic-test-4---clear-windows-audit-policy-config)
+
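Review bot: The cleanup_command for "Clear Windows Audit Policy Config" re-enables only three categories, so after `auditpol /clear /y` and `auditpol /remove /allusers` every other subcategory and any per-user audit policy stays cleared on the test host, which is what the accompanying "your original settings will be lost" note concedes. A snapshot would make the test round-trip: prepend `auditpol /backup /file:<backup-path>` to `command` and replace the three `/set` lines in `cleanup_command` with `auditpol /restore /file:<backup-path>`, with the path supplied through `input_arguments` as test #1 in the previous hunk appears to do. If the partial restore is intentional, the description should name the categories that are restored so an operator can rebaseline the rest by hand.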
@@ -19,6 +21,8 @@ Adversaries may targeting system-wide logging or just that of a particular appli
 Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
 This action requires HTTP logging configurations in IIS to be unlocked.
+Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
+
 **Supported Platforms:** Windows
@@ -116,4 +120,35 @@ auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
+
+
+
+## Atomic Test #4 - Clear Windows Audit Policy Config
+Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log.
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+auditpol /clear /y
+auditpol /remove /allusers
+```
+
+#### Cleanup Commands:
+```cmd
+auditpol /set /category:"Account Logon" /success:enable /failure:enable
+auditpol /set /category:"Detailed Tracking" /success:enable
+auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
+```
+
+
+
+
+