Generated docs from job=generate-docs branch=master [ci skip]

2024-03-17 01:56:45 +00:00
parent 805fbea899
commit 299603d06f
9 changed files with 106 additions and 2 deletions
@@ -242,6 +242,7 @@ defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,20,
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,21,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,22,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,23,ESXi - Disable Firewall via Esxcli,bac8a340-be64-4491-a0cc-0985cb227f5a,command_prompt
+defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,24,Set a firewall rule using New-NetFirewallRule,94be7646-25f6-467e-af23-585fb13000c8,powershell
 defense-evasion,T1553.003,Subvert Trust Controls: SIP and Trust Provider Hijacking,1,SIP (Subject Interface Package) Hijacking via Custom DLL,e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675,command_prompt
 defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
 defense-evasion,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
@@ -147,6 +147,7 @@ defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,20,
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,21,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,22,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,23,ESXi - Disable Firewall via Esxcli,bac8a340-be64-4491-a0cc-0985cb227f5a,command_prompt
+defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,24,Set a firewall rule using New-NetFirewallRule,94be7646-25f6-467e-af23-585fb13000c8,powershell
 defense-evasion,T1553.003,Subvert Trust Controls: SIP and Trust Provider Hijacking,1,SIP (Subject Interface Package) Hijacking via Custom DLL,e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675,command_prompt
 defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
@@ -304,6 +304,7 @@
  - Atomic Test #21: LockBit Black - Unusual Windows firewall registry modification -Powershell [windows]
  - Atomic Test #22: Blackbit - Disable Windows Firewall using netsh firewall [windows]
  - Atomic Test #23: ESXi - Disable Firewall via Esxcli [windows]
+  - Atomic Test #24: Set a firewall rule using New-NetFirewallRule [windows]
 - [T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking](../../T1553.003/T1553.003.md)
  - Atomic Test #1: SIP (Subject Interface Package) Hijacking via Custom DLL [windows]
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -197,6 +197,7 @@
  - Atomic Test #21: LockBit Black - Unusual Windows firewall registry modification -Powershell [windows]
  - Atomic Test #22: Blackbit - Disable Windows Firewall using netsh firewall [windows]
  - Atomic Test #23: ESXi - Disable Firewall via Esxcli [windows]
+  - Atomic Test #24: Set a firewall rule using New-NetFirewallRule [windows]
 - [T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking](../../T1553.003/T1553.003.md)
  - Atomic Test #1: SIP (Subject Interface Package) Hijacking via Custom DLL [windows]
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -11231,6 +11231,35 @@ defense-evasion:
          -m PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_enable_firewall.txt\n"
        name: command_prompt
        elevation_required: false
+    - name: Set a firewall rule using New-NetFirewallRule
+      auto_generated_guid: 94be7646-25f6-467e-af23-585fb13000c8
+      description: This test will attempt to create a new inbound/outbound firewall
+        rule using the New-NetFirewallRule commandlet.
+      supported_platforms:
+      - windows
+      input_arguments:
+        direction:
+          description: Direction can be Inbound or Outbound
+          type: string
+          default: Inbound
+        local_port:
+          description: This is the local port you wish to test opening
+          type: integer
+          default: 21
+        protocol:
+          description: This is the protocol
+          type: string
+          default: TCP
+        action:
+          description: This is the action
+          type: string
+          default: allow
+      executor:
+        command: New-NetFirewallRule -DisplayName "New rule" -Direction "#{direction}"
+          -LocalPort "#{local_port}" -Protocol "#{protocol}" -Action "#{action}"
+        cleanup_command: Remove-NetFirewallRule -DisplayName "New rule"
+        name: powershell
+        elevation_required: true
  T1553.003:
    technique:
      x_mitre_platforms:
@@ -8677,6 +8677,35 @@ defense-evasion:
          -m PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_enable_firewall.txt\n"
        name: command_prompt
        elevation_required: false
+    - name: Set a firewall rule using New-NetFirewallRule
+      auto_generated_guid: 94be7646-25f6-467e-af23-585fb13000c8
+      description: This test will attempt to create a new inbound/outbound firewall
+        rule using the New-NetFirewallRule commandlet.
+      supported_platforms:
+      - windows
+      input_arguments:
+        direction:
+          description: Direction can be Inbound or Outbound
+          type: string
+          default: Inbound
+        local_port:
+          description: This is the local port you wish to test opening
+          type: integer
+          default: 21
+        protocol:
+          description: This is the protocol
+          type: string
+          default: TCP
+        action:
+          description: This is the action
+          type: string
+          default: allow
+      executor:
+        command: New-NetFirewallRule -DisplayName "New rule" -Direction "#{direction}"
+          -LocalPort "#{local_port}" -Protocol "#{protocol}" -Action "#{action}"
+        cleanup_command: Remove-NetFirewallRule -DisplayName "New rule"
+        name: powershell
+        elevation_required: true
  T1553.003:
    technique:
      x_mitre_platforms:
@@ -52,6 +52,8 @@ Modifying or disabling a system firewall may enable adversary C2 communications,

 - [Atomic Test #23 - ESXi - Disable Firewall via Esxcli](#atomic-test-23---esxi---disable-firewall-via-esxcli)

+- [Atomic Test #24 - Set a firewall rule using New-NetFirewallRule](#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule)
+

 <br/>

@@ -1022,4 +1024,44 @@ Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -O



+<br/>
+<br/>
+
+## Atomic Test #24 - Set a firewall rule using New-NetFirewallRule
+This test will attempt to create a new inbound/outbound firewall rule using the New-NetFirewallRule commandlet.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 94be7646-25f6-467e-af23-585fb13000c8
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| direction | Direction can be Inbound or Outbound | string | Inbound|
+| local_port | This is the local port you wish to test opening | integer | 21|
+| protocol | This is the protocol | string | TCP|
+| action | This is the action | string | allow|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-NetFirewallRule -DisplayName "New rule" -Direction "#{direction}" -LocalPort "#{local_port}" -Protocol "#{protocol}" -Action "#{action}"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-NetFirewallRule -DisplayName "New rule"
+```
+
+
+
+
+
 <br/>